cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15952
Views
5
Helpful
4
Comments
Brandon Turpin
Cisco Employee
Cisco Employee

Problem:

When attempting to connect a SPA525G/G2 phone via SSLVPN to a UC500, the VPN doesn't establish and the following message is seen on the phone screen:

"Failed to obtain WebVPN Cookie"


One of the most common reasons for this is due to an issue with the SSL Certificate.  This document is meant to help identify if there is a certificate issue and help resolve it.

Prerequisites:

  • SSLVPN Server is configured
  • SPA525G/G2 has been provisioned

Troubleshooting:

1.  Try browsing to the UC500 webvpn portal with a browser:

https://<UC500 WAN IP Address>


2.  If the page doesn't come up and you get a message like 'cannot display the webpage', then continue with Step 3.

3.  Open CLI access to UC500.

4.  Setup logging to the buffer and run the following debugs:

UC540(config)#no logging console
UC540(config)#logging buffer 512000 debug
UC540(config)#debug crypto pki mess
UC540(config)#debug crypto pki trans
UC540(config)#debug ssl openssl error


5.  Try to browse to the UC500 webvpn portal with a browser again.

6.  Run 'show log'.  Check for logs similar to the following:

000295: Apr 28 18:46:04.699: CRYPTO_PKI: Identity selected (TP-self-signed-908968563) for session 10009
000296: Apr 28 18:46:04.699: opssl_SetPKIInfo entry
000297: Apr 28 18:46:04.699: CRYPTO_PKI: Identity selected (TP-self-signed-908968563) for session 2000A
000298: Apr 28 18:46:04.699: CRYPTO_PKI: Can not select private key
000299: Apr 28 18:46:04.699: CRYPTO_OPSSL: Can't find router private key
000300: Apr 28 18:46:04.699: CRYPTO_PKI: unlocked trustpoint TP-self-signed-908968563, refcount is 1
000301: Apr 28 18:46:04.703: CRYPTO_PKI: unlocked trustpoint TP-self-signed-908968563, refcount is 0


7.  If you see messages like those above, there is an issue with the certificate used for SSLVPN.

Delete and Rebuild Trustpoint

1.  Check webvpn configuration to see which trustpoint is being used:

UC540#sh run | se webvpn
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 172.16.1.10 port 443 
ssl trustpoint TP-self-signed-908968563
inservice


2.  Check configuration of the trustpoint.  Please note the trustpoint name as we will use that in the future.

UC540#sh run | se trustpoint TP-self-signed-908968563
crypto pki trustpoint TP-self-signed-908968563
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-908968563
revocation-check none


3. Verify RSA keypairs exist for that trustpoint.

UC_540#sh cry key mypubkey rsa TP-self-signed-908968563
% Key pair was generated at: 04:22:18 EST Feb 7 2011
Key name: TP-self-signed-908968563
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  (redacted)


4.  Delete the trustpoint.

UC540#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
UC540(config)#no crypto pki trustpoint TP-self-signed-908968563
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.


5.  Recreate the trustpoint using the previous configuration and adding the 'rsakeypair' command.  Typically, we've seeing the 'rsakeypair' command missing, so we want to add it back.  Note: When creating the trustpoint, it's easiest to use the same trustpoint name as was previously configured so you don't have to go back and check where it's referenced.

UC_540(config)#crypto pki trustpoint TP-self-signed-908968563
UC_540(ca-trustpoint)#enrollment selfsigned
UC_540(ca-trustpoint)#subject-name cn=IOS-Self-Signed-Certificate-908968563
UC_540(ca-trustpoint)#revocation-check none
UC_540(ca-trustpoint)#rsakeypair TP-self-signed-908968563
UC_540(ca-trustpoint)#exit
UC_540(config)#


6.  Enroll the trustpoint to generate a new certificate.

UC540(config)#crypto pki enroll TP-self-signed-908968563
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

UC540(config)#end
UC540#


7.  Verify the certificate is created.

UC540#show crypto pki cert TP-self-signed-908968563
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    hostname=UC540
    cn=IOS-Self-Signed-Certificate-908968563
  Subject:
    Name: UC540
    hostname=UC540
    cn=IOS-Self-Signed-Certificate-908968563
  Validity Date:
    start date: 09:49:03 PST Oct 3 2011
    end   date: 16:00:00 PST Dec 31 2019
  Associated Trustpoints: TP-self-signed-908968563


8.  Test and verify you can browse to the UC500 webvpn portal.

9.  If you now see the portal page, then check to verify if your phone can now connect.

Comments
apatterson
Beginner
Beginner

I'm receiving this webvpn cookie error on all my SPA525G(and G2) phones when using a phone load greater than 7.4.4.  I'm actually terminating to an ASA5505 (and then registering to the UC500 behind it).  These specific instructions do not translate to the ASA. 

Does anyone know of a way to resolve this error on the ASA?  Phone load 7.4.4 webvpn connects great.  No higher load will work, though.

Allen Cook
Community Member

I am using SSL to connect to an ASA5505 in front of an Asterisk server.  7.4.3 works fine but is two years old.  Is there a solution?

focusonit
Beginner
Beginner

Perfect - thanks a Million!

We just had a power failure and although everything had been saved previously we had no VPN access afterwards. This document was easy to find and 100% on the money. Followed the instructions and we were up and running within minutes.

Thanks!

c.holloway
Beginner
Beginner

This error can be given to your phones for reasons totally unrelated to the certificate.  I run into this when I try to connect a test phone to a SSL VPN on a particular port on my offices network (i'm not sure what it is about the port config that causes this problem) while it works on other ports.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: