Certificate on router and SDM access?

I have an 877 router running the latest 12.4(22)T Advanced IP Services. I have an issue using SDM over HTTPS where the IPS module fails to work. If I connect over HTTP with SDM it does work. Previously I had 12.4(15)T7 and SDM over HTTPS worked perfectly.

The router has a certificate installed from a Microsoft Windows 2003 Enterprise CA with the SCEP add-on installed. The IPSec (offline request) template has been modified to include 'Server Authentication'. I have debugged crypto & HTTP and the following messages seem to indicate a certificate issue:

1200960: Dec 1 15:19:03.540 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200961: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200962: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200963: Dec 1 15:19:14.892 GMT: crypto_engine: Decrypt with private key
1200964: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200965: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200966: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200967: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200968: Dec 1 15:19:15.124 GMT: %HTTPS: SSL read fail (-6992)
1200969: Dec 1 15:19:23.550 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1201104: Dec 1 15:28:18.234 GMT: %HTTPS: SSL read fail (-6992)

I can connect to the router via a browser using HTTPS and the pages appear correctly; however, the messages above still appear in the debug output.

Can anyone shed any light on what is or isn't happening?

Andy

1 Reply

I have been looking into this a bit more today as I have had some free time. I have zeroized the crypto key, removed the trustpoint and all certificates associated with it, and regenerated the RSA keypair (general-usage key, modulus 1024). I have then attempted to use SDM again and it still fails when discovering the router, at the point where it reads the crypto configuration. So it is the same behaviour whether there is an enrolled certificate or a self-signed one, therefore eliminating my CA and the certificate template.

I am convinced this is a 12.4(22)T bug or new feature. Does anyone else have experience with 12.4(22)T and crypto/IPS with SDM 2.5?

Andy
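The rebuild Andy describes in his reply (zeroize the key, drop the trustpoint, regenerate the keypair, retry SDM), written out as an IOS CLI session. This is an added example, not taken from the post or from Cisco documentation; the trustpoint and key label SDM-TP, the hostname r877.example.net and the use of a self-signed certificate are assumptions for the example, and the modulus is raised from the 1024 bits in the post to 2048 because 1024-bit RSA is below current minimums. Pinning the HTTPS server to a named trustpoint with ip http secure-trustpoint removes any doubt about which certificate it presents, which separates a certificate problem from an SDM/IOS problem.

```cisco
! Trustpoint/key label SDM-TP and hostname r877.example.net are assumed.
configure terminal
 ! 1. Remove the old key and the trustpoint that carried the CA-issued cert.
 !    Answer "yes" to the prompts that delete the associated certificates.
 crypto key zeroize rsa SDM-TP
 no crypto pki trustpoint SDM-TP
 !
 ! 2. Regenerate a general-purpose RSA key. The post used modulus 1024;
 !    2048 is the usual minimum today.
 crypto key generate rsa general-keys label SDM-TP modulus 2048
 !
 ! 3. Self-signed trustpoint bound to that key (the "no CA" case from the reply).
 crypto pki trustpoint SDM-TP
  enrollment selfsigned
  subject-name CN=r877.example.net
  rsakeypair SDM-TP
  exit
 crypto pki enroll SDM-TP
 !
 ! 4. Make the HTTPS server use this trustpoint explicitly.
 ip http secure-server
 ip http secure-trustpoint SDM-TP
end
!
! 5. Verify what HTTPS will present before retrying SDM.
show crypto key mypubkey rsa
show crypto pki certificates verbose SDM-TP
show ip http server secure status
!
! 6. Narrow the debugs to the TLS/PKI path instead of all crypto + HTTP.
debug ip http ssl error
debug crypto pki transactions
```

For the CA-enrolled variant, replace enrollment selfsigned with enrollment url pointing at the SCEP endpoint, run crypto pki authenticate SDM-TP to fetch the CA certificate, then crypto pki enroll SDM-TP; the verbose certificate output is where to confirm that the issued certificate actually carries the Server Authentication extended key usage the template was modified to add.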
