
Cisco Bug: CSCus70693 - ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:

Last Modified

Jun 27, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.3(2)

Description (partial)

After upgrading to 9.3.2, SSL VPNs stop working.

Symptom:
SSL (either Web or AnyConnect) cannot be established, with the error from AnyConnect:
"Could not connect to server. Please verify Internet connectivity and server address."

In the DART:
Type        : Error
Source      : acvpnui

Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)
Description: CONNECTMGR_ERROR_UNEXPECTED

These errors are seen:

"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

These errors are seen while debugs are enabled:
RC4-SHA / RC4-MD5
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838

AES256-SHA / AES128-SHA / DES-CBC3-SHA
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639

Tests:
+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ with IE TLS 1.0 - fails
+ with IE TLS 1.1/1.2 - fails
+ with Mozilla Firefox TLS 1.0 - fails
but
+ Mozilla Firefox TLS 1.1/1.2 - works ok
+ Chrome also uses TLS 1.2 - works ok.

Conditions:
ASA running 9.3.2 (the issue is not seen on the 9.3.1)

Certificate with:
- RSA keys size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256

It is not happening for all certificates; something specific in the certificate, not yet identified, triggers it.
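As an added example (not part of the Cisco bug record), a small detection helper that parses the %ASA-4-402123 message quoted above and flags the code 0x1B / "RSA Decrypt with CRT (> 1024 bits)" combination this bug reports; the sample log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not from a real device) in the format
# quoted in the bug; the third is an unrelated control message.
SAMPLE_LOGS = [
    "%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error "
    "(Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command "
    "PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202).",
    "%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error "
    "(Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command "
    "PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202).",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/51234 "
    "(198.51.100.7/51234) to identity:203.0.113.5/443 (203.0.113.5/443)",
]

# Fields of the 402123 message: failure reason, accelerator error code,
# the crypto command being executed and its numeric command id.
MSG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-402123: CRYPTO: The ASA hardware accelerator encountered "
    r"an error \((?P<reason>.+?), code= (?P<code>0x[0-9A-Fa-f]+)\) "
    r"while executing the command (?P<command>.+?) \((?P<cmd_id>0x[0-9A-Fa-f]+)\)\.?$"
)

def parse_402123(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a %ASA-4-402123 message, or None."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def is_cscus70693_signature(event: Dict[str, str]) -> bool:
    """True for the exact combination quoted in the bug: code 0x1B
    (invalid PKCS type/pad/length) raised by the server-side PKCS1 v1.5
    RSA decrypt with CRT for keys longer than 1024 bits."""
    return (
        event["code"].lower() == "0x1b"
        and "RSA Decrypt with CRT" in event["command"]
        and "> 1024 bits" in event["command"]
    )

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return events matching the bug's log signature; a burst of them
    alongside failed client connections after an upgrade to 9.3(2) is
    the pattern the bug description reports."""
    return [e for e in map(parse_402123, lines) if e and is_cscus70693_signature(e)]
```

Feed it the output of `show logging` or a syslog collector's ASA feed; a non-zero result on a box that was just upgraded to 9.3(2) with a 2048-bit sha256RSA certificate is the condition described above.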

Related Community Discussions

CSCus70693 - ASA 9.3.2 SSL doesn't work with error %ASA-4-402123: CRYPTO:
TLS 1.2 support is still broken in 9.3(2)2, although recent Poodle vulnerabilities have been fixed. When ASA 5555 is acting as an LDAP client to Windows 2013 for user authentication, the connection fails with message %ASA-7-725014: SSL lib error. Function: SSL3_GET_CERTIFICATE_REQUEST Reason: signature algorithms error. When ASA negotiates a TLS 1.1 LDAP connection with old Windows 2008, user authentication works fine. Unfortunately there seems to be no way to force ASA to use TLS 1.1 with newer LDAP servers ...
Latest activity: Feb 09, 2015