Client authentication problem with ACE module

May 13th, 2009
I'm trying to configure SSL client authentication in the ACE module. The config looks like this:

crypto authgroup CLI_AUTHENTICATION
  cert CA

ssl-proxy service SSL-test
  cert cert.pem
  key key.pem

The config works ok, without the client authentication feature.

The CA cert is a CA certificate that signed the test user certificate.

When I tried to connect via IE, the browser asked me which certificate I'd like to use, but when I chose the correct one, I received the information that the session could not be established.

I've checked the logs on the ACE, but there is no information about SSL problems.

I've also tried to use "debug ssl all", but it does not return any output.

Does anybody know why it could not work?

Thanks in advance

sachinga.hcl Wed, 05/13/2009 - 17:40

Hi Luckaszk,

Which mode are you using: routed, bridged or one-arm? Kindly tell. Also, have you configured a chaingroup and parameter map for the same?

It is not clear from your config, and it is not sufficient to comment on right now.

Can you send the output of the following commands so I can suggest more on your config:

ACE-1/routed# show crypto files
ACE-1/routed# show crypto certificate all
ACE-1/routed# show crypto key all
ACE-1/routed# show crypto session
ACE-1/routed# show crypto hardware
ACE-1/routed# show service-policy detail

Kindly find below the SSL config example:

All examples:

Sachin Garg

lukaszkhalil Thu, 05/21/2009 - 05:19
I'm using the routed mode. I've configured the chaingroup as below:

crypto chaingroup test
  cert CA

What parameter-map are you talking about? I have not found any information that it is required.

The rest of the outputs are attached.

litrenta (Cisco Employee) Tue, 05/19/2009 - 11:51

Do "show stats crypto server" before and after the client attempt to see which counter increments (ssl alert). Make sure the clock on the supervisor has the correct date to avoid the not before / not after check of the cert.
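
The before/after comparison suggested above can be done mechanically. The following is an added example, not part of the thread or of any Cisco tooling: it diffs two saved snapshots of "show stats crypto server" and reports only the counters that changed. The "name: value" line layout is an assumption, and the counter names in the sample snapshots are constructed placeholders, not output from this thread.

```python
import re

# Assumed layout: one counter per line as "name: value".
# Banner/separator lines (starting with "+") and anything else are ignored.
COUNTER_RE = re.compile(r"^\s*(?P<name>[^+:][^:]*?)\s*:\s*(?P<value>\d+)\s*$")

def parse_counters(text):
    """Return {counter name: int} for every 'name: value' line in a snapshot."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters

def changed_counters(before, after):
    """Return {name: delta} for counters whose value differs between snapshots.

    A counter that only appears in the 'after' snapshot is treated as
    having started at 0.
    """
    old, new = parse_counters(before), parse_counters(after)
    return {name: new[name] - old.get(name, 0)
            for name in new if new[name] != old.get(name, 0)}

# Constructed sample snapshots (placeholder counter names and values).
BEFORE = """\
+---- Crypto server alert statistics ----+
SSL alert HANDSHAKE_FAILURE rcvd:          0
SSL alert BAD_CERTIFICATE sent:            3
SSL alert UNKNOWN_CA sent:                 0
Total SSL client authentications:         12
"""
AFTER = """\
+---- Crypto server alert statistics ----+
SSL alert HANDSHAKE_FAILURE rcvd:          1
SSL alert BAD_CERTIFICATE sent:            3
SSL alert UNKNOWN_CA sent:                 1
Total SSL client authentications:         12
"""

if __name__ == "__main__":
    for name, delta in sorted(changed_counters(BEFORE, AFTER).items()):
        print(f"{delta:+d}  {name}")
```

Run it with the two captured outputs in place of the constructed snapshots; only the counters that moved during the single client attempt are listed.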

lukaszkhalil Thu, 05/21/2009 - 05:47
I've done the test, and it seems that I hit two alerts



Is there any method, other than sniffing, to check what is wrong with this handshake?

I'm attaching the whole output before and after the attempt
