12-01-2008 07:27 AM - edited 03-06-2019 02:44 AM
I have an 877 router running the latest 12.4(22)T Advanced IP Services. I have an issue using SDM over HTTPS where the IPS module fails to work. If I connect over HTTP with SDM it does work. Previously I had 12.4(15)T7 and SDM over HTTPS worked perfectly.
The router has a certificate installed from a Microsoft Windows 2003 Enterprise CA with the SCEP add-on installed. The IPSec (offline request) template has been modified to include 'Server Authentication'. I have debugged crypto and HTTP, and the following messages seem to indicate a certificate issue:
1200960: Dec 1 15:19:03.540 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200961: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200962: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200963: Dec 1 15:19:14.892 GMT: crypto_engine: Decrypt with private key
1200964: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200965: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200966: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[1] does not accept the capabilities
1200967: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1200968: Dec 1 15:19:15.124 GMT: %HTTPS: SSL read fail (-6992)
1200969: Dec 1 15:19:23.550 GMT: select crypto engine: ce_engine[3] does not accept the capabilities
1201104: Dec 1 15:28:18.234 GMT: %HTTPS: SSL read fail (-6992)
I can connect to the router via a browser using HTTPS and the pages appear correctly, however the messages appear in debug as above.
Can anyone shed any light on what is or isn't happening?
Andy
12-05-2008 06:05 AM
I have been looking into this a bit more today as I have had some free time. I have zeroized the crypto key, removed the trustpoint and all certificates associated with it and regenerated the RSA keypair (general-usage-key modulus 1024). I have then attempted to use SDM again and it still fails when discovering the router at the point where it reads the crypto configuration. So it is the same behaviour whether there is an enrolled certificate or a self-signed one, therefore eliminating my CA and the Certificate template.
I am convinced this is a 12.4(22)T bug or new feature. Does anyone else have experience with 12.4(22)T and Crypto/IPS with SDM 2.5?
Andy
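The rebuild sequence the post describes (zeroize the keys, drop the trustpoint, regenerate the keypair, then retest HTTPS), written out as an IOS configuration. This is an added example, not configuration from the poster or from Cisco; the names HTTPS-KEY, HTTPS-TP, TP-self-signed-1 and router.example.net are placeholders, and it uses a 2048-bit modulus where the post used 1024, so that the self-signed certificate is not rejected outright by current browsers.

```cisco
! Added example (not from the original post). Placeholders: HTTPS-KEY, HTTPS-TP,
! TP-self-signed-1 (the auto-generated trustpoint name varies per router),
! router.example.net.
configure terminal
!
! 1. Remove every RSA keypair on the box (this also removes the SSH host key,
!    so be on the console or on a session you can afford to lose) and the old
!    trustpoint together with its certificates. Both commands ask for confirmation.
crypto key zeroize rsa
no crypto pki trustpoint TP-self-signed-1
!
! 2. Generate a dedicated general-purpose keypair for the HTTPS server.
!    2048 bits is an assumption of this example; the post used modulus 1024.
crypto key generate rsa general-keys label HTTPS-KEY modulus 2048
!
! 3. Self-signed trustpoint bound explicitly to that keypair.
crypto pki trustpoint HTTPS-TP
 enrollment selfsigned
 subject-name CN=router.example.net
 rsakeypair HTTPS-KEY
 exit
crypto pki enroll HTTPS-TP
!
! 4. Point the HTTPS server at this trustpoint instead of whatever it picks by default.
ip http secure-server
ip http secure-trustpoint HTTPS-TP
end
!
! 5. Verify the certificate the server will present, then watch the handshake
!    while SDM (or a browser) connects.
show crypto pki certificates HTTPS-TP
show ip http server secure status
debug ip http ssl error
debug crypto pki transactions
```

If the "SSL read fail" message still appears with this minimal self-signed setup, the CA, the SCEP enrollment and the certificate template are out of the picture, which is the conclusion the second post reaches; compare the client side at the same moment (browser error, SDM log) before blaming the IOS release.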