Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
344
Views
0
Helpful
1
Replies

VPN Concentrator and Windows 2000 Server CA

CRISTIAN LACATUS
Level 1
Level 1

‎02-03-2006 06:57 PM

Hello

I have a VPN 3005 concentrator, running image version 4.1.7.F

A Windows 2000 Server is configured as CA with SCEP. Cisco routers and firewalls can authenticate the CA, enroll, request and retrieve certificates using SCEP. The CA is reachable via URL http://x.x.x.x/certsrv/mscep/mscep.dll . The CA was configured without password.

All seemed to work well, until I connect the VPN 3000 concentrator

The CA is installed on the public side of the concentrator. I want to install a certificate for CA via SCEP (menu: Admin, Certificate Management, Enroll). The operation fails with this message

“An error has occurred while attempting to perform the operation. Error retrieving certificates: Invalid HTTP response.”

Just to make sure the filter applied to outside interface does not stop traffic, I applied the default Private filter (permit any in and out) to the public interface.

The CA authentication continues to fail.

Syslog messages

1 12/04/2005 18:53:26.300 SEV=7 CLIENT/28 RPT=2

CLIENT_InitiateRequest(66f1c78, 3)

2 12/04/2005 18:53:26.300 SEV=7 CLIENT/29 RPT=2

CLIENT_BuildReq(66f1c78, 3)

3 12/04/2005 18:53:26.300 SEV=7 CLIENT/37 RPT=2

CLIENT_OpenFilter(66f1c78, 3)

4 12/04/2005 18:53:26.300 SEV=7 CLIENT/30 RPT=2

CLIENT_SendReq(66f1c78, 3)

5 12/04/2005 18:53:26.300 SEV=9 CLIENT/21 RPT=2

HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert HTTP/1.0

6 12/04/2005 18:53:26.500 SEV=7 CLIENT/31 RPT=15

CLIENT_RcvResp(66f1c78, 3)

7 12/04/2005 18:53:26.500 SEV=8 CLIENT/18 RPT=1

Waiting for remainder of HTTP header

8 12/04/2005 18:53:26.500 SEV=7 CLIENT/33 RPT=15

CLIENT_ProcSvrData(66f1c78, 3)

9 12/04/2005 18:53:26.500 SEV=9 CLIENT/24 RPT=15

Number of bytes still needed: unknown

10 12/04/2005 18:53:36.300 SEV=7 CLIENT/32 RPT=1

CLIENT_Timeout(66f1c78, 3)

11 12/04/2005 18:53:36.300 SEV=4 CLIENT/7 RPT=3

Transaction timed out

12 12/04/2005 18:53:36.300 SEV=7 CLIENT/34 RPT=2

CLIENT_BuildResponse(66f1c78, 3)

13 12/04/2005 18:53:36.300 SEV=7 CLIENT/35 RPT=2

CLIENT_Callback(66f1c78, 3)

14 12/04/2005 18:53:36.300 SEV=4 CERT/73 RPT=4

An error occurred during the transport of the SCEP message via HTTP.

See the CLIENT event class for more information.

16 12/04/2005 18:53:36.310 SEV=7 CLIENT/36 RPT=2

CLIENT_Cleanup(66f1c78, 3)

An Ethereal capture taken on the CA server shows the VPN opening an HTTP session, and trying to “GET /certsrv/mscep/mscep.dll?operation=GetCACert HTTP/1.0”. The CA server responds with a TCP FIN.

I wonder if somebody had similar problems.

Thank you,

Cristian

Labels:
0 Helpful
1 Reply 1

CRISTIAN LACATUS
Level 1
Level 1

‎02-06-2006 10:19 AM

Hello

I resolved my problem.

In the SCEP enrolment page I did not specify the CA descriptor name. The text beside the CA descriptor field is “Required for some PKI configurations” – it is definitely required for Microsoft SCEP implementation.

VPN 3000 does an HTTP GET command against the Windows 2000 server

*** Good request (I specified the CA descriptor) ***

110 12/07/2005 12:23:58.940 SEV=9 CLIENT/21 RPT=4

HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert&message=myca HTTP/1.0

*** Bad request (CA descriptor field empty) ***

78 12/07/2005 12:20:07.620 SEV=9 CLIENT/21 RPT=2

HTTP client sending GET /certsrv/mscep/mscep.dll?operation=GetCACert HTTP/1.0

Note how the “operation” parameter sent to mscep.dll changes.

Thank you,

Cristian

0 Helpful
Customers Also Viewed These Support Documents