Preview Tool

Cisco Bug: CSCus70693 - ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:

Last Modified

Feb 14, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

After upgrade to 9.3.2 SSL VPNs stop working.

SSL (either Web or AnyConnect cannot be establish) with the error from AnyConnect:
"Could not connect to server. Please verify Internet connectivity and server address."

In the DART:
Type        : Error
Source      : acvpnui

Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)

This errors are seen:

"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

These errors are seen while debugs enabled:
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838<mailto:error@ssl_engine.c:2838>

error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639<mailto:error@ssl_engine.c:2639>

+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ with IE TLS 1.0 - fails
+ with IE TLS 1.1/1.2 - fails
+ with Mozilla Firefox TLS 1.0 - fails
+ Mozilla Firefox TLS 1.1/1.2 - work ok
+ Chrome also uses TLS 1.2 - works ok.

ASA running 9.3.2 (the issue is not seen on the 9.3.1)

Certificate with:
- RSA keys size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256

It is not happening for all certificates, it has to be something specific in the certificate which hasn't been identified yet.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.