Re: Problems installing CA cert on VPN 3005

From: Brandon Carroll (brandon.carroll@ascolta.com)
Date: Wed Oct 08 2008 - 15:55:39 ART


This has probably already been asked, but is SCEP installed on the CA
server? It's not there on an MS server by default.

Just a thought.

Brandon Carroll
Senior Instructor
Ascolta
606 120th Ave NE
D-201
Bellevue, Wa. 98056

ph.206-850-2384

brandon.carroll@ascolta.com
http://www.ascolta.com
http://www.globalconfig.net
http://ccieprep.me

On Oct 8, 2008, at 11:26 AM, Farrukh Haroon wrote:

> Why don't you try manual enrollment? It could be an SCEP-related issue.
>
> Regards
>
> Farrukh
>
> On Wed, Oct 8, 2008 at 6:29 PM, Tim <ccie2be@nyc.rr.com> wrote:
>
>> Hi Guys,
>>
>> I have a VPN 3005 and CA server on the same subnet.
>>
>> CA .101 -------- 183.1.119.x ------ .11 VPN 3k public Int
>>
>> Both devices have their date and time set to match.
>>
>> The VPN3k is configured with a domain name and a host name and doesn't have
>> any filter on its public int so all traffic is allowed.
>>
>> The CA Server (a Windows 2000 Server) has successfully issued Certs to
>> other devices in the network.
>>
>> Several times I tried to install the CA cert on the VPN 3k but it doesn't
>> work. To see what's going on I turned on logging to the max level on the
>> VPN 3k.
>>
>> I sent the syslog output to Kiwi syslog which is easier to read and is on
>> the same box as the CA. The output is shown below.
>>
>> Notice message #29, 34 (Object not found), 45 and 48.
>>
>> I wish I knew what those messages were telling me and what I could do to
>> fix the problem.
>>
>> Can anyone help me understand what's going on and what needs to be done to
>> fix this problem?
>>
>> Thanks, Tim
>>
>> message #
>> |
>> V
>>
>> 10-08-2008 06:34:07 Local7.Notice 183.1.119.11 48 10/08/2008 06:31:41.830 SEV=4 CERT/73 RPT=11 An error occurred during the transport of the SCEP message via HTTP. See the CLIENT event class for more information.
>>
>> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 47 10/08/2008 06:31:41.830 SEV=7 CLIENT/35 RPT=11 CLIENT_Callback(3843ff4, 10)
>>
>> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 46 10/08/2008 06:31:41.830 SEV=7 CLIENT/34 RPT=11 CLIENT_BuildResponse(3843ff4, 10)
>>
>> 10-08-2008 06:34:07 Local7.Notice 183.1.119.11 45 10/08/2008 06:31:41.830 SEV=4 CLIENT/7 RPT=6 Transaction timed out
>>
>> 10-08-2008 06:34:07 Local7.Debug 183.1.119.11 44 10/08/2008 06:31:41.830 SEV=7 CLIENT/32 RPT=6 CLIENT_Timeout(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 43 10/08/2008 06:31:31.970 SEV=9 CLIENT/24 RPT=14 Number of bytes still needed: 111
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 42 10/08/2008 06:31:31.970 SEV=7 CLIENT/33 RPT=14 CLIENT_ProcSvrData(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 41 10/08/2008 06:31:31.970 SEV=7 CLIENT/31 RPT=14 CLIENT_RcvResp(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 40 10/08/2008 06:31:31.960 SEV=9 CLIENT/24 RPT=13 Number of bytes still needed: 111
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 39 10/08/2008 06:31:31.960 SEV=7 CLIENT/33 RPT=13 CLIENT_ProcSvrData(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 38 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=27 Received HTTP Header line: Content-Length: 111
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 37 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=26 Received HTTP Header line: Content-Type: text/html
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 36 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=25 Received HTTP Header line: Date: Wed, 08 Oct 2008 10:33:57 GMT
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 35 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=24 Received HTTP Header line: Server: Microsoft-IIS/5.0
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 34 10/08/2008 06:31:31.960 SEV=9 CLIENT/22 RPT=23 Received HTTP Header line: HTTP/1.1 404 Object Not Found
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 33 10/08/2008 06:31:31.960 SEV=7 CLIENT/31 RPT=13 CLIENT_RcvResp(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 31 10/08/2008 06:31:31.830 SEV=9 CLIENT/21 RPT=6 HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn-------3005 HTTP/1.0...
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 30 10/08/2008 06:31:31.830 SEV=7 CLIENT/30 RPT=11 CLIENT_SendReq(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 29 10/08/2008 06:31:31.830 SEV=7 CLIENT/5 RPT=11 No filter configured on interface 2
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 28 10/08/2008 06:31:31.830 SEV=7 CLIENT/37 RPT=11 CLIENT_OpenFilter(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 27 10/08/2008 06:31:31.830 SEV=7 CLIENT/29 RPT=11 CLIENT_BuildReq(3843ff4, 10)
>>
>> 10-08-2008 06:33:57 Local7.Debug 183.1.119.11 26 10/08/2008 06:31:31.830 SEV=7 CLIENT/28 RPT=11 CLIENT_InitiateRequest(3843ff4, 10)
>>
>>
>>
>> _____
>>
>> From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
>> Sent: Wednesday, October 08, 2008 5:54 AM
>> To: Tim
>> Cc: security@groupstudy.com
>> Subject: Re: Problems installing CA cert on VPN 3005
>>
>> Did you enable the SCEP traffic both ways on the VPNC Public Filter?
>>
>> Also, is your CA fixed now? You had issues with R4 before (SCEP related).
>>
>> Are you logging to the maximum level for those EVENT classes in the VPNC?
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, Oct 8, 2008 at 12:46 PM, Tim <ccie2be@nyc.rr.com> wrote:
>>
>> Farrukh,
>>
>> I DID exactly follow that procedure which is why I'm so baffled.
>>
>> I set a hostname and domain name, set the clock, and followed that
>> procedure exactly.
>>
>> From the syslog below, you can see some messages (message 20 and 23) that
>> indicate problems but I don't know what to do to fix those problems.
>>
>> Do you know if there's a way I can get more detailed syslog messages?
>>
>> The docs say to enable syslog classes CERT and CLIENT which I did but as
>> you can see from the output below, it doesn't tell you very much useful
>> info.
>>
>> Any ideas?
>>
>> Thanks so much for all your help.
>>
>> Tim
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Farrukh Haroon
>> Sent: Tuesday, October 07, 2008 10:40 PM
>> To: Tim
>> Cc: security@groupstudy.com
>> Subject: Re: Problems installing CA cert on VPN 3005
>>
>> Please try to follow the step-by-step procedure as outlined on the
>> following link:
>>
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a008009406e.shtml
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, Oct 8, 2008 at 2:32 AM, Tim <ccie2be@nyc.rr.com> wrote:
>>
>>> Hi Guys,
>>>
>>> I'm trying to install the CA cert on a VPN 3005 using SCEP.
>>>
>>> The CA is on the same subnet as the public interface of the VPN 3005.
>>>
>>> Both devices can ping each other.
>>>
>>> The date/time on both devices are the same.
>>>
>>> I have successfully installed the CA cert on other devices in the network
>>> so I know the CA is properly configured.
>>>
>>> Below is the output of the log file from the VPN 3005.
>>>
>>> Can anyone see what the problem is from looking at the log output below?
>>>
>>> If not, any ideas on how to troubleshoot this problem?
>>>
>>> Thanks kindly, Tim
>>>
>>> 1 10/07/2008 19:23:50.590 SEV=7 CLIENT/28 RPT=10
>>> CLIENT_InitiateRequest(38134c4, 9)
>>>
>>> 2 10/07/2008 19:23:50.590 SEV=7 CLIENT/29 RPT=10
>>> CLIENT_BuildReq(38134c4, 9)
>>>
>>> 3 10/07/2008 19:23:50.590 SEV=7 CLIENT/37 RPT=10
>>> CLIENT_OpenFilter(38134c4, 9)
>>>
>>> 4 10/07/2008 19:23:50.590 SEV=7 CLIENT/5 RPT=10
>>> No filter configured on interface 2
>>>
>>> 5 10/07/2008 19:23:50.590 SEV=7 CLIENT/30 RPT=10
>>> CLIENT_SendReq(38134c4, 9)
>>>
>>> 6 10/07/2008 19:23:50.590 SEV=9 CLIENT/21 RPT=5
>>> HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn---3005 HTTP/1.0
>>>
>>> 8 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=11
>>> CLIENT_RcvResp(38134c4, 9)
>>>
>>> 9 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=18
>>> Received HTTP Header line: HTTP/1.1 404 Object Not Found
>>>
>>> 10 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=19
>>> Received HTTP Header line: Server: Microsoft-IIS/5.0
>>>
>>> 11 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=20
>>> Received HTTP Header line: Date: Tue, 07 Oct 2008 23:26:13 GMT
>>>
>>> 12 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=21
>>> Received HTTP Header line: Content-Type: text/html
>>>
>>> 13 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=22
>>> Received HTTP Header line: Content-Length: 111
>>>
>>> 14 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=11
>>> CLIENT_ProcSvrData(38134c4, 9)
>>>
>>> 15 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=11
>>> Number of bytes still needed: 111
>>>
>>> 16 10/07/2008 19:23:50.790 SEV=7 CLIENT/31 RPT=12
>>> CLIENT_RcvResp(38134c4, 9)
>>>
>>> 17 10/07/2008 19:23:50.790 SEV=7 CLIENT/33 RPT=12
>>> CLIENT_ProcSvrData(38134c4, 9)
>>>
>>> 18 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=12
>>> Number of bytes still needed: 111
>>>
>>> 19 10/07/2008 19:24:00.590 SEV=7 CLIENT/32 RPT=5
>>> CLIENT_Timeout(38134c4, 9)
>>>
>>> 20 10/07/2008 19:24:00.590 SEV=4 CLIENT/7 RPT=5
>>> Transaction timed out
>>>
>>> 21 10/07/2008 19:24:00.590 SEV=7 CLIENT/34 RPT=10
>>> CLIENT_BuildResponse(38134c4, 9)
>>>
>>> 22 10/07/2008 19:24:00.590 SEV=7 CLIENT/35 RPT=10
>>> CLIENT_Callback(38134c4, 9)
>>>
>>> 23 10/07/2008 19:24:00.590 SEV=4 CERT/73 RPT=10
>>> An error occurred during the transport of the SCEP message via HTTP.
>>> See the CLIENT event class for more information.
>>>
>>> 25 10/07/2008 19:24:00.590 SEV=7 CLIENT/36 RPT=10
>>> CLIENT_Cleanup(38134c4, 9)
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
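To read Tim's two log dumps against Brandon's suggestion, here is an added Python example (it is not from the thread, from Cisco, or from any poster) that parses the concentrator's CLIENT/CERT event lines, rejoins message text that was wrapped in the mail, and turns the 404 on the mscep.dll URL plus the later timeout into a plain-language finding. The event-line layout (`seq date time SEV=n CLASS/id RPT=n message`) is taken from the dumps above as they appear, not from a documented format; the sample events are copied from the first log in the thread with the GET line rejoined; and the interpretation follows Brandon's point that SCEP is not present on a Windows CA by default, so a 404 there rules out clock, filter and hostname causes until the URL answers.

```python
"""Explain a failed SCEP GetCACert exchange from VPN 3000 concentrator event lines.
Added example; assumes the event-line layout seen in the thread's log dumps."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Event header as it appears in the pasted log:
#   <seq> <MM/DD/YYYY> <HH:MM:SS.mmm> SEV=<n> <CLASS>/<id> RPT=<n> [message]
# The message may sit on the same line or spill onto following lines.
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)\s*(?P<msg>.*)$"
)
GET_RE = re.compile(r"HTTP client sending GET\s+(\S+)")
STATUS_RE = re.compile(r"Received HTTP Header line:\s*HTTP/1\.[01]\s+(\d{3})")
CTYPE_RE = re.compile(r"Received HTTP Header line:\s*Content-Type:\s*(\S+)")


@dataclass
class Event:
    seq: int
    sev: int
    cls: str
    code: int
    msg: str


@dataclass
class Diagnosis:
    request_path: Optional[str] = None
    http_status: Optional[int] = None
    content_type: Optional[str] = None
    timed_out: bool = False
    findings: List[str] = field(default_factory=list)


def parse_events(text: str) -> List[Event]:
    """Turn a pasted event dump into Event records; lines that are not a header
    are glued back onto the message of the header before them."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(int(m["seq"]), int(m["sev"]), m["cls"],
                                int(m["code"]), m["msg"].strip()))
        elif events:
            events[-1].msg = (events[-1].msg + " " + line).strip()
    return events


def diagnose_scep(events: List[Event]) -> Diagnosis:
    """Correlate the HTTP request, response headers and timeout of one exchange."""
    d = Diagnosis()
    for ev in events:
        if ev.cls == "CLIENT" and ev.code == 21:        # request sent to the CA
            m = GET_RE.search(ev.msg)
            if m:
                d.request_path = m.group(1)
        elif ev.cls == "CLIENT" and ev.code == 22:      # one response header line
            m = STATUS_RE.search(ev.msg)
            if m:
                d.http_status = int(m.group(1))
            m = CTYPE_RE.search(ev.msg)
            if m:
                d.content_type = m.group(1)
        elif ev.cls == "CLIENT" and ev.code == 7:       # "Transaction timed out"
            d.timed_out = True

    if d.http_status == 404 and d.request_path and "mscep.dll" in d.request_path:
        d.findings.append(
            "CA web server answered 404 for the SCEP URL (/certsrv/mscep/mscep.dll): "
            "the SCEP (MSCEP) component is not installed or not published on that IIS; "
            "clock, filters and hostname cannot matter until this URL answers.")
    elif d.http_status is not None and d.http_status >= 400:
        d.findings.append(f"CA web server rejected the enrollment request with HTTP {d.http_status}.")
    elif d.content_type == "text/html":
        d.findings.append("CA returned an HTML page instead of a certificate body; "
                          "the request is not reaching the SCEP handler.")
    if d.timed_out:
        d.findings.append("'Transaction timed out' is a secondary symptom: the concentrator was "
                          "still waiting for the response body when its timer expired. "
                          "Fix the HTTP error first.")
    if not d.findings:
        d.findings.append("No HTTP error or timeout seen; look at CERT events for a PKI-level cause.")
    return d


# Sample input: events copied from the first log in the thread (GET line rejoined).
SAMPLE_LOG = """
1 10/07/2008 19:23:50.590 SEV=7 CLIENT/28 RPT=10
CLIENT_InitiateRequest(38134c4, 9)
4 10/07/2008 19:23:50.590 SEV=7 CLIENT/5 RPT=10
No filter configured on interface 2
6 10/07/2008 19:23:50.590 SEV=9 CLIENT/21 RPT=5
HTTP client sending GET
/certsrv/mscep/mscep.dll?operation=GetCACert&message=vpn---3005 HTTP/1.0
9 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=18
Received HTTP Header line: HTTP/1.1 404 Object Not Found
12 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=21
Received HTTP Header line: Content-Type: text/html
13 10/07/2008 19:23:50.790 SEV=9 CLIENT/22 RPT=22
Received HTTP Header line: Content-Length: 111
15 10/07/2008 19:23:50.790 SEV=9 CLIENT/24 RPT=11
Number of bytes still needed: 111
20 10/07/2008 19:24:00.590 SEV=4 CLIENT/7 RPT=5
Transaction timed out
23 10/07/2008 19:24:00.590 SEV=4 CERT/73 RPT=10
An error occurred during the transport of the SCEP message via HTTP.
See the CLIENT event class for more information.
"""

if __name__ == "__main__":
    for finding in diagnose_scep(parse_events(SAMPLE_LOG)).findings:
        print("-", finding)
```

Feed it the raw event dump (wrapped lines and all) and it reports the 404 on the MSCEP URL as the primary cause and the ten-second "Transaction timed out" as a consequence of the unread error body, which is the order in which the two symptoms in messages 20/23 and 45/48 should be chased.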


This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST