Cisco VPN :: 3825 - VPN Client Is Giving Error And Unable To Create Certificate Enrollment Request
Feb 21, 2011
We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an
"Error 42: Unable to create certificate enrollment request"
when we attempt to use the Online enrollment method to create and enroll a new certificate. We have set 3-High for all logs, and there is no additional information in the VPN client logs. In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
To create and enroll a certificate we do the following:
1. Click on the Enroll button to show the Certificate Enrollment dialog
2. Select Online
3. Select <New> for Certificate Authority
4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
5. Click Next to display the dialog where we can enter certificate details
6. Enter details in all fields except IP Address and Domain
7. Click Enroll which shows a dialog with the Error 42 ... message in it.
If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrollment request. The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
I work in a lab testing interoperability between Avaya and Cisco VoIP products. I am setting up an environment to test Avaya 96x1 phones with VPN using SCEP going through an ASA 5510 to a backend IP PBX.
Environment: Windows Server 2008 R2 Enterprise Edition, AD with DNS, NDES; Cisco ASA 5510 running 9.0(1)
I would like to setup certificate enrollment between a Windows Server 2008 R2 and a Cisco ASA 5510. Here are the commands that I use for the Cisco ASA 5510:
crypto key generate rsa modulus 2048
crypto ca trustpoint ASA5510-trust
 enrollment url http://10.129.112.20/certsrv/mscep/mscep.dll
 enrollment retry period 5
 enrollment retry count 3
 password Interop123
 exit
crypto ca authenticate ASA5510-trust
crypto ca enroll ASA5510-trust
Everything works as expected until I try to enroll. There is no prompt for the enrollment password and the certificate request is denied.
ciscoasa(config)# crypto ca enroll ASA5510-trust
%
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: ciscoasa.avayasil.avaya.com
% Include the device serial number in the subject name? [yes/no]: No
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
ciscoasa(config)# The certificate enrollment request was denied by CA!
Why isn't there a prompt for the enrollment password? BTW, if I set "enforcepassword" to "0" in the Windows registry, then it works.
When I attempt to export the certificate for the quickvpn client via the router web interface, it looks as if the export works, and it asks me to save the zip file. However, upon opening the zip file I receive the error: The compressed folder is invalid or corrupted.
This happens in multiple browsers, from multiple machines.
In order to authenticate wireless users with EAP-TLS or PEAP-MSCHAPv2, what should I select the key length and digest to sign with? 2048 and SHA256 combination should work?
The RV042 router is giving out the router certificate instead of the server certificate. Outlook Anywhere is failing and we are receiving certificate errors for any secure site behind this firewall. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the server's certificate. Firmware Version: 1.3.13.02-tm. I don't see any updates for that hardware. I do have it working on an RV042 with the same firmware at a different location. How do we turn that off or keep it from happening?
Output from a test site:
Attempting to resolve the host name xxxx in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host xxxx to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server xxxx on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78, Issuer: SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
Validating the certificate name.
Certificate name validation failed.
Additional Details
Host name xxxx doesn't match any name found on the server certificate SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", OU=RV042, CN=68:ef:bd:b8:0f:78.
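The ExRCA output above fails for two independent reasons: the subject CN is the device's MAC address rather than the requested host name, and issuer equals subject, so the certificate is self-signed. The following script, added here as an example and not part of the original post, reproduces a client's name check against that subject string (the host name is a constructed placeholder, since the post redacts it as xxxx) and also handles SAN entries and single-label wildcards, which the post's RV042 certificate does not have:

```python
"""Explain why a TLS client rejects a certificate for a given host name.

Added example, not code from the original post. The subject string is the one
ExRCA printed in the post; 'mail.example.com' is a constructed stand-in for the
redacted host name xxxx.
"""

# Subject and issuer exactly as reported by ExRCA in the post (identical strings).
RV042_SUBJECT = ('SN=California, L=Irvine, C=US, O="Cisco-Linksys, LLC", '
                 'OU=RV042, CN=68:ef:bd:b8:0f:78')
RV042_ISSUER = RV042_SUBJECT


def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN into {ATTR: value}; commas inside quotes are kept."""
    parts, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, they are not part of the value
        elif ch == ',' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    attrs = {}
    for part in parts:
        key, _, value = part.strip().partition('=')
        if key:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def _name_matches(host: str, name: str) -> bool:
    """Exact match, or a wildcard that replaces exactly the left-most label (RFC 6125)."""
    if name.startswith('*.'):
        h, n = host.split('.'), name.split('.')
        return len(h) == len(n) and h[0] != '' and h[1:] == n[1:]
    return host == name


def hostname_matches(hostname: str, subject: str, sans: tuple = ()) -> bool:
    """Check SAN dNSNames when present; fall back to the subject CN only when there are none."""
    host = hostname.lower().rstrip('.')
    names = [n.lower() for n in sans] or [parse_dn(subject).get('CN', '').lower()]
    return any(_name_matches(host, n) for n in names if n)


def is_self_signed(subject: str, issuer: str) -> bool:
    return parse_dn(subject) == parse_dn(issuer)


def diagnose(hostname: str, subject: str, issuer: str, sans: tuple = ()) -> list:
    """Return the reasons a client would refuse this certificate for `hostname`."""
    problems = []
    if not hostname_matches(hostname, subject, sans):
        presented = sans or (parse_dn(subject).get('CN'),)
        problems.append(f'name mismatch: {hostname!r} is not among {presented}')
    if is_self_signed(subject, issuer):
        problems.append('self-signed: issuer equals subject, so no trusted CA vouches for it')
    return problems


if __name__ == '__main__':
    for problem in diagnose('mail.example.com', RV042_SUBJECT, RV042_ISSUER):
        print(problem)
```

The first problem is the one ExRCA reports ("Certificate name validation failed"); the second would surface on any client that got past the name check, because a device certificate signed by the device itself chains to nothing in the client's trust store.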
I have a pair of ACS appliances running 5.1 code. The appliances are set up as a replicated pair. I have valid local and trusted certificate authority certificates on the primary.
The trusted certificate authority certificate gets replicated to the secondary. Obviously the local certificate doesn't get replicated. I need to generate a certificate signing request on the secondary but it doesn't seem to allow you to do it.
Just installed an RV042 router, and it's giving out the router certificate instead of the server certificate, so people who are trying to access our secured server are getting errors. I'm not talking about remote management. I'm talking about people trying to access our web site, which is secured, and getting an error because the RV042 is giving its own SSL certificate instead of the server's certificate. How do we turn that off or keep it from happening?
The RV042 firmware version is v4.0.0.07-tm (Aug 19 2010 19:19:50)
Up to today I used Verizon 4G to a Windows Vista box running Internet Connection Sharing to get my home lab connected to the Internet. All was working well.
Today I had Hughesnet come and install their service and I can no longer get access to the Internet from my PC network. My VPN to my office for my IP phone comes up and works just fine. At the router I do have Internet access, which then leads me to believe that my problem is NAT related.
My router is a 2851.
When I enter ping 4.2.2.2 I get !!!!!, but when I enter ping 4.2.2.2 source 192.168.69.3 I get .....
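The symptom in the post (a ping succeeds from the router's own WAN address and fails when sourced from an inside address) is what an IOS router shows when no translation is applied to inside traffic. A minimal NAT-overload configuration for a router in this position follows, added here as an example and not taken from the poster's 2851; the interface names, the 192.168.69.0/24 inside network and a DHCP-assigned WAN address are assumptions:

```cisco
! Added example; interface names, the inside subnet and DHCP on the WAN are assumptions.
interface GigabitEthernet0/0
 description WAN to Hughesnet modem
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 description inside LAN
 ip address 192.168.69.1 255.255.255.0
 ip nat inside
!
ip access-list standard NAT-INSIDE
 permit 192.168.69.0 0.0.0.255
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
! verification from enable mode:
!   ping 4.2.2.2 source 192.168.69.1
!   show ip nat statistics      (lists which interfaces are inside/outside and hit counts)
!   show ip nat translations    (should show a 192.168.69.x -> WAN-address entry while the ping runs)
```

When the WAN moves to a new interface, as it did in the post, the old interface may still be the only one marked `ip nat outside`; `show ip nat statistics` shows which interfaces NAT is actually bound to and whether the translation counters move at all.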
How do I create a new unique self-signed certificate on the RV120W? I can create a request for signing by an external CA, but I cannot create a new unique self-signed certificate itself.
I have a 3825 configured as an EZVPN server with 881 routers as clients. One issue I am seeing is that sessions don't seem to time out, such as when a peer's public IP changes. show crypto isakmp peer shows the same host (using device certificates for authentication) with multiple public IPs establishing sessions. I have ISAKMP keepalives configured on the router.
I have been unable to access a frequently used website (by me) for well over a week. Every time I attempt access I get this error message:
"Error 400 Bad Request
Bad Request
XID: 865749824
O: web
GN: ch-sc-bb-shield1
The web server is responding too slowly to service your request. Please try again later."
PC clone, 4GB, Windows 7 64-bit. Is it possible that my 64-bit version is at fault? I have had some problems with it since I upgraded from the 32-bit version.
I'm working on a Dell Vostro 220s running Windows XP with an integrated NIC. It had a few hundred viruses on it and after removing them, I can't get an internet connection. The icon says connected with 0 packets sent and 0 packets received. DHCP is enabled and other computers on the network can connect to the internet. The drivers are installed and detected as working properly. I have rebooted also, with no luck. Ipconfig fails with the error "An Internal error occurred: The request is not supported."
I had been working on our client servers through Cisco VPN using an internet datacard. But for the past 3 weeks, after logging into Cisco VPN using my username/password, when I try to connect to any of the servers, it is giving a connection timed out error.
Whereas, my team members across other locations are able to connect to the servers using my VPN username/password.
I thought there might be some issue with my laptop or internet datacard. I got my laptop formatted, and even tried fresh new laptops and new internet datacards, but the issue remains the same.
I have tried using vpn_5.0.06.0160-k9 & vpnclient-5.0.05.0290-k9 to connect but issue did not get resolved.
I'm trying to connect two routers, a Cisco DPC3825 (r1) and a DIR-655 (r2), and at the end I get the error. I have disabled the SPI firewall on r1 and connected an Ethernet cable LAN to LAN between the two. I don't want to confuse things with whatever mess I have made previously; tell me step by step what I should do to connect these two routers. PS: in addition, the gateway IP of r1 is 192.168.0.1 with subnet mask 255.255.254.0 and the gateway IP of r2 is 192.168.0.2 with subnet mask 255.255.255.0. r1 has an IP range of 192.168.0.10 to 192.168.0.128 while r2 has a range of 192.168.0.100 to 192.168.0.199.
After a successful installation of NCS 1.2 into a VMware environment and running the setup, I get the following error while trying to start NCS or get its status (ncs start or ncs status):
sh: /opt/CSCOlumos/bin/wcsadmin.sh: No such file or directory
I have a WiFi printer connected to a CAPWAP Cisco AP (AP1250). I am using WPA2-PSK to connect to this AP. I find that the printer connects to the AP at times and at other times it does not. I captured an error on the backend controller of the network: "Authentication Request received invalid RSN IE Mismatch WP2 algorithm"
The problem is that one of the clients loses the connection to the network from time to time. The error in the WLC log is
*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70
I am currently on the Time Warner Cable 10 Mbps package, and am using their wireless DOCSIS 3 modem/router. It is connected in my bedroom to the main computer. That computer stays connected. However, throughout the rest of the house (we have a two-story townhome) it will drop completely or give limited connection, constantly. Sometimes I can have my laptop next to me and it will go out or give limited connection. The connection speed never drops; it just goes completely to no connection. Not sure what is going on, whether it's on my end or Time Warner's. It has been doing this for quite some time; the cable company comes out and changes the modem, but that's it, and a couple of days later it goes back to doing it again.
I have an 1841 that was working fine. I could SSH to it with my RADIUS login and console into it with local credentials ("Fred"). I added another user ("Mike") with priv 15 so the end user could log in locally via console if needed. After that, we can both log in via console, but when we try to enter privileged mode we get "% Error in Authentication", before even entering the password. I can still log in via RADIUS SSH with no problems and access privileged mode via SSH. What am I missing so we can have two different users be able to log in locally with different credentials and access privileged mode, and keep my SSH RADIUS working?
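"% Error in Authentication" at the enable prompt commonly means the method list used for enable authentication could not reach a decision, for instance because RADIUS holds no $enab15$ account and no fallback method (or no enable secret) is configured. One AAA layout that keeps RADIUS for SSH and local accounts for the console, and gives both local users a working path into privileged mode, is shown below as an added example; it is not the poster's running configuration, and the server address, key and secrets are placeholders:

```cisco
! Added example, not the poster's configuration; RADIUS address, key and secrets are placeholders.
aaa new-model
enable secret <strong-enable-secret>
username Fred privilege 15 secret <Fred-secret>
username Mike privilege 15 secret <Mike-secret>
!
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <radius-key>
aaa group server radius ACS
 server 10.0.0.5 auth-port 1812 acct-port 1813
!
! login: RADIUS first, local users if RADIUS is unreachable
aaa authentication login default group ACS local
! enable: RADIUS ($enab15$) first, then the local enable secret
aaa authentication enable default group ACS enable
! privilege-15 users land in privileged mode directly, no enable prompt
aaa authorization exec default group ACS local
aaa authorization console
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
```

The `aaa authorization exec ... local` line plus `aaa authorization console` is what lets a locally defined privilege-15 user skip the enable prompt on the console; without it, the console user is placed at privilege 1 and `enable` is authenticated by the enable method list, which must end in a method that can actually succeed for that user.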
I'm trying to do some basic troubleshooting on our WiSMs. Some clients on a working network are unable to connect in the afternoons; debugging the client on the WiSM shows this message:
*apfMsConnTask_2: Dec 05 14:23:44.018: Association request from the P2P Client Process P2P Ie and Upadte CB
It keeps repeating with the Task_X changing. What does that mean? We have two controllers in our 6500s running software version 7.3.101.0.
I'm using the Cisco 837 router as my VPN server. I get connected using Cisco VPN Client version 5. But when I ping the router IP, I get request timed out. Here is my configuration:
Building configuration...
Current configuration : 3704 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
After formatting the CF, the router is able to see the flash without a problem. I copied files to the flash and am still able to see the contents okay. The problem is that if I restart the router with the new flash, I get this error:
Jan 22 17:44:12.454 MSK: %SYS-5-CONFIG_I: Configured from console by bt_admin on vty0 (10.10.10.44)
Jan 22 17:45:41.847 MSK: %SYS-5-RELOAD: Reload requested by bt_admin on vty0 (10.10.10.44). Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
I have a Cisco 3825 router. It is being restarted automatically and gives the message "System returned to ROM by bus error at PC 0x6125DCFC, address 0x15A3C78B" in show ver.
We're seeing "OutDiscard" error on a LAN switch connected to newly migrated Cisco IP phones. All the other error counters are clean except for the OutDiscard. (please see attached "show int count err" output.) [URL].
According to the link above, the common cause of such discards can be freeing up buffer space. (Am I seeing a switch buffer issue?) How do I identify/resolve the cause of the OutDiscard? The switch is a 3750-E running c3750e-universalk9-mz.122-44.SE6.bin.
I was using the internet on my Acer Windows 7 system over wireless just fine on Monday. I tried to use it on Tuesday and could not connect to the internet wirelessly any longer. I get an error message next to my network stating "The settings saved on this computer do not match the requirements of the network". I have never encountered this kind of problem before. I proceeded to call Comcast, who did all kinds of trivial beginner troubleshooting such as restart the router, restart the modem, turn the computer off and on.
The error message "5405 RADIUS Request dropped", what does it mean? We have implemented 802.1X on a C4506 switch running IOS 12.2(53); it has worked fine for about 3 months but now I get users not able to authenticate. In the logs on the ACS I get the above message.
I've got a problem with my mail server since I migrated to an ASA 5510. The server is in a DMZ with a private IP (10.x.x.2) and it is translated to a public IP (194.x.x.65). Some users receive in their mailbox a system administrator error message: Object: Impossible to deliver: test. Your message could not be delivered to one or more of its recipients: 421 SMTP connection went away! When they try to resend it some time later, the message is sent without problem.
I have 2 datacenters running the same equipment (two Nexus 5596 with FEX). I just took a look at the log to see if everything is OK and I saw that I have the same error message (many times) at both locations:
%SYSMGR-FEX100-5-HEARTBEAT_LOSS: Service "satctrl" heartbeat loss 2 ,max 7
I thought it was a problem with my peer-link keepalive connection, but I see the word FEX, so I'm not sure.
Note that at both locations, my Nexus switches are connected back to back through the management port using transceivers. So it's a copper cable from the first Nexus, going into a transceiver, going to another transceiver in fiber and then back to copper to the other Nexus.
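Several posts on this page quote Cisco syslog lines of the `%FACILITY-SEVERITY-MNEMONIC:` form (the WLC DOT1X message, the IOS CONFIG_I and RELOAD lines, the NX-OS FEX heartbeat message). The script below, added here as an example and not code from any of the posts, parses that format generically, pulls out the client MAC or source IP when the message body carries one, and flags messages at severity 3 (error) or worse, which is the first filter an operator applies before reading a log by hand. The sample lines are the ones quoted above; the severity threshold is my own choice.

```python
"""Parse Cisco IOS / WLC / NX-OS syslog lines (%FACILITY-SEVERITY-MNEMONIC: text).

Added example, not code from the original posts. LOG_LINES are the messages
quoted on this page; the alert threshold (severity <= 3) is an assumption.
"""
import re
from collections import Counter

LOG_LINES = [
    "*Dot1x_NW_MsgTask_0: Jul 06 17:42:38.934: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: "
    "1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in "
    "START state - invalid secure bit; KeyLen 24, Key type 1, client 00:21:6a:af:be:70",
    "Jan 22 17:44:12.454 MSK: %SYS-5-CONFIG_I: Configured from console by bt_admin on vty0 (10.10.10.44)",
    "Jan 22 17:45:41.847 MSK: %SYS-5-RELOAD: Reload requested by bt_admin on vty0 (10.10.10.44). "
    "Reload Reason: Reload Command.",
    '%SYSMGR-FEX100-5-HEARTBEAT_LOSS: Service "satctrl" heartbeat loss 2 ,max 7',
]

SEVERITY_NAMES = {0: 'emergency', 1: 'alert', 2: 'critical', 3: 'error',
                  4: 'warning', 5: 'notification', 6: 'informational', 7: 'debugging'}

# Optional task prefix ("*apfMsConnTask_2: "), optional "Mon DD hh:mm:ss.mmm [ZONE]:" timestamp,
# then %FACILITY-SEV-MNEMONIC: body. The facility may itself contain dashes (NX-OS "SYSMGR-FEX100").
_MSG_RE = re.compile(
    r'^(?:\*?(?P<task>[A-Za-z0-9_]+):\s+)?'
    r'(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?: [A-Z]{3})?:\s+)?'
    r'%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*'
    r'(?P<text>.*)$')
_MAC_RE = re.compile(r'\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b')
_IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


def parse_line(line: str):
    """Return a dict of fields for a syslog line, or None if it is not in the Cisco format."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['severity'] = int(rec['severity'])
    rec['severity_name'] = SEVERITY_NAMES[rec['severity']]
    mac = _MAC_RE.search(rec['text'])
    ip = _IP_RE.search(rec['text'])
    rec['client_mac'] = mac.group(1).lower() if mac else None
    rec['source_ip'] = ip.group(1) if ip else None
    return rec


def summarize(lines, alert_at: int = 3) -> dict:
    """Count messages per (facility, mnemonic); list those at severity <= alert_at
    (0 is most severe) together with the MAC or IP they name, for escalation."""
    counts, alerts, unparsed = Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        key = (rec['facility'], rec['mnemonic'])
        counts[key] += 1
        if rec['severity'] <= alert_at:
            alerts.append((key, rec['client_mac'] or rec['source_ip']))
    return {'counts': dict(counts), 'alerts': alerts, 'unparsed': unparsed}


if __name__ == '__main__':
    report = summarize(LOG_LINES)
    for key, n in report['counts'].items():
        print(f'{n:3d}  %{key[0]}-{key[1]}')
    for key, who in report['alerts']:
        print('ALERT', key, who)
```

Only the DOT1X line crosses the threshold; the CONFIG_I, RELOAD and HEARTBEAT_LOSS messages are severity 5 (notification), which is why the FEX heartbeat message fills a log without by itself indicating a fault.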
Just bought my first wireless router. When I insert the CD and start setup, after a few seconds I get Error 301: internal error. I have rebooted and still no luck. I've tried going to 192.168.1.1; I got in one time but didn't understand half the stuff. Now I can't get back into that page.
I have a situation where a specific unit on my network is booting using BOOTP.The unit is connected to a stack of two Cat3750X switches running IOS 12.2(55)SE1. The server and client is on the same VLAN on the same physical switch, so it is purely L2 between the server and client. The BOOTP server is a computer running a specific software connected to the switch. There is no DHCP server on the switch. IP-helper is not configured on the switch.
If I do a monitor session on the client port I can see the BOOTP request packet enter the switch; however, this packet is never flooded out of any ports in the switch, so the BOOTP server never receives the request. I have tested the server and client in a cheap dumb switch and there it is working just fine. Regular DHCP requests are flooded correctly. It appears that there is something in the client's BOOTP request that is not correct, since the Cisco switch apparently discards the packet.
Are there any BOOTP gurus that can have a look at the attached (Wireshark) BOOTP client request and perhaps determine if it is in fact malformed? Why is the switch not flooding the packet? What is the meaning of the BOOTP broadcast flag in a client boot request?
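The broadcast flag (the top bit of the 16-bit flags field, RFC 1542 section 3.1.1) is set by a client that cannot yet receive unicast IP datagrams before it has an address; it asks the server or relay agent to broadcast the reply instead of unicasting it to yiaddr. It says nothing about how the request itself is forwarded, and a transparently switched Ethernet broadcast should be flooded regardless of it unless a feature such as DHCP snooping is inspecting the payload. The attached capture is not on this page, so the script below, added as an example and not code from the original post, builds a BOOTREQUEST from a made-up MAC address, decodes the fixed header, and applies the checks a relay, server or snooping switch would apply (including the chaddr-versus-frame-source comparison that DHCP-snooping MAC verification enforces):

```python
"""Decode a BOOTP/DHCP client request and report fields a relay, server or
snooping switch could reject (RFC 951, RFC 1542, RFC 2131).

Added example, not code from the original post. The request is constructed
from a made-up MAC address because the attached capture is not on this page.
"""
import struct
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1
FLAG_BROADCAST = 0x8000              # RFC 1542 3.1.1; the other 15 flag bits MUST be zero
DHCP_MAGIC = b'\x63\x82\x53\x63'     # RFC 2131 magic cookie at the start of the vendor area
HEADER_FMT = '!BBBBIHH4s4s4s4s16s64s128s'
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236 bytes: op..file
BOOTP_VENDOR_LEN = 64                      # classic BOOTP vendor area, 300-byte packet in total


def build_bootrequest(mac: bytes, xid: int, broadcast: bool = True, secs: int = 0,
                      vendor: bytes = b'\x00' * BOOTP_VENDOR_LEN) -> bytes:
    """Client BOOTREQUEST with all address fields zero, as a host sends it while booting."""
    flags = FLAG_BROADCAST if broadcast else 0
    zero4 = b'\x00' * 4
    return struct.pack(HEADER_FMT, BOOTREQUEST, HTYPE_ETHERNET, len(mac), 0, xid, secs, flags,
                       zero4, zero4, zero4, zero4, mac.ljust(16, b'\x00'),
                       b'\x00' * 64, b'\x00' * 128) + vendor


def parse_bootp(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header; the vendor area (DHCP options) is left raw."""
    if len(pkt) < HEADER_LEN:
        raise ValueError(f'packet too short for a BOOTP header: {len(pkt)} < {HEADER_LEN}')
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    vendor = pkt[HEADER_LEN:]
    dotted = lambda b: '.'.join(str(x) for x in b)
    return {
        'op': op, 'htype': htype, 'hlen': hlen, 'hops': hops, 'xid': xid, 'secs': secs,
        'broadcast': bool(flags & FLAG_BROADCAST),
        'reserved_flags': flags & 0x7FFF,
        'ciaddr': dotted(ciaddr), 'yiaddr': dotted(yiaddr),
        'siaddr': dotted(siaddr), 'giaddr': dotted(giaddr),
        'chaddr': ':'.join(f'{b:02x}' for b in chaddr[:hlen]),
        'sname': sname.split(b'\x00', 1)[0].decode(errors='replace'),
        'file': file.split(b'\x00', 1)[0].decode(errors='replace'),
        'is_dhcp': vendor.startswith(DHCP_MAGIC),
        'vendor_len': len(vendor),
    }


def check_request(pkt: bytes, frame_src_mac: Optional[str] = None) -> list:
    """Problems with a client request as a relay/server/snooping switch would see them.
    An empty list means well-formed. frame_src_mac is the Ethernet source, if known."""
    p = parse_bootp(pkt)
    problems = []
    if p['op'] != BOOTREQUEST:
        problems.append(f"op={p['op']}, expected BOOTREQUEST (1)")
    if p['htype'] == HTYPE_ETHERNET and p['hlen'] != 6:
        problems.append(f"hlen={p['hlen']} with htype Ethernet (expected 6)")
    if p['hops'] != 0:
        problems.append('hops must be 0 when sent by the client (relays increment it)')
    if p['reserved_flags']:
        problems.append(f"reserved flag bits set: 0x{p['reserved_flags']:04x} (RFC 1542 requires zero)")
    if p['ciaddr'] != '0.0.0.0' and p['broadcast']:
        problems.append('broadcast flag set although the client claims an address in ciaddr')
    if not p['is_dhcp'] and p['vendor_len'] < BOOTP_VENDOR_LEN:
        problems.append(f"vendor area is {p['vendor_len']} bytes; plain BOOTP expects "
                        f"{BOOTP_VENDOR_LEN} (300-byte packet)")
    if frame_src_mac and frame_src_mac.lower() != p['chaddr']:
        problems.append(f"chaddr {p['chaddr']} differs from frame source {frame_src_mac}; "
                        'DHCP-snooping MAC verification drops such requests')
    return problems


if __name__ == '__main__':
    req = build_bootrequest(bytes.fromhex('001122334455'), xid=0x2A2A2A2A)   # made-up MAC
    for key, value in parse_bootp(req).items():
        print(f'{key:>15}: {value}')
    print('problems:', check_request(req, frame_src_mac='00:11:22:33:44:55') or 'none')
```

To apply it to the real capture, export the BOOTP payload from Wireshark (Export Packet Bytes on the Bootstrap Protocol layer) and pass those bytes to `check_request` together with the frame's source MAC; a request that passes every check here and is still not flooded points at the switch's handling of the frame rather than at the BOOTP content.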
The day before yesterday my laptop [Dell Studio] suddenly stopped working and I had to shut it down forcefully. Then I logged in again but my wireless was not working. I googled solutions and tried to start the WLAN AutoConfig service, but it throws an error: 1053: The service did not respond to the start or control request in a timely manner. I have Windows 7 installed on my system. Suddenly the speed of my laptop has reduced drastically; now it takes almost 12 minutes to start instead of 2. I have also removed some lines from the registry as mentioned in the website below as a resolution, but it is not working. Unable to connect to wireless networks on a Windows 7 Enterprise laptop. I don't have the OS [operating system] CD, as it was pre-installed on my laptop when I bought it.
Trying to connect two systems together, but it gives an error saying contact the network administrator. One system is a laptop with wireless and the other is a desktop connected through a cable, but running Windows XP.
Samson
I bought a Belkin N150 recently. I tried to configure it with my ISP. They were surprised that I don't have a DHCP option in the WiFi configuration and asked me to upgrade my firmware. I downloaded the firmware from [URL] and tried to upgrade. It shows a file format error.