
Windows native IKEv2 client on ASA gets "Error 13826: Failed to verify signature"

raarons
Level 1

Hi all

I am setting up a remote access VPN from Windows clients to ASA version 9.3(3) using native IKEv2 on the client, and machine authentication only. Everything seems to work fine as far as the ASA is concerned, but immediately after the VPN negotiates on the ASA, the Windows client drops the connection with "Error 13826: Failed to verify signature".

The ASA logs are good, and in the few seconds between the VPN going up and the Windows client dropping it, I see:

vpn# show vpn-sessiondb ra-ikev2

Session Type: Generic Remote-Access IKEv2 IPsec

Username     : cn=VPN7.xxxx.yyyy.com
Index        : 184
Assigned IP  : 192.168.101.1          Public IP    : 192.168.4.7
Protocol     : IKEv2 IPsec
License      : AnyConnect Premium
Encryption   : IKEv2: (1)3DES  IPsec: (1)AES256
Hashing      : IKEv2: (1)SHA256  IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : GroupPolicy_MIAB-Certificate
Tunnel Group : MIAB-Certificate
Login Time   : 12:44:36 GMT/BDT Fri Aug 21 2015
Duration     : 0h:00m:42s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a80302000b800055d70f24
Security Grp : none

The debugs also look good on the ASA:

Aug 21 2015 12:44:36: %ASA-7-713906: IKE Receiver: Packet received on 192.168.4.10:500 from 192.168.4.7:500
Aug 21 2015 12:44:36: %ASA-5-750002: Local:192.168.4.10:500 Remote:192.168.4.7:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Aug 21 2015 12:44:36: %ASA-6-302015: Built inbound UDP connection 61819 for outside:192.168.4.7/4500 (192.168.4.7/4500) to identity:192.168.4.10/4500 (192.168.4.10/4500)
Aug 21 2015 12:44:36: %ASA-7-713906: IKE Receiver: Packet received on 192.168.4.10:4500 from 192.168.4.7:4500
Aug 21 2015 12:44:36: %ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 7000000014F1CDD4A040271D08000000000014, subject name: cn=VPN7.xxx.yyy.com, issuer_name: cn=AAA,dc=xxx,dc=yyy,dc=com.
Aug 21 2015 12:44:36: %ASA-7-717038: Tunnel group match found. Tunnel Group: MIAB-Certificate, Peer certificate: serial number: 7000000014F1CDD4A040271D08000000000014, subject name: cn=VPN7.xxx.yyy.com, issuer_name: cn=AAA,dc=xxx,dc=yyy,dc=com.
Aug 21 2015 12:44:36: %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
Aug 21 2015 12:44:36: %ASA-7-717029: Identified client certificate within certificate chain. serial number: 7000000014F1CDD4A040271D08000000000014, subject name: cn=VPN7.xxx.yyy.com.
Aug 21 2015 12:44:36: %ASA-7-717030: Found a suitable trustpoint yyy.com to validate certificate.
Aug 21 2015 12:44:36: %ASA-6-717022: Certificate was successfully validated. serial number: 7000000014F1CDD4A040271D08000000000014, subject name:  cn=VPN7.xxx.yyy.com.
Aug 21 2015 12:44:36: %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has been requested.  [Request 35]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has started.  [Request 35]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has finished successfully.  [Request 35]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has been requested.  [Request 36]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has completed.  [Request 35]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has started.  [Request 36]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has finished successfully.  [Request 36]
Aug 21 2015 12:44:36: %ASA-7-113028: Extraction of username from VPN client certificate has completed.  [Request 36]
Aug 21 2015 12:44:36: %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_MIAB-Certificate) for user = cn=VPN7.xxx.yyy.com
Aug 21 2015 12:44:36: %ASA-7-734003: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7: Session Attribute aaa.cisco.grouppolicy = GroupPolicy_MIAB-Certificate
Aug 21 2015 12:44:36: %ASA-7-734003: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7: Session Attribute aaa.cisco.username = cn=VPN7.xxx.yyy.com
Aug 21 2015 12:44:36: %ASA-7-734003: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7: Session Attribute aaa.cisco.username1 = cn=VPN7.xxx.yyy.com
Aug 21 2015 12:44:36: %ASA-7-734003: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7: Session Attribute aaa.cisco.username2 =
Aug 21 2015 12:44:36: %ASA-7-734003: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7: Session Attribute aaa.cisco.tunnelgroup = MIAB-Certificate
Aug 21 2015 12:44:36: %ASA-6-734001: DAP: User cn=VPN7.xxx.yyy.com, Addr 192.168.4.7, Connection IPSec-IKEv2-Generic-RA: The following DAP records were selected for this connection: DfltAccessPolicy
Aug 21 2015 12:44:36: %ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
Aug 21 2015 12:44:36: %ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'MIAB-Certificate'
Aug 21 2015 12:44:36: %ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_ADDR'
Aug 21 2015 12:44:36: %ASA-4-751014: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 Username:cn=VPN7.xxx.yyy.com IKEv2 Warning Configuration Payload request for attribute 0x5ba0 could not be processed. Error: Unknown/Unsupported Attribute
Aug 21 2015 12:44:36: %ASA-4-751014: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 Username:cn=VPN7.xxx.yyy.com IKEv2 Warning Configuration Payload request for attribute 0x5ba1 could not be processed. Error: Unknown/Unsupported Attribute
Aug 21 2015 12:44:36: %ASA-4-750012: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 Username:cn=cn=VPN7.xxx.yyy.com IKEv2 Selected IKEv2 encryption algorithm (3DES) is not strong enough to secure proposed IPsec encryption algorithm (AES-CBC-256).
Aug 21 2015 12:44:36: %ASA-5-750006: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 cn=VPN7.xxx.yyy.com IKEv2 SA UP. Reason: New Connection Established
Aug 21 2015 12:44:36: %ASA-7-746012: user-identity: Add IP-User mapping 192.168.101.1 - LOCAL\cn=VPN7.xxx.yyy.com Succeeded - VPN user
Aug 21 2015 12:44:36: %ASA-5-751025: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 Username:cn=VPN7.xxx.yyy.com IKEv2 Group:GroupPolicy_MIAB-Certificate IPv4 Address=192.168.101.1 IPv6 address=:: assigned to session
Aug 21 2015 12:44:36: %ASA-6-751026: Local:192.168.4.10:4500 Remote:192.168.4.7:4500 Username:cn=VPN7.xxx.yyy.com IKEv2 Client OS:  Client:
Aug 21 2015 12:44:36: %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x21B42283) between 192.168.4.10 and 192.168.4.7 (user= cn=VPN7.internal.miabdemo        has been created.
Aug 21 2015 12:44:36: %ASA-7-609001: Built local-host outside:192.168.101.1
Aug 21 2015 12:44:36: %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x4AA20552) between 192.168.4.10 and 192.168.4.7 (user= cn=VPN7.internal.miabdemo.       has been created.

 

 

Has anyone seen this before, and if so, does anyone know the cause?  Googling for this doesn't return anything useful, but there are similar error codes listed here that point to EKU issues.  The ASA certificate contains the Server Authentication EKU, but not the IPSec Intermediate EKU (I'm waiting for a new certificate with it), but the link above suggests only the Server Authentication EKU should be sufficient.  The ASA certificate is issued by a trusted root on the client, and has a SAN that is the FQDN of the ASA.

Any help gratefully received.

 

 

18 Replies

There are only a couple of releases where the PRF SHA2 works with 3rd party. Fix for CSCvb21927 has been implemented and then pulled back because it broke different functionality.

The current status of CSCvb21927 is that in order to have an ultimate fix, RFC 7427 needs to be implemented. 

I don't have any ETA to share unfortunately.

We are facing the same problem, any update on this?

 

Sorry for reviving an old thread...

 

Eric

Hi netops0011111,

 

Yep, there is an update on this - you need to upgrade to 9.12.1 and configure a special command.

 

tunnel-group <TUNNELGROUPNAME> ipsec-attributes
ikev2 rsa-sig-hash sha1

With this configuration on 9.12.1 it runs like a charm.
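
The command above pins the hash used for the ASA's RSA signature to SHA-1. The following is an added illustration, not code from this thread or from Cisco, of why an RSASSA-PKCS1-v1_5 verifier that accepts only SHA-1 reports a signature failure when the signer hashes with SHA-256. The toy key (built from two Mersenne primes), the function names and the sample octets are constructed for the example, and that the Windows client behaves like the SHA-1-only verifier is an assumption.

```python
import hashlib

# Constructed toy RSA key from two known Mersenne primes (illustration only, not secure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER DigestInfo prefixes from RFC 8017 section 9.2.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(message: bytes, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || H(message)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(message: bytes, hash_name: str) -> bytes:
    """Sign with the toy private key using the given hash."""
    m = int.from_bytes(emsa_pkcs1_v15(message, hash_name), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify(message: bytes, signature: bytes, accepted_hashes) -> bool:
    """Verifier that only tries the hashes it is configured to accept."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return any(em == emsa_pkcs1_v15(message, h) for h in accepted_hashes)

def demo() -> dict:
    # Constructed stand-in for the octets an IKEv2 peer signs in its AUTH payload.
    octets = b"constructed stand-in for the IKEv2 signed octets"
    sig_sha256 = sign(octets, "sha256")  # assumed: signer follows a SHA2 PRF
    sig_sha1 = sign(octets, "sha1")      # signer pinned to SHA-1
    return {
        "sha256_sig_sha1_only_peer": verify(octets, sig_sha256, ["sha1"]),
        "sha1_sig_sha1_only_peer": verify(octets, sig_sha1, ["sha1"]),
        # A peer that accepts both hashes, as negotiation under RFC 7427 would allow.
        "sha256_sig_flexible_peer": verify(octets, sig_sha256, ["sha1", "sha256"]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'signature check failed'}")
```

The certificate and key are the same in all three cases; only the hash choice differs, which is why the ASA can log a successful session while the peer rejects the signature.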

Hi,

 

Still having the same problem, I'm pretty sure I'm missing something.

 

Other than 9.12 and the special command, is there anything else I should check?

 

Regards

 

Eric