Certificate on router and SDM access?

Unanswered Question
Dec 1st, 2008
User Badges:
  • Gold, 750 points or more

I have a 877 router running the latest 12.4(22)T Advanced IP Services. I have an issue using SDM over HTTPS where the IPS module fails to work. If I connect over HTTP with SDM it does work. Previously I had 12.4(15)T7 and SDM over HTTPS worked perfectly.


The router has a certificate installed from a Microsoft Windows 2003 Enterprise CA with the SCEP addon istalled. The IPSec (offline request) template has been modified to include 'Server Authentication'. I have debugged crypto & HTTP and the following messages seem to indicate a certificate issue:


1200960: Dec 1 15:19:03.540 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200961: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200962: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200963: Dec 1 15:19:14.892 GMT: crypto_engine: Decrypt with private key

1200964: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200965: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200966: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200967: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200968: Dec 1 15:19:15.124 GMT: %HTTPS: SSL read fail (-6992)

1200969: Dec 1 15:19:23.550 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1201104: Dec 1 15:28:18.234 GMT: %HTTPS: SSL read fail (-6992)


I can connect to the router via a browser using HTTPS and the pages appear correctly, however the messages appear in debug as above.

Can anyone shed any light on what is or isn't happening?


Andy

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
andrew.butterworth Fri, 12/05/2008 - 06:05
User Badges:
  • Gold, 750 points or more

I have been looking into this a bit more today as I have had some free time. I have zeroized the crypto key, removed the trustpoint and all certificates associated with it and regenerated the RSA keypair (general-usage-key modulus 1024). I have then attempted to use SDM again and it still fails when discovering the router at the point where it reads the crypto configuration. So it is the same behaviour whether there is an enrolled certificate or a self-signed one, therefore eliminating my CA and the Certificate template.


I am convinced this is a 12.4(22)T bug or new feature. Has anyone else experience with 12.4(22)T and Crypto/IPS with SDM 2.5?


Andy

Actions

This Discussion