Cisco Routers :: SA540 And SSL Certificate From DigiCert?
Jan 26, 2012

Installing an SSL certificate from DigiCert on an SA540 router? The SSL certificate is a wildcard variant (*.example.com).
We have a Cisco SA540. It has been an extremely reliable UTM router. Other than SSL VPN not working for Mac OS X, we are very pleased with the unit. We have a 3-year contract for IPS, a 3-year contract for Trend Micro ProtectLink Web, and a 3-year contract for Small Business Support Service for the unit. Right now we are trying to set up the VIP functionality, but it is not going very well. To sum it up in a few words, we cannot get the SA540 to prompt the SSL VPN users to enter the 6-digit access code.

We set up an account at Verisign and requested a trial for VIP. They promptly set up the trial account. Getting everything set up was a breeze. The Verisign website is very well documented. They even had specific instructions for Cisco SA500 Series routers!!! We were very impressed with Verisign's implementation. We are able to get our SA540 to talk to Verisign (basically, when we activate or deactivate an SSL VPN VIP user in the SA540 web GUI, you can immediately see it enabling or disabling the user on the Verisign website... it is very cool). Unfortunately, no matter what we do, we cannot get the SA540 to prompt the SSL VPN user to enter the one-time 6-digit code. In this case, we are using Verisign's iPhone app called 'VIP Access'.

I called into the SBSC and talked to a guy. I felt really bad for him. He used WebEx to log into my desktop and I showed, and explained, to him how all of it worked (setting up VIP in the SA540 web GUI, as well as the Verisign website). He had no clue about Verisign, VIP, or the two-factor authentication concept at all. I told him that he needed to escalate my case to the SA500 Series team, but of course he had to try. He was supposed to call me back yesterday or today. I am sure he is dreading calling me back as he probably still has no clue.

How do we use the VIP functionality? Or how does it work, and how do we set it up? We would like to at least get it to work before our 30-day trial period is up. I have a distinct feeling that the functionality used to work, but Cisco hasn't kept up the firmware with all the latest back-end API calls to Verisign, or something similar.
We require UPnP (mainly for an in-house built FTP server app that uses UPnP to dynamically open/close ports for passive FTP mode) and have found its implementation in the SA540 is unreliable. Sometimes UPnP works after a reboot, sometimes it doesn't. When it does work after a reboot it will eventually stop working. Going into the web GUI and turning UPnP off and back on always fixes it for a while.

Is this a known issue with the SA500 Series routers? We had an RV220W deployed first, but its UPnP implementation was even more unreliable. That said, it seems that the latest beta firmware version for the RV220W has fixed the issue. Could it be that the same fix needs to be applied to the SA540? I was planning on opening a case with the CSBC at some point like I did with the RV220W, but I'd rather not spend the time doing so if this is a known issue.
I want to build a "hub and spoke" topology for one of my clients. For the "HUB", I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120s. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using the Cisco VPN client, or QuickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and read documentation, but at the moment I haven't found the answer to my question: is this topology suitable with the chosen hardware?
We have just purchased a license L-PL-GW-100MAX-3= Protect Link Gateway: Unlimited Web + 100 Max Email Seats, 3YR. I found that it does not include an IPS license. I cannot find anywhere where I can purchase an IPS license for the SA540 gateway. It seems to be available only as a bundled product when purchasing the hardware.
Looking for routing with an SA540 router connecting to a corporate VPN. We have an odd configuration that is beyond the scope of what I have configured previously with these devices. I am trying to configure the routing to the additional IP addresses listed for the HQ. The VPN tunnel between the .26.120.x and the .17.0.0 networks is built, however it does not appear to be routing. The Cisco administrator at the HQ site says that they have "fully configured the routing" from all the listed IP addresses back through the VPN tunnel. The options I am unsure of for configuration of the SA540 router are: GW - I believe that I use the internal IP address of the 17.26.120.x router. Is this logical given the VPN tunnel? We are using NAT for the firewall internally. The existing 3 172.26.x.x VPN tunnels are live and working and fully routing between themselves.
I hope this is an easy question: in the WAN profile of our SA540 I have IP aliases configured for a block of IP addresses we have. The active 2 IP addresses plugged into the actual RoadRunner modem respond fine to ping; the other three I have programmed to the WAN interface are not responding as I would think they should. Have I overlooked something? The "Block IP on WAN Interface" option is disabled and pings back fine.
I went through the install procedure outlined in the ProtectLink Gateway install manual and I activated the ProtectLink Web product through Trend Micro (which shows up through their web site as a registered product to me). It still doesn't show up as installed on the SA540 (under the Administration/License Management screen). When I try to activate the product again, it shows as "Already registered". Trend has no idea why it won't work. They said Cisco sold the license, so try their support.
I'm trying to figure out why recipients of emails from my company show that the mail is coming from our dedicated WAN IP instead of the IP alias set up through the dedicated WAN. The external IP address for the SA540, WAN1 (no optional interface), is 82.134.79.122. The IP alias is 62.97.213.156. mail. unitec hsubsea. com resolves to 62.97.213.156 for external DNS, yet it is reporting as 82.134.79.122 for some recipients. The mail server was never set up with the 82.134.79.122 IP, so I don't think this is a DNS cache issue. What issue in the SA540 would cause the system to show mail as coming from 82.134.79.122 instead of the IP alias 62.97.213.156?
Is it possible to re-route our site-to-site VPN over our static route (T1) if the WAN fails?
Is AnyConnect supported on the SA540? I have installed it on my Android phone, however I keep getting the error "Unable to process data received from secure gateway" when trying to connect. If AnyConnect is supported on the SA540, how do I get it working?
There is an ASA with remote access VPN, and users are authenticated using third-party signed certificates (the CA is not local on the ASA). When a user certificate expires I can see it in syslog messages. For example:
 
     %ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
 
I would like to know if there is a way to view a user's certificate expiry date beforehand, say, 3 days before?
How do I install an SSL key + certificate on our SR520 from the CLI? I have found the following document.
 
[URL]
 
I basically have the following files that I need to install:
 
Key file:
domainname.key
Certificate files:
AddTrustExternalCARoot.crt
[Code].....
When I try to export an SSL certificate for a client I get an https .CSR file instead of the .PEM file. So, I can't update the client computer with the correct certificate.

Firmware: 1.0.2.6
I am working on ISE 1.1.1; surprisingly, I couldn't find the certificate authority certificate under certificate operations anymore.

Is this a change in the GUI? So where can I now import the CA certificate into ISE?
The RV042 router is giving out the router certificate instead of the server certificate. Outlook Anywhere is failing and we are receiving certificate errors for any secure site behind this firewall. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the server's certificate. Firmware Version: 1.3.13.02-tm. I don't see any updates for that hardware. I do have it working on an RV042 with the same firmware at a different location. How do we turn that off or keep it from happening?

Output from a test site:

Attempting to resolve the host name xxxx in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host xxxx to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server xxxx on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78, Issuer: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it
Additional Details
Host name xxxx doesn't match any name found on the server certificate SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
When I access setup on an RV220W with Internet Explorer, Mozilla or Safari the following message always displays:
 
"There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address."
 
I access the router by clicking on "Continue to this website (not recommended)."
 
This also happens anytime a URL filter is triggered by a client. I.e., clients do not see the "Blocked by Cisco Firewall" message unless they also click on the "Continue to this website (not recommended)." option.
 
Even worse, when I attempt to connect as a VPN, the SSL VPN applet gets a Java "connection refused". This is why I bought this thing!
 
What do I need to do to fix all these certificate related errors?
Just installed an RV042 router. It's giving out the router certificate instead of the server certificate, so people who are trying to access our secured server are getting errors. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the server's certificate. How do we turn that off or keep it from happening?

The RV042 firmware version is v4.0.0.07-tm (Aug 19 2010 19:19:50)
How do I create a new unique self-signed certificate on an RV120W? I can create a request for signing by an external CA, but I cannot create a new unique self-signed certificate itself.
WRVS4400N: where is the server certificate located, to get the VPN client to work?
When I attempt to export the certificate for the QuickVPN client via the router web interface, it looks as if the export works, and it asks me to save the zip file. However, upon opening the zip file I receive the error: "The compressed folder is invalid or corrupted."
 
This happens in multiple browsers, from multiple machines.
I like to use "URL Blocking" with keywords in the firewall properties. When I activate this feature, I get errors from the router certificate when I browse to any site on the Internet. Is there a way to manage this problem without using a public certificate?
RV180W-Firmware-1.0.1.9
The establishment of an IPsec tunnel between the RV220 and the QuickVPN client works properly with the router's original security certificate.

RV220 V1.0.3.5
QuickVPN V1.4.2.1

Since creating a self-signed security certificate, the RV220 and the QuickVPN client refuse to work together.

Here is the log of the QuickVPN client:
2011/09/27 12:45:14 [STATUS]OS Version: Windows 7
2011/09/27 12:45:14 [STATUS]Windows Firewall Domain Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
2011/09/27 12:45:14 [STATUS]Windows Firewall Private Profile Settings: ON
[code].....
For some reason this RV082 (code level v2.0.2.01-tm-20110308) has generated an SSL cert that is not valid until 2022?

How do I regenerate the cert with a valid date?

SSL Certificate - Future Start Date
The SSL certificate is not valid before Mar  3 06:51:27 2022 GMT:
Subject          : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California
Issuer           : CN=00:0c:41:92:41:71, OU=RV082, O=Cisco-Linksys, LLC, C=US, L=Irvine, SN=California
Not valid before : Mar  3 06:51:27 2022 GMT
Not valid after .
I have set the RV042 up for QuickVPN access. The router config recommends turning HTTPS on in the firewall when using QuickVPN. The side effect of this is that any web browser throws me certificate errors and warns me not to continue logging in to the router's config. How do I fix this so the browser does not throw these messages?
 
Router is Linksys-branded, using latest firmware for this hardware (1.3.13.02-tm)
After a day of troubleshooting I have finally got the QuickVPN client to work. I connect, however during the connection I get: "Server's certificate doesn't exist on your local computer. Do you want to quit this connection?" I click no and it connects fine other than this error. So how do I get rid of this error? Also, I have exported the client certificate from the RV110 and put it in the QuickVPN directory as I saw suggested elsewhere.
Here is my log:
 
2011/12/21 00:39:44 [STATUS]Connecting...
2011/12/21 00:39:44 [DEBUG]Input VPN Server Address = ***.***.***
2011/12/21 00:39:45 [STATUS]Connecting to remote gateway with IP address: **.**.**.***
2011/12/21 00:39:50 [WARNING]Server's certificate doesn't exist on your local computer.
2011/12/21 00:39:56 [STATUS]Remote gateway was reached by https ...
[code]....
I was connected to my RV042 via remote management / browser, and tried to add VPN clients. I generated a new certificate and then I clicked on "export for clients". By doing this, the remote management disconnected and I cannot access the router anymore.

How can I get the new .pem file remotely? Do I have to make somebody turn the unit off and on to get back remote access??

P.S.: after turning it off and on I tried the same steps again: every time I click on "export for admin" or "export for client", this kills the remote management and the unit must be hard reset. Now: how do I get the newly created client certificate off that unit?? Otherwise I will have to drive 350 km just to grep that file?!?!
I do not have a valid SSL Certificate on my firewall but I want to use SSLVPN.
 
If I connect to the IP address and the SSL VPN portal I can choose the SSL client launcher, but after that I get an error that I need a 64-bit Internet Explorer, or that the ActiveX was blocked because of an unsecure publisher.
I recently replaced my RV042 with an RV042G. I did an export of the RV042 config and used the Config Migration Tool to upgrade the file to v3 (I had an old v1 RV042). When I first logged in to the RV042G it was quite happy and I imported the config file successfully. After installing the RV042G in my system it fired up and worked perfectly. Unfortunately, when I now try to log in via the web interface it comes up with 'Invalid Site Certificate' each time. I've tried importing the certificate but that does not work as it is flagged as invalid. All I can assume is I have either imported the original RV042 certificate as part of the config, or importing the config has corrupted the original RV042G site certificate. I assume this is a generic issue and not specific to the RV042G, as I have had this problem before but cannot remember how I solved it. The bottom line would be a hard reset and loading all my settings manually, but I can't spare the time just now.
I bought a new WRVS4400n recently because it had Gigabit speed, wireless N and a built-in VPN server. The device works perfectly except for the QuickVPN client. I'm a system engineer, so I thought I could set it up quite easily just like any other device I configured in the past. Painful, but it isn't like this.

I set up the VPN on the WRVS4400n and generated a certificate. I saved both the client and admin certificates to my PC; I gave them a name to easily tell the difference between the two of them. When placing the certificate in the installed QuickVPN folder, it doesn't seem to get recognised by the QuickVPN software. When I try to connect, it says 'Server's certificate doesn't exist on your local computer'. I guess the naming convention must meet some kind of format, is that correct? If so, this should have been described in the documentation.

Besides that, I checked if the required ports used by the VPN server are open on the public port of the device; that is the case. So it seems I'm quite close to getting it working.
 
The version of QuickVPN I used is 1.4.2.1.  The WRVS4400n has the latest firmware loaded.
We have done the site-to-site VPN between a Fortinet and a Cisco SA540. Everything is configured at both ends but the tunnel is not established.
I installed a new SA540 and configured some NAT rules for my Exchange server. Everything worked fine until I did a firmware upgrade. Now the NAT rules won't work on my dedicated WAN. On the optional WAN (load balancing) the NAT rules work fine.
I have tried to establish a VPN connection from an iPad (via the iPad's built-in VPN client) to an SA540, unfortunately without any results. I get the message "Server is not responding". (A VPN connection from a normal software client running on W7 works fine.)