Re: FW: Problems installing CA cert on VPN 3005

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Wed Oct 08 2008 - 15:26:12 ART


Why don't you try manual enrollment? It could be an SCEP-related issue.

Regards

Farrukh

On Wed, Oct 8, 2008 at 6:29 PM, Tim <ccie2be@nyc.rr.com> wrote:

> Hi Guys,
>
> I have a VPN 3005 and CA server on the same subnet.
>
> CA .101 -------- 183.1.119.x ------ .11 VPN 3k public Int
>
> Both devices have their date and time set to match.
>
> The VPN3k is configured with a domain name and a host name and doesn't have
> any filter on its public int so all traffic is allowed.
>
> The CA Server (a Windows 2000 Server) has successfully issued Certs to
> other devices in the network.
>
> Several times I tried to install the CA cert on the VPN 3k but it doesn't
> work. To see what's going on I turned on logging to the max level on the
> VPN 3k.
>
> I sent the syslog output to Kiwi syslog which is easier to read and is on
> the same box as the CA. The output is shown below.
>
> Notice message #29, 34 (Object not found), 45 and 48.
>
> I wish I knew what those messages were telling me and what I could do to
> fix the problem.
>
> Can anyone help me understand what's going on and what needs to be done to
> fix this problem?
>
> Thanks, Tim
>
> message #
> |
> V
>
> 10-08-2008 06:34:07 Local7.Notice 183.1.119.11 48
> 10/08/2008 06:31:41.830 SEV=4 CERT/73 RPT=11 An error occurred during the
> transport of the SCEP message via HTTP. See the CLIENT event class for more
> information.
>
> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 47
> 10/08/2008 06:31:41.830 SEV=7 CLIENT/35 RPT=11 CLIENT_Callback(3843ff4,
> 10)
>
> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 46
> 10/08/2008 06:31:41.830 SEV=7 CLIENT/34 RPT=11
> CLIENT_BuildResponse(3843ff4, 10)
>
> 10-08-2008 06:34:07 Local7.Notice 183.1.119.11 45
> 10/08/2008 06:31:41.830 SEV=4 CLIENT/7 RPT=6 Transaction timed out
>
> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 44
> 10/08/2008 06:31:41.830 SEV=7 CLIENT/32 RPT=6 CLIENT_Timeout(3843ff4, 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 43
> 10/08/2008 06:31:31.970 SEV=9 CLIENT/24 RPT=14 Number of bytes still
> needed: 111
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 42
> 10/08/2008 06:31:31.970 SEV=7 CLIENT/33 RPT=14 CLIENT_ProcSvrData(3843ff4,
> 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 41
> 10/08/2008 06:31:31.970 SEV=7 CLIENT/31 RPT=14 CLIENT_RcvResp(3843ff4, 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 40
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/24 RPT=13 Number of bytes still
> needed: 111
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 39
> 10/08/2008 06:31:31.960 SEV=7 CLIENT/33 RPT=13 CLIENT_ProcSvrData(3843ff4,
> 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 38
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=27 Received HTTP Header line:
> Content-Length: 111
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 37
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=26 Received HTTP Header line:
> Content-Type: text/html
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 36
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=25 Received HTTP Header line:
> Date: Wed, 08 Oct 2008 10:33:57 GMT
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 35
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=24 Received HTTP Header line:
> Server: Microsoft-IIS/5.0
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 34
> 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=23 Received HTTP Header line:
> HTTP/1.1 404 Object Not Found
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 33
> 10/08/2008 06:31:31.960 SEV=7 CLIENT/31 RPT=13 CLIENT_RcvResp(3843ff4, 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 31
> 10/08/2008 06:31:31.830 SEV=9 CLIENT/21 RPT=6 HTTP client sending GET
> /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn-------3005
> HTTP/1.0...
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 30
> 10/08/2008 06:31:31.830 SEV=7 CLIENT/30 RPT=11 CLIENT_SendReq(3843ff4, 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 29
> 10/08/2008 06:31:31.830 SEV=7 CLIENT/5 RPT=11 No filter configured on
> interface 2
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 28
> 10/08/2008 06:31:31.830 SEV=7 CLIENT/37 RPT=11 CLIENT_OpenFilter(3843ff4,
> 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 27
> 10/08/2008 06:31:31.830 SEV=7 CLIENT/29 RPT=11 CLIENT_BuildReq(3843ff4,
> 10)
>
> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 26
> 10/08/2008 06:31:31.830 SEV=7 CLIENT/28 RPT=11
> CLIENT_InitiateRequest(3843ff4, 10)
>
>
> _____
>
> From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
> Sent: Wednesday, October 08, 2008 5:54 AM
> To: Tim
> Cc: security@groupstudy.com
> Subject: Re: Problems installing CA cert on VPN 3005
>
> Did you enable the SCEP traffic both ways on the VPNC Public Filter?
>
> Also is your CA fixed now, you had issues with R4 before (SCEP related)?
>
> Are you logging to the maximum level for those EVENT classes in the VPNC?
>
> Regards
>
> Farrukh
>
> On Wed, Oct 8, 2008 at 12:46 PM, Tim <ccie2be@nyc.rr.com> wrote:
>
> Farrukh,
>
> I DID exactly follow that procedure which is why I'm so baffled.
>
> I set a hostname and domain name, set the clock, and followed that
> procedure exactly.
>
> From the syslog below, you can see some messages (message 20 and 23) that
> indicate problems but I don't know what to do to fix those problems.
>
> Do you know if there's a way I can get more detailed syslog messages?
>
> The docs say to enable syslog classes CERT and CLIENT which I did but as
> you can see from the output below, it doesn't tell you very much useful info.
>
> Any ideas?
>
> Thanks so much for all your help.
>
> Tim
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Farrukh Haroon
> Sent: Tuesday, October 07, 2008 10:40 PM
> To: Tim
> Cc: security@groupstudy.com
> Subject: Re: Problems installing CA cert on VPN 3005
>
> Please try to follow the step by step procedure as outlined on the
> following link:
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a008009406e.shtml
>
> Regards
>
> Farrukh
>
> On Wed, Oct 8, 2008 at 2:32 AM, Tim <ccie2be@nyc.rr.com> wrote:
>
> > Hi Guys,
> >
> > I'm trying to install the CA cert on a VPN 3005 using SCEP.
> >
> > The CA is on the same subnet as the public interface of the VPN 3005.
> >
> > Both devices can ping each other.
> >
> > The date/time on both devices are the same.
> >
> > I have successfully installed the CA cert on other devices in the network
> > so I know the CA is properly configured.
> >
> > Below is the output of the log file from the VPN 3005.
> >
> > Can anyone see what the problem is from looking at the log output below?
> >
> > If not, any ideas on how to troubleshoot this problem?
> >
> > Thanks kindly, Tim
> >
> > 1 10/07/2008 19:23:50.590 SEV=7 CLIENT/28 RPT=10
> > CLIENT_InitiateRequest(38134c4, 9)
> >
> > 2 10/07/2008 19:23:50.590 SEV=7 CLIENT/29 RPT=10
> > CLIENT_BuildReq(38134c4, 9)
> >
> > 3 10/07/2008 19:23:50.590 SEV=7 CLIENT/37 RPT=10
> > CLIENT_OpenFilter(38134c4, 9)
> >
> > 4 10/07/2008 19:23:50.590 SEV=7 CLIENT/5 RPT=10
> > No filter configured on interface 2
> >
> > 5 10/07/2008 19:23:50.590 SEV=7 CLIENT/30 RPT=10
> > CLIENT_SendReq(38134c4, 9)
> >
> > 6 10/07/2008 19:23:50.590 SEV=9 CLIENT/21 RPT=5
> > HTTP client sending GET
> > /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn
> > ---3005 HTTP/1.0
> >
> > 8 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=11
> > CLIENT_RcvResp(38134c4, 9)
> >
> > 9 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=18
> > Received HTTP Header line: HTTP/1.1 404 Object Not Found
> >
> > 10 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=19
> > Received HTTP Header line: Server: Microsoft-IIS/5.0
> >
> > 11 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=20
> > Received HTTP Header line: Date: Tue, 07 Oct 2008 23:26:13 GMT
> >
> > 12 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=21
> > Received HTTP Header line: Content-Type: text/html
> >
> > 13 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=22
> > Received HTTP Header line: Content-Length: 111
> >
> > 14 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=11
> > CLIENT_ProcSvrData(38134c4, 9)
> >
> > 15 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=11
> > Number of bytes still needed: 111
> >
> > 16 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=12
> > CLIENT_RcvResp(38134c4, 9)
> >
> > 17 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=12
> > CLIENT_ProcSvrData(38134c4, 9)
> >
> > 18 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=12
> > Number of bytes still needed: 111
> >
> > 19 10/07/2008 19:24:00.590 SEV=7 CLIENT/32 RPT=5
> > CLIENT_Timeout(38134c4, 9)
> >
> > 20 10/07/2008 19:24:00.590 SEV=4 CLIENT/7 RPT=5
> > Transaction timed out
> >
> > 21 10/07/2008 19:24:00.590 SEV=7 CLIENT/34 RPT=10
> > CLIENT_BuildResponse(38134c4, 9)
> >
> > 22 10/07/2008 19:24:00.590 SEV=7 CLIENT/35 RPT=10
> > CLIENT_Callback(38134c4, 9)
> >
> > 23 10/07/2008 19:24:00.590 SEV=4 CERT/73 RPT=10
> > An error occurred during the transport of the SCEP message via HTTP.
> > See the CLIENT event class for more information.
> >
> > 25 10/07/2008 19:24:00.590 SEV=7 CLIENT/36 RPT=10
> > CLIENT_Cleanup(38134c4, 9)
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

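As an added illustration (not part of the thread, and not Cisco's or Kiwi's code), the following Python parser reads VPN 3000 concentrator CLIENT-class event lines like the ones Tim posted, whether taken from the concentrator's own log or relayed through Kiwi syslog, and folds the GET / 404 / "bytes still needed" / timeout sequence into a one-line verdict. The sample lines are constructed from the thread; the `message=vpn-3005` value is a placeholder for the CA identifier.

```python
import re
from dataclasses import dataclass

# Event part of a VPN 3000 concentrator log line. re.search() lets one pattern handle
# lines read on the concentrator and lines relayed by Kiwi, which prepends its own prefix.
EVENT_RE = re.compile(r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<id>\d+) RPT=\d+ (?P<msg>.*)")
GET_RE = re.compile(r"HTTP client sending GET (\S+)")
STATUS_RE = re.compile(r"Received HTTP Header line: HTTP/1\.[01] (\d{3})")
NEEDED_RE = re.compile(r"Number of bytes still needed: (\d+)")

@dataclass
class ScepDiagnosis:
    request_path: str = ""      # SCEP URL the concentrator requested from the CA
    http_status: int = 0        # status the CA answered with (0 = no status line seen)
    bytes_outstanding: int = 0  # body bytes still unread when the client gave up
    timed_out: bool = False     # CLIENT/7 "Transaction timed out" was logged

def diagnose_scep(lines):
    d = ScepDiagnosis()
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m["cls"] != "CLIENT":
            continue                      # not a CLIENT-class event line
        msg = m["msg"].strip()
        if g := GET_RE.search(msg):
            d.request_path = g[1]
        elif s := STATUS_RE.search(msg):
            d.http_status = int(s[1])
        elif n := NEEDED_RE.search(msg):
            d.bytes_outstanding = int(n[1])
        elif m["id"] == "7":
            d.timed_out = True
    return d

def verdict(d):
    # Plain-language reading of the diagnosis, most specific cause first.
    if d.http_status == 0:
        return "no HTTP status from the CA: check reachability and the public-interface filter"
    if d.http_status == 404:
        return (f"CA reached but 404 for {d.request_path}: nothing is served at that path, "
                "so check that the SCEP add-on (mscep.dll) is installed and published there")
    if d.timed_out:
        return f"HTTP {d.http_status} but timed out with {d.bytes_outstanding} body bytes unread"
    return f"HTTP {d.http_status}; no transport error"

# Constructed sample, condensed from the thread's log; the message= value is a placeholder.
SAMPLE_LOG = [
    "6 10/07/2008 19:23:50.590 SEV=9 CLIENT/21 RPT=5 HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn-3005 HTTP/1.0",
    "9 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=18 Received HTTP Header line: HTTP/1.1 404 Object Not Found",
    "18 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=12 Number of bytes still needed: 111",
    "20 10/07/2008 19:24:00.590 SEV=4 CLIENT/7 RPT=5 Transaction timed out",
]
```

Running `verdict(diagnose_scep(SAMPLE_LOG))` on the sample points at the 404, i.e. the request reached IIS but nothing answers at the mscep.dll path, which is a different problem from a blocked filter or a clock mismatch.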
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST