Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

revocation check problem

Hi,

I have an IPsec VPN module on 7606 router. Authentication is based on digital certificate.  But there is a problem with revocation check. When revocation check is set to CRL, VPN connection fails when router try to get crl from web server. Debugging output is shown by the follow:

E ../cert-c/source/crlobj.c(384) : Error #705h

CRYPTO_PKI: status = 1797: failed to set crl ber

CRYPTO_PKI: transaction Unknown completed

CRYPTO_PKI: Poll CRL callback

CRYPTO_PKI:  Blocking chain verification callback received status: 105

CRYPTO_PKI: Certificate not validated

When revocation check is set to none, VPN connection established successfully.

thanks,

Hedyeh

8 REPLIES
Cisco Employee

Re: revocation check problem

Hedyeh,

Can you attach a decode of that certificate you're receiving? Can you show certificate on 7600 side?

What version are you running on the 7600?

Which debugs did you enable?

deb cry pk m

deb cry pki t

(If available) deb cry pki v

Those would be the ones to enable.

Marcin

New Member

Re: revocation check problem

Marcin,

do you men CRL or certificate? there is no problem with certificate, because with this certificate without revocation check VPN connection estableshid, also with the another certificates there is same problem.

....#show debugging
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Crypto Key Management Interface debugging is on
PKI:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
Crypto PKI callbacks debugging is on
verbose debug output debugging is on
Crypto PKI Certificate Server debugging is on
.....#deb
....#debug cr
....#debug crypto pk
....#debug crypto pki ?
API           PKI API
callbacks     PKI callbacks
messages      PKI Input/Output Messages
server        CA Server
transactions  PKI transactions

Cisco Employee

Re: revocation check problem

Hedyah,

Well whole certificate would be interesting but indeed I want to know what CDPs are specified and what the CA is. What software are you running on the 7600.

To see if we're making a request we could also try to debug TCP, but not if we're already connecting via telnet/ssh to get logs.

Marcin

New Member

Re: revocation check problem

Marcin,

IOS version: s72033-adventerprisek9_wan-mz.122-33.SRA7

Cisco Employee

Re: revocation check problem

Well I did a quick check for bugs, but I have to say I'd need more info... SRA is old on top

Can you show me the CDPs from certificates? Do they contain DNS names or only IP addresses?

Does SRA have "optional" under crl?

Marcin

New Member

Re: revocation check problem

Dear  Marcin,

I'm really appreciate for your attention. I'm sorry for hiding some information it's because of our security policies.

....#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 0095
Certificate Usage: General Purpose
Issuer:
    cn=......
    ou=......
    o=.....
    l=.....
    st=.....
    c=.....
Subject:
    Name: .......
    IP Address: .......
Serial Number: 0001AE14
    serialNumber=1AE14+ipaddress=.....+hostname=.......
    cn=.....
CRL Distribution Points:
http://10.3.71.1/crl.crl
Validity Date:
    start date: 08:40:01  May 3 2010
    end   date: 09:40:01  May 3 2011

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Not Set
Issuer:
    cn=...
    ou=...
    o=...
    l=...
    st=...
    c=...
Subject:
    cn=....
    ou=...
    o=....
    l=....
    st=....
    c=...
Validity Date:
    start date: 20:21:10  May 18 2008
    end   date: 20:21:10  May 23 2011

///////////////////////////////

R-7606-1(ca-trustpoint)#revocation-check crl ?
none  Ignore revocation check
ocsp  Revocation check by OCSP

//////////////////////////////////////////////

/////part of debugging output

CRYPTO_PKI: Retreive CRL using HTTP URI

CRYPTO_PKI: status = 0: poll CRL

CRYPTO_PKI: locked trustpoint ....., refcount is 1

CRYPTO_PKI: can not resolve server name/IP address

CRYPTO_PKI: Using unresolved IP Address 10.3.71.1

CRYPTO_PKI: http connection opened

CRYPTO_PKI: unlocked trustpoint ....., refcount is 0

CRYPTO_PKI: locked trustpoint ....., refcount is 1

CRYPTO_PKI: unlocked trustpoint ..., refcount is 0

CRYPTO_PKI: HTTP response header:

HTTP/1.1 200 OK

Content-Length: 1763

Content-Type: application/pkix-crl

Last-Modified: Tue, 12 Oct 2010 06:28:52 GMT

Accept-Ranges: bytes

ETag: "3c981bdd669cb1:1d2"

Server: Microsoft-IIS/6.0

Date: Mon, 18 Oct 2010 10:07:19 GMT

Connection: close

1441276: Oct 18 13:37:19.961 : CRYPTO_PKI: CRL data

     2D 2D 2D 2D 2D 42 45 47 49 4E 20 58 35 30 39 20

     43 52 4C 2D 2D 2D 2D 2D 0A 4D 49 49 45 37 6A 43

     ....

     ....

     57 31 62 42 6A 45 51 39 71 6B 71 0A 2D 2D 2D 2D

     2D 45 4E 44 20 58 35 30 39 20 43 52 4C 2D 2D 2D

     2D 2D 0A                                          

E ../cert-c/source/crlobj.c(384) : Error #705h

CRYPTO_PKI: status = 1797: failed to set crl ber

CRYPTO_PKI: transaction Unknown completed

CRYPTO_PKI: Poll CRL callback

CRYPTO_PKI:  Blocking chain verification callback received status: 105

CRYPTO_PKI: Certificate not validated

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 78.129.167.95 is bad: certificate invalid

ISAKMP:(68730):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(68730):Old State = IKE_R_MM5  New State = IKE_R_MM5

////

again i remind certificate is ok

thanks,

Hedyeh

Cisco Employee

Re: revocation check problem

Hedyeh,

Please decode that CRL. If you're sure cert is valid, we need to see what's inside that CRL.

We'd also need a decode of presented cert not our cert (yet).

Marcin

New Member

revocation check problem

Hello Hedyeh,

I am facing the same problem. Have you found any solution back then?

Thanks,

Narcis

1686
Views
0
Helpful
8
Replies
CreatePlease to create content