I have an 877 router running the latest 12.4(22)T Advanced IP Services. I have an issue using SDM over HTTPS where the IPS module fails to work. If I connect over HTTP with SDM it does work. Previously I had 12.4(15)T7 and SDM over HTTPS worked perfectly.
The router has a certificate installed from a Microsoft Windows 2003 Enterprise CA with the SCEP add-on installed. The IPSec (offline request) template has been modified to include 'Server Authentication'. I have debugged crypto & HTTP and the following messages seem to indicate a certificate issue:
1200960: Dec 1 15:19:03.540 GMT: select crypto engine: ce_engine does not accept the capabilities
1200961: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine does not accept the capabilities
1200962: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine does not accept the capabilities
1200963: Dec 1 15:19:14.892 GMT: crypto_engine: Decrypt with private key
1200964: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine does not accept the capabilities
1200965: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine does not accept the capabilities
1200966: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine does not accept the capabilities
1200967: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine does not accept the capabilities
1200968: Dec 1 15:19:15.124 GMT: %HTTPS: SSL read fail (-6992)
1200969: Dec 1 15:19:23.550 GMT: select crypto engine: ce_engine does not accept the capabilities
1201104: Dec 1 15:28:18.234 GMT: %HTTPS: SSL read fail (-6992)
I can connect to the router via a browser using HTTPS and the pages appear correctly, however the messages appear in debug as above.
Can anyone shed any light on what is or isn't happening?
I have been looking into this a bit more today as I have had some free time. I have zeroized the crypto key, removed the trustpoint and all certificates associated with it and regenerated the RSA keypair (general-usage-key modulus 1024). I have then attempted to use SDM again and it still fails when discovering the router at the point where it reads the crypto configuration. So it is the same behaviour whether there is an enrolled certificate or a self-signed one, therefore eliminating my CA and the Certificate template.
I am convinced this is a 12.4(22)T bug or new feature. Does anyone else have experience with 12.4(22)T and Crypto/IPS with SDM 2.5?