Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Certificate on router and SDM access?

I have a 877 router running the latest 12.4(22)T Advanced IP Services. I have an issue using SDM over HTTPS where the IPS module fails to work. If I connect over HTTP with SDM it does work. Previously I had 12.4(15)T7 and SDM over HTTPS worked perfectly.

The router has a certificate installed from a Microsoft Windows 2003 Enterprise CA with the SCEP addon istalled. The IPSec (offline request) template has been modified to include 'Server Authentication'. I have debugged crypto & HTTP and the following messages seem to indicate a certificate issue:

1200960: Dec 1 15:19:03.540 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200961: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200962: Dec 1 15:19:14.892 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200963: Dec 1 15:19:14.892 GMT: crypto_engine: Decrypt with private key

1200964: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200965: Dec 1 15:19:14.896 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200966: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[1] does not accept the capabilities

1200967: Dec 1 15:19:14.932 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1200968: Dec 1 15:19:15.124 GMT: %HTTPS: SSL read fail (-6992)

1200969: Dec 1 15:19:23.550 GMT: select crypto engine: ce_engine[3] does not accept the capabilities

1201104: Dec 1 15:28:18.234 GMT: %HTTPS: SSL read fail (-6992)

I can connect to the router via a browser using HTTPS and the pages appear correctly, however the messages appear in debug as above.

Can anyone shed any light on what is or isn't happening?

Andy

1 REPLY

Re: Certificate on router and SDM access?

I have been looking into this a bit more today as I have had some free time. I have zeroized the crypto key, removed the trustpoint and all certificates associated with it and regenerated the RSA keypair (general-usage-key modulus 1024). I have then attempted to use SDM again and it still fails when discovering the router at the point where it reads the crypto configuration. So it is the same behaviour whether there is an enrolled certificate or a self-signed one, therefore eliminating my CA and the Certificate template.

I am convinced this is a 12.4(22)T bug or new feature. Has anyone else experience with 12.4(22)T and Crypto/IPS with SDM 2.5?

Andy

935
Views
0
Helpful
1
Replies
CreatePlease to create content