Core issue

On a VPN Concentrator that uses a CA server for the authentication of VPN Clients, this log message indicates that the VPN Client is not authenticated even if the certification validation is successful. This is because the time on the VPN Concentrator and the time on the CA server are too far out of sync.

    1407 10/18/2006 15:09:56.900 SEV=5 IKE/79 RPT=13 10.1.1.28

    Group [ipseccert]

    Validation of certificate successful

    (CN=client2, SN=040DF7E8000000000010)

    1409 10/18/2006 15:09:56.900 SEV=7 IKEDBG/0 RPT=9259 10.1.1.28

    Group [ipseccert]

    peer ID type 9 received (DER_ASN1_DN)

The Cisco VPN client also shows the "unexpected software error" error message indicated here:

     277  16:57:49.328 10/18/06 Sev=Warning/2  IKE/0xE30000A5

     Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator Navigator:2046)

    This is because the time on the VPN Concentrator and the time on the CA server are too far out of sync.

Resolution

In order to resolve this issue, ensure that the time is configured properly on both the VPN Concentrator and the CA server. The use of Network Time Protocol (NTP) on both the VPN Conentrator and the CA server allows you to keep time in sync.

Clocks in many devices tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and events are accurate. Digital certificates, for example, carry a timestamp that determines a time frame for their validity. An inaccurate time or date can prevent connection.

Refer to the NTP Servers in order to configure NTP.

Refer to Network Time Protocol: Best Practices White Paper for more infomation on NTP.