RE: Problems installing CA cert on VPN 3005

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Oct 08 2008 - 12:32:41 ART


Tim, from Cisco's site you can download the vpn 3000's error messages and
what they mean.

Regarding this issue,

Delete the internal cert that came with the conc and reboot the box and try
again.

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Sent: Wednesday, October 08, 2008 11:29 AM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: FW: Problems installing CA cert on VPN 3005

Hi Guys,

I have a VPN 3005 and CA server on the same subnet.

      CA .101 -------- 183.1.119.x ------ .11 VPN 3k public Int

Both devices have their date and time set to match.

The VPN3k is configured with a domain name and a host name and doesn't have
any filter on its public int so all traffic is allowed.

The CA Server (a Windows 2000 Server) has successfully issued certs to
other devices in the network.

Several times I tried to install the CA cert on the VPN 3k but it doesn't
work. To see what's going on I turned on logging to the max level on the
VPN 3k.

I sent the syslog output to Kiwi syslog which is easier to read and is on
the same box as the CA. The output is shown below.

Notice messages #29, 34 (Object not found), 45 and 48.

I wish I knew what those messages were telling me and what I could do to fix
the problem.

Can anyone help me understand what's going on and what needs to be done to
fix this problem?

Thanks, Tim

message #
    |
    V

10-08-2008 06:34:07 Local7.Notice 183.1.119.11 48
10/08/2008 06:31:41.830 SEV=4 CERT/73 RPT=11 An error occurred during the
transport of the SCEP message via HTTP. See the CLIENT event class for more
information.

10-08-2008 06:34:07 Local7.Debug 183.1.119.11 47
10/08/2008 06:31:41.830 SEV=7 CLIENT/35 RPT=11 CLIENT_Callback(3843ff4, 10)

10-08-2008 06:34:07 Local7.Debug 183.1.119.11 46
10/08/2008 06:31:41.830 SEV=7 CLIENT/34 RPT=11
CLIENT_BuildResponse(3843ff4, 10)

10-08-2008 06:34:07 Local7.Notice 183.1.119.11 45
10/08/2008 06:31:41.830 SEV=4 CLIENT/7 RPT=6 Transaction timed out

10-08-2008 06:34:07 Local7.Debug 183.1.119.11 44
10/08/2008 06:31:41.830 SEV=7 CLIENT/32 RPT=6 CLIENT_Timeout(3843ff4, 10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 43
10/08/2008 06:31:31.970 SEV=9 CLIENT/24 RPT=14 Number of bytes still
needed: 111

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 42
10/08/2008 06:31:31.970 SEV=7 CLIENT/33 RPT=14 CLIENT_ProcSvrData(3843ff4,
10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 41
10/08/2008 06:31:31.970 SEV=7 CLIENT/31 RPT=14 CLIENT_RcvResp(3843ff4, 10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 40
10/08/2008 06:31:31.960 SEV=9 CLIENT/24 RPT=13 Number of bytes still
needed: 111

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 39
10/08/2008 06:31:31.960 SEV=7 CLIENT/33 RPT=13 CLIENT_ProcSvrData(3843ff4,
10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 38
10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=27 Received HTTP Header line:
Content-Length: 111

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 37
10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=26 Received HTTP Header line:
Content-Type: text/html

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 36
10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=25 Received HTTP Header line:
Date: Wed, 08 Oct 2008 10:33:57 GMT

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 35
10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=24 Received HTTP Header line:
Server: Microsoft-IIS/5.0

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 34
10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=23 Received HTTP Header line:
HTTP/1.1 404 Object Not Found

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 33
10/08/2008 06:31:31.960 SEV=7 CLIENT/31 RPT=13 CLIENT_RcvResp(3843ff4, 10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 31
10/08/2008 06:31:31.830 SEV=9 CLIENT/21 RPT=6 HTTP client sending GET
/certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn-------3005
HTTP/1.0...

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 30
10/08/2008 06:31:31.830 SEV=7 CLIENT/30 RPT=11 CLIENT_SendReq(3843ff4, 10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 29
10/08/2008 06:31:31.830 SEV=7 CLIENT/5 RPT=11 No filter configured on
interface 2

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 28
10/08/2008 06:31:31.830 SEV=7 CLIENT/37 RPT=11 CLIENT_OpenFilter(3843ff4,
10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 27
10/08/2008 06:31:31.830 SEV=7 CLIENT/29 RPT=11 CLIENT_BuildReq(3843ff4, 10)

10-08-2008 06:33:57 Local7.Debug 183.1.119.11 26
10/08/2008 06:31:31.830 SEV=7 CLIENT/28 RPT=11
CLIENT_InitiateRequest(3843ff4, 10)

_____

From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
Sent: Wednesday, October 08, 2008 5:54 AM
To: Tim
Cc: security@groupstudy.com
Subject: Re: Problems installing CA cert on VPN 3005

Did you enable the SCEP traffic both ways on the VPNC Public Filter?

Also, is your CA fixed now? You had issues with R4 before (SCEP related).

Are you logging to the maximum level for those EVENT classes in the VPNC?

Regards

Farrukh


On Wed, Oct 8, 2008 at 12:46 PM, Tim <ccie2be@nyc.rr.com> wrote:

Farrukh,

I DID exactly follow that procedure which is why I'm so baffled.

I set a hostname and domain name, set the clock, and followed that procedure
exactly.

From the syslog below, you can see some messages (message 20 and 23) that
indicate problems but I don't know what to do to fix those problems.

Do you know if there's a way I can get more detailed syslog messages?

The docs say to enable syslog classes CERT and CLIENT which I did but as you
can see from the output below, it doesn't tell you very much useful info.

Any ideas?

Thanks so much for all your help.

Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: Tuesday, October 07, 2008 10:40 PM
To: Tim
Cc: security@groupstudy.com
Subject: Re: Problems installing CA cert on VPN 3005

Please try to follow the step by step procedure as outlined on the following
link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a008009406e.shtml

Regards

Farrukh

On Wed, Oct 8, 2008 at 2:32 AM, Tim <ccie2be@nyc.rr.com> wrote:

> Hi Guys,
>
> I'm trying to install the CA cert on a VPN 3005 using SCEP.
>
> The CA is on the same subnet as the public interface of the VPN 3005.
>
> Both devices can ping each other.
>
> The date/time on both devices is the same.
>
> I have successfully installed the CA cert on other devices in the network
> so I know the CA is properly configured.
>
> Below is the output of the log file from the VPN 3005.
>
> Can anyone see what the problem is from looking at the log output below?
>
> If not, any ideas on how to troubleshoot this problem?
>
> Thanks kindly, Tim
>
> 1 10/07/2008 19:23:50.590 SEV=7 CLIENT/28 RPT=10
> CLIENT_InitiateRequest(38134c4, 9)
>
> 2 10/07/2008 19:23:50.590 SEV=7 CLIENT/29 RPT=10
> CLIENT_BuildReq(38134c4, 9)
>
> 3 10/07/2008 19:23:50.590 SEV=7 CLIENT/37 RPT=10
> CLIENT_OpenFilter(38134c4, 9)
>
> 4 10/07/2008 19:23:50.590 SEV=7 CLIENT/5 RPT=10
> No filter configured on interface 2
>
> 5 10/07/2008 19:23:50.590 SEV=7 CLIENT/30 RPT=10
> CLIENT_SendReq(38134c4, 9)
>
> 6 10/07/2008 19:23:50.590 SEV=9 CLIENT/21 RPT=5
> HTTP client sending GET
> /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn
> ---3005 HTTP/1.0
>
> 8 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=11
> CLIENT_RcvResp(38134c4, 9)
>
> 9 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=18
> Received HTTP Header line: HTTP/1.1 404 Object Not Found
>
> 10 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=19
> Received HTTP Header line: Server: Microsoft-IIS/5.0
>
> 11 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=20
> Received HTTP Header line: Date: Tue, 07 Oct 2008 23:26:13 GMT
>
> 12 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=21
> Received HTTP Header line: Content-Type: text/html
>
> 13 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=22
> Received HTTP Header line: Content-Length: 111
>
> 14 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=11
> CLIENT_ProcSvrData(38134c4, 9)
>
> 15 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=11
> Number of bytes still needed: 111
>
> 16 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=12
> CLIENT_RcvResp(38134c4, 9)
>
> 17 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=12
> CLIENT_ProcSvrData(38134c4, 9)
>
> 18 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=12
> Number of bytes still needed: 111
>
> 19 10/07/2008 19:24:00.590 SEV=7 CLIENT/32 RPT=5
> CLIENT_Timeout(38134c4, 9)
>
> 20 10/07/2008 19:24:00.590 SEV=4 CLIENT/7 RPT=5
> Transaction timed out
>
> 21 10/07/2008 19:24:00.590 SEV=7 CLIENT/34 RPT=10
> CLIENT_BuildResponse(38134c4, 9)
>
> 22 10/07/2008 19:24:00.590 SEV=7 CLIENT/35 RPT=10
> CLIENT_Callback(38134c4, 9)
>
> 23 10/07/2008 19:24:00.590 SEV=4 CERT/73 RPT=10
> An error occurred during the transport of the SCEP message via HTTP.
> See the CLIENT event class for more information.
>
> 25 10/07/2008 19:24:00.590 SEV=7 CLIENT/36 RPT=10
> CLIENT_Cleanup(38134c4, 9)

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST