KB ID 0001279
Problem
We had a firewall fail at work this week; as part of the rebuild the latest OS was put on it, version 9.7(1). I thought no more about it until I tried to VPN in and got this:
I used my Windows 10 VM and that connected fine; only my MacBook could not connect, and this VPN tunnel is a big deal, I need it to get onto clients' networks. I tried my other VPN connections and every one was fine, only the recently rebuilt one didn't work. I've seen OSX throw a wobbly with AnyConnect in the past, so I did a complete uninstall, deleted the /opt/cisco folder and put on the latest version (4.4.00243 at time of writing); no change.
VPN
Connection attempt has failed due to server communication errors. Please retry the connection
A look in the client message history showed me this:
Connection attempt has failed.
No valid certificates available for authentication.
I checked my certificates and the certificate on the firewall; both of them (and the certificate chain) were fine.
Debugging AnyConnect gave NO OUTPUT at all, but debugging SSL showed me this:
[box]
Petes-ASA# debug ssl 255
debug ssl enabled at level 255.
Petes-ASA# error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
[/box]
Try Googling that and getting a result! In fact that’s probably what brought you here.
Solution
If you change a Cisco OS and things like this stop working, normally it's because they've dropped support for something that's got a security hole in it. In the wake of the POODLE exploit I assumed it was an SSL/TLS version problem, but that wasn't it.
I was in the right ballpark though; a bit of lateral thinking, plus SSL cipher problems I've had with ASDM, made me think: what if it's SHA1 that's been dropped, because everyone is dropping SHA1 as it's the hashing algorithm of Satan?
Well, as soon as I added the SHA1 ciphers back in, everything started working again!
[box]
Petes-ASA(config)# ssl encryption aes256-sha1 aes128-sha1
WARNING: This command has been deprecated; use 'ssl cipher' instead.
INFO: Converting to: ssl cipher default custom "AES256-SHA:AES128-SHA"
INFO: Converting to: ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
INFO: Converting to: ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
[/box]
Disclaimer: SHA1 is bad; where practical, all cert ciphers should be at least SHA256.
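To see why the handshake above fails outright rather than degrading, here is an added example (not from the article, and not Cisco's code) that models server-preference cipher negotiation on the OpenSSL-style names the ASA prints in its "Converting to:" lines. The server and client lists are constructed samples; the "SHA256-only post-upgrade default" is an assumption standing in for whatever 9.7(1) shipped, not a documented value.

```python
"""Cipher-suite overlap check using OpenSSL-style names such as 'AES256-SHA'.

Added example, not from the original article. A TLS server that uses its own
preference order walks its list and takes the first suite the client also
offered; an empty intersection means SSL_accept fails, which is the symptom
the 'debug ssl 255' output above shows repeatedly.
"""
import ssl

SHA1_SUFFIX = "-SHA"        # CBC suites with HMAC-SHA1, e.g. AES256-SHA, AES128-SHA
SHA256_SUFFIX = "-SHA256"   # e.g. AES256-SHA256 (the disclaimer's preferred minimum)


def parse_cipher_string(s):
    """Split a colon-separated cipher string (as in ssl cipher ... custom "...")."""
    return [c.strip() for c in s.split(":") if c.strip()]


def uses_sha1_mac(cipher):
    """True for suites whose name ends in plain '-SHA' (HMAC-SHA1 MAC)."""
    return cipher.endswith(SHA1_SUFFIX)


def negotiate(server_pref, client_offer):
    """Suite a server-preference stack picks, or None when nothing overlaps."""
    offered = set(client_offer)
    for c in server_pref:
        if c in offered:
            return c
    return None


def assess(server_string, client_offer):
    """Summarise whether the handshake succeeds and whether SHA1 was needed."""
    server = parse_cipher_string(server_string)
    chosen = negotiate(server, client_offer)
    return {
        "chosen": chosen,
        "handshake_ok": chosen is not None,
        "chosen_uses_sha1": chosen is not None and uses_sha1_mac(chosen),
        "server_offers_sha1": any(uses_sha1_mac(c) for c in server),
    }


def local_client_ciphers():
    """Names the local OpenSSL client would offer (a real check of this machine)."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    # Constructed: an older client that only offers SHA1 suites (assumption).
    old_client = ["AES256-SHA", "AES128-SHA"]
    print(assess("AES256-SHA256:AES128-SHA256", old_client))          # no overlap
    print(assess("AES256-SHA256:AES256-SHA:AES128-SHA", old_client))  # SHA1 suite picked
```

Run the same `assess()` against `local_client_ciphers()` to see whether your own client would still negotiate once the SHA1 suites are removed again.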
Related Articles, References, Credits, or External Links
NA