PIX PDM/CA Problem
moinseoul
I have configured a PIX506E to use certificates from a Microsoft CA for a site-to-site VPN. Generating RSA keys, either General or Usage, works. Authenticating the CA and enrolling the PIX with the CA have no problems. I save the certificates and write the configuration to memory. VPN works without any problems. However, after enrolling with the CA, connectivity to the PIX Device Manager (PDM) is lost. If I zeroize the RSA keys, I regain connectivity to the PDM, but lose the VPN!
Both the PIX and PDM are the latest releases the PIX 506E support.
Any suggestions?
Comments
mikej412
Are you saying you can't access the PDM from the same IP address that worked (and was allowed access before, but now might be "interesting traffic" and is being sent through the tunnel) before the VPN, or are you saying you can't access the PDM from a new VPN address (that probably hasn't been configured for PDM access)?
moinseoul
I have set up the PDM to be reached from both the inside and outside interfaces using IP addresses both inside and outside the VPN address range. It seems that as soon as I enroll with the CA the present PDM session isn't dropped, but if I close it and try to reconnect it won't.
Setup is as follows:

                Router
Router -- Router -- Router ---- PIX - PDM
  /          \   |   /              /      \
Inside     Outside                Outside  Inside
  /            |                   /          \
172.16.0.0/24  192.168.0.0/24   10.0.0.0/24  172.16.1.0/24
   |               |                            |
  PC A            PC B                         PC C
VPN is from the 172.16.0.0/24 to the 172.16.1.0/24 network.
I can connect from PC B and PC C. Haven't tried from PC A.
I will try removing the VPN all together and see if I get the same results.
Thanks,
Les
moinseoul
Even if I remove the VPN configuration altogether, I still can't connect to the PDM on any interface. It isn't until I zeroize the RSA keys or remove the CA certificates that I can reconnect with the PDM.
mikej412
Have you gone through the "Troubleshooting PIX Device Manager" document on the Cisco web site?
You're connecting using https? You've made sure the date and time is set correctly?
moinseoul
I went through the Troubleshooting Guide again. The last line of the guide says: "If all else fails, ..." run "sh tech" & "debug ssl".

"debug ssl" output:
SSL: Unable to load private key
7633260
0B080074
509 certificate routines:X509_check_private_key:key values mismatch
509_cmp.c:279:
SSL: Unable to load private key
7641836
0B080074
509 certificate routines:X509_check_private_key:key values mismatch
509_cmp.c:279:
That helps. Time to search the forums!
Thanks.
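The "X509_check_private_key: key values mismatch" lines above mean the device's SSL server is trying to pair the certificate it was issued with an RSA private key whose public half does not match it. The same check can be done off-box on any exported certificate and key with the openssl CLI. The script below is an added example for this thread, not something posted by the original participants or shipped by Cisco; it assumes a POSIX shell and the openssl command, and builds its own throwaway lab key pair plus an unrelated key so the match and mismatch cases can both be seen.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a certificate and a
# private key belong together, which is exactly what X509_check_private_key
# tests before an SSL server (such as the PDM's HTTPS listener) will start.
# Assumes the openssl CLI is installed.

# SHA-256 fingerprint of the public key carried inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public half derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the key matches the certificate, 1 when it does not
# (the "key values mismatch" condition from the debug output).
key_matches_cert() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Constructed lab material: one RSA key with a self-signed certificate issued
# for it, plus a second, unrelated RSA key. Sets LAB to the temp directory.
make_lab() {
    LAB=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/pix.key" \
        -out "$LAB/pix.crt" -subj "/CN=pix-lab" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$LAB/other.key" >/dev/null 2>&1
}

# Stand-alone use: ./check.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "match: $2 is the private key for $1"
    else
        echo "mismatch: $2 is not the private key for $1"
    fi
fi
```

Comparing fingerprints of the DER-encoded public keys (rather than moduli printed as text) keeps the check identical for RSA and for other key types. On the PIX the corresponding on-box view is the key and certificate the device holds after enrollment; re-generating the RSA key after enrolling, or enrolling against a CA that re-issues the certificate for a different key, produces the mismatch shown in the debug output.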
moinseoul
I eventually tracked the problem down to the CA server. I was using an Enterprise CA server instead of a Stand-Alone CA server.
Thanks for the help.
Les