
Cisco Bug: CSCsy90150 - ASA doesn't properly handle large SubjectAltName field - UPN parse fails

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(4) 8.2(0.231)

Description (partial)

Client connections that authenticate with certificates fail when the ASA is configured to perform authorization using the UPN attribute from the certificate.

Conditions:

  • The client certificate's SubjectAltName extension is >127 bytes.
  • The ASA is configured for authorization-required, so the connection fails if authorization does not complete.

The ASA logs the following IKE syslog/debug message:

Apr 03 14:29:17 [IKEv1]: Group = DefaultRAGroup, IP = User Authorization failed: [UPN] field missing in Subject DN for user name.
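
The 127-byte figure above is also the largest length that DER can encode in a single length octet (short form); the page does not state the root cause, so treating the two as related is an assumption. The following added example (not Cisco code; the function names and sample values are constructed here) reads a SubjectAltName value in either length form and returns the UPN and the content size, so a client certificate can be checked against the condition above.

```python
# Added example: minimal DER reader for a SubjectAltName value carrying a UPN.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                 # short form: length 0..127 in one octet
        length = first
    else:                            # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_san(upn, dns_names=()):
    """Constructed sample: GeneralNames with dNSName entries and one UPN otherName."""
    other = encode_tlv(0x06, UPN_OID) + encode_tlv(0xA0, encode_tlv(0x0C, upn.encode()))
    body = b"".join(encode_tlv(0x82, d.encode()) for d in dns_names)
    return encode_tlv(0x30, body + encode_tlv(0xA0, other))

def extract_upn(san_der):
    """Return (upn or None, content_length) for a DER GeneralNames value."""
    tag, names, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("not a GeneralNames SEQUENCE")
    pos, upn = 0, None
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0xA0:                            # otherName [0]
            t, oid, p = read_tlv(val)
            if t == 0x06 and oid == UPN_OID:
                _, wrapped, _ = read_tlv(val, p)   # [0] EXPLICIT wrapper
                _, text, _ = read_tlv(wrapped)     # UTF8String holding the UPN
                upn = text.decode("utf-8")
    return upn, len(names)
```

A content length above 127 returned by `extract_upn` means the certificate meets the size condition listed in this bug.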