PIX PDM/CA Problem
moinseoul
Member Posts: 6 ■□□□□□□□□□
I have configured a PIX506E to use certificates from a Microsoft CA for a site-to-site VPN. Generating RSA keys, either General or Usage, works. Authenticating the CA and enrolling the PIX with the CA have no problems. I save the certificates and write the configuration to memory. VPN works without any problems. However, after enrolling with the CA, connectivity to the PIX Device Manager (PDM) is lost. If I zeroize the RSA keys, I regain connectivity to the PDM, but lose the VPN!
Both the PIX and PDM are the latest releases the PIX 506E support.
Any suggestions?
Comments
mikej412 Member Posts: 10,086 ■■■■■■■■■■
Are you saying you can't access the PDM from the same IP address that worked (and was allowed access before, but now might be "interesting traffic" and is being sent through the tunnel) before the VPN, or are you saying you can't access the PDM from a new VPN address (that probably hasn't been configured for PDM access)?
:mike: Cisco Certifications -- Collect the Entire Set!
moinseoul Member Posts: 6 ■□□□□□□□□□
I have set up the PDM to be reached from both the inside and outside interfaces using IP addresses both inside and outside the VPN address range. It seems that as soon as I enroll with the CA the present PDM session isn't dropped, but if I close it and try to reconnect it won't.
Setup is as follows:
....................Router
Router -- Router -- Router ---- PIX - PDM
.................../...........\..|../............................................../........\
..............Inside........Outside....................................Outside.....Inside
................./................|............................................./...............\
172.16.0.0/24.....192.168.0.0/24.....................10.0.0.0/24.........172.16.1.0/24
...........|......................|...................................................................|
.........PC A................PC B.............................................................PC C
VPN is from the 172.16.0.0/24 to the 172.16.1.0/24 network.
I can connect from PC B and PC C. Haven't tried from PC A.
I will try removing the VPN all together and see if I get the same results.
Thanks,
Les
moinseoul Member Posts: 6 ■□□□□□□□□□
Even if I remove the VPN configuration, I still can't connect to the PDM on any interface. It isn't until I zeroize the RSA keys or remove the CA certificates that I can reconnect with the PDM.
mikej412 Member Posts: 10,086 ■■■■■■■■■■
Have you gone through the Troubleshooting PIX Device Manager document on the Cisco web site?
You're connecting using https? You've made sure the date and time are set correctly?
:mike: Cisco Certifications -- Collect the Entire Set!
moinseoul Member Posts: 6 ■□□□□□□□□□
I went through the Troubleshooting Guide again. The last line of the guide says: "If all else fails, ..." run sh tech & debug ssl.
debug ssl output:
SSL: Unable to load private key
76332600B080074509 certificate routines:X509_check_private_key:key values mismatch509_cmp.c:279:
SSL: Unable to load private key
76418360B080074509 certificate routines:X509_check_private_key:key values mismatch509_cmp.c:279:
That helps. Time to search the forums!
Thanks.
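As an added example, not from the thread or from Cisco: the "key values mismatch" line above is OpenSSL's X509_check_private_key refusing a certificate whose public key does not belong to the private key it was paired with. The same check can be run offline with the openssl CLI against a PEM certificate and RSA private key exported from the device or CA under test (cert_key_match below); the keys and certificate the helper generates are constructed throwaway test material.

```shell
#!/bin/sh
# Added example: does an X.509 certificate's public key belong to a given RSA
# private key? For RSA, matching moduli means the key pair is the same one.
# Requires the openssl CLI.

cert_key_match() {
    # $1 = PEM certificate, $2 = PEM RSA private key.
    # Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

make_test_material() {
    # Constructed test data in directory $1: a self-signed certificate with
    # the key it was issued for (key_a) and an unrelated key (key_b).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key_a.pem" \
        -out "$1/cert_a.pem" -subj "/CN=constructed-test" -days 1 >/dev/null 2>&1
    openssl genrsa -out "$1/key_b.pem" 2048 >/dev/null 2>&1
}

# Stand-alone demonstration: the second call reproduces the mismatch case.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_material "$d"
    if cert_key_match "$d/cert_a.pem" "$d/key_a.pem"; then echo "cert_a/key_a: match"; fi
    if cert_key_match "$d/cert_a.pem" "$d/key_b.pem"; then :; else echo "cert_a/key_b: key values mismatch"; fi
    rm -rf "$d"
fi
```

Call cert_key_match inside an `if` when running under `set -e`, since a mismatch is reported as a non-zero exit status.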
moinseoul Member Posts: 6 ■□□□□□□□□□
I eventually tracked the problem down to the CA server. I was using an Enterprise CA server instead of a Stand-Alone CA server.
Thanks for the help.
Les