Re: DO NOT USE RSA-SIG on asa802-k8.bin

From: David Vasek <david.netgod_at_gmail.com>
Date: Sat, 2 May 2009 07:40:16 -0500

Where are you seeing 8.2? I just checked CCO and don't see it.

On May 2, 2009, at 1:26 AM, Farrukh Haroon wrote:

> Btw, we have ASA 8.2 out now. Also there is an IPS module for the 5505, but
> it does not support all the features (otherwise it would be a really nice
> addition to the CCIE Security home lab):
>
> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-525310.html
>
> *Q.* How is the Cisco AIP SSC-5 feature set different from the Cisco AIP
> SSM-10, AIP SSM-20, and AIP SSM-40?
> *A.* The Cisco AIP SSC-5 software is based on the same IPS software as that
> of the Cisco AIP SSM-10, AIP-SSM20, and AIP-SSM40. However, the Cisco AIP
> SSC-5 does not support Cisco Global Correlation, Cisco Anomaly Detection,
> virtualization, and custom signature support. Customers requiring these
> features should consider the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40
> modules.
>
> And of course we have IPS 7.0 out now as well :)
>
> Regards
>
> Farrukh
>
>
> On Fri, May 1, 2009 at 10:48 PM, Sadiq Yakasai
> <sadiqtanko_at_gmail.com> wrote:
>
>> Right, I have some good news for anyone interested in this one:
>>
>> After digging up some information, this is what's going on:
>>
>> As of ASA Release 8.0.2 for IPSec (8.0.3.4 for SSL) connections, if the
>> KeyUsage extension is present it must have the Digital Signature bit set.
>>
>> Option 1: If the ExtendedKeyUsage extension is present it must contain one
>> of the following for IPsec:
>> * id-kp-clientAuth 1.3.6.1.5.5.7.3.2
>> * id-kp-ipsecEndSystem 1.3.6.1.5.5.7.3.5
>> * id-kp-ipsecTunnel 1.3.6.1.5.5.7.3.6
>> * id-kp-ipsecUser 1.3.6.1.5.5.7.3.7
>>
>> Option 2: You can disable the check in the trustpoint configuration with
>> the following (the default is "no ignore-ipsec-keyusage" and "no
>> ignore-ssl-keyusage"):
>> crypto ca trustpoint <trustpointname>
>>   ignore-ipsec-keyusage
>>   ignore-ssl-keyusage
>>
>> Since the new Lab exam has ver 8.x on it, this is one that folks would like
>> to keep an eye out for, I guess.
>>
>> HTH a little,
>> Sadiq
>>
>> On Thu, Apr 30, 2009 at 6:12 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
>> wrote:
>>
>>> Just to let you guys know... do not use this version of code on the
>>> ASA5510 with L2L VPN config with RSA-SIG!! It would keep telling you on
>>> the debugs that:
>>>
>>> %ASA-7-717025: Validating certificate chain containing 1 certificate(s).
>>> %ASA-7-717029: Identified client certificate within certificate chain.
>>> serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
>>> %ASA-7-717030: Found a suitable trustpoint CCIECA to validate certificate.
>>> %ASA-3-717009: Certificate validation failed. Peer certificate key usage is
>>> invalid, serial number: 1FF247D7000000000110, subject name: hostname=R5.ccie.com.
>>> %ASA-3-717027: Certificate chain failed validation. Certificate chain is
>>> either invalid or not authorized.
>>> %ASA-5-713904: Group = R5.ccie.com, IP = 150.1.5.5, Peer Certificate
>>> authentication failed: General Error
>>>
>>> This is all when you have EVERYTHING configured absolutely correct! All I
>>> did was downgrade the appliance to 7.2(4) and it works!
>>>
>>> Does anyone know what's going on here? :-)
>>>
>>> --
>>> CCIE #19963
>>>
>>
>>
>>
>> --
>> CCIE #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
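As an added example (not from the thread, and not Cisco's code), a small Python model of the 8.0.2 rule Sadiq describes, run on constructed DER-encoded KeyUsage and ExtendedKeyUsage extension values; the sample byte strings and the function names (parse_eku, asa_accepts_peer_cert) are this example's own, and the ignore flag stands in for the trustpoint's ignore-ipsec-keyusage command:

```python
from typing import List
# EKU OIDs the post lists as acceptable for IPsec peers
IPSEC_EKUS = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
}
# Constructed sample extension values (DER, short-form lengths), not from the thread
KU_ENC_ONLY = bytes.fromhex("03020520")                       # keyEncipherment only
KU_SIG_ENC = bytes.fromhex("030205a0")                        # digitalSignature + keyEncipherment
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")   # id-kp-serverAuth only
EKU_IPSEC_TUNNEL = bytes.fromhex("300a06082b06010505070306")  # id-kp-ipsecTunnel

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:  # base-128 arcs, high bit set = more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (tags 0x30 / 0x06)."""
    if der[0] != 0x30:
        raise ValueError("EKU extension is not a SEQUENCE")
    body, oids, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        length = body[i + 1]
        oids.append(decode_oid(body[i + 2:i + 2 + length]))
        i += 2 + length
    return oids

def has_digital_signature(key_usage_der: bytes) -> bool:
    """KeyUsage is a BIT STRING (tag 0x03, der[2] = unused-bit count);
    digitalSignature is bit 0, the MSB of the first content byte."""
    return key_usage_der[0] == 0x03 and bool(key_usage_der[3] & 0x80)

def asa_accepts_peer_cert(key_usage_der, eku_der, ignore_ipsec_keyusage=False):
    """The 8.0.2 rules from the post; the trustpoint knob ignore-ipsec-keyusage disables them."""
    if ignore_ipsec_keyusage:
        return True, "key-usage check disabled by ignore-ipsec-keyusage"
    if key_usage_der is not None and not has_digital_signature(key_usage_der):
        return False, "Peer certificate key usage is invalid: digitalSignature bit not set"
    if eku_der is not None and not any(o in IPSEC_EKUS for o in parse_eku(eku_der)):
        return False, "ExtendedKeyUsage present but has no IPsec-acceptable purpose"
    return True, "certificate key usage acceptable"
```

A certificate with neither extension passes, which is why the failure only shows up once the CA starts issuing certificates with a KeyUsage or EKU that the 8.0.2 check rejects.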

Received on Sat May 02 2009 - 07:40:16 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART