Cisco Bug: CSCus70693 - ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Nov 08, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
After upgrade to 9.3.2 SSL VPNs stop working. Symptom: SSL (either Web or AnyConnect cannot be establish) with the error from AnyConnect: "Could not connect to server. Please verify Internet connectivity and server address." In the DART: Type : Error Source : acvpnui Description : Function: ConnectMgr::run File: .\ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED This errors are seen: "%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)." These errors are seen while debugs enabled: RC4-SHA / RC4-MD5 error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838<mailto:error@ssl_engine.c:2838> AES256-SHA / AES128-SHA / DES-CBC3-SHA error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639<mailto:error@ssl_engine.c:2639> Tests: + AnyConnect 3.1.05160 uses TLS 1.0 - fails + AnyConnect 4.0.00057 uses TLS 1.2 - fails + with IE TLS 1.0 - fails + with IE TLS 1.1/1.2 - fails + with Mozilla Firefox TLS 1.0 - fails but + Mozilla Firefox TLS 1.1/1.2 - work ok + Chrome also uses TLS 1.2 - works ok. Conditions: ASA running 9.3.2 (the issue is not seen on the 9.3.1) Certificate with: - RSA keys size: 2048 bits - Signature Algorithm: sha256RSA - Signature Hash Algorithm: sha256 It is not happening for all certificates, it has to be something specific in the certificate which hasn't been identified yet.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases