Cisco Bug: CSCus70693 - ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Jun 27, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
After upgrade to 9.3.2 SSL VPNs stop working. Symptom: SSL (either Web or AnyConnect cannot be establish) with the error from AnyConnect: "Could not connect to server. Please verify Internet connectivity and server address." In the DART: Type : Error Source : acvpnui Description : Function: ConnectMgr::run File: .\ConnectMgr.cpp Line: 674 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED This errors are seen: "%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)." These errors are seen while debugs enabled: RC4-SHA / RC4-MD5 error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838<mailto:error@ssl_engine.c:2838> AES256-SHA / AES128-SHA / DES-CBC3-SHA error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639<mailto:error@ssl_engine.c:2639> Tests: + AnyConnect 3.1.05160 uses TLS 1.0 - fails + AnyConnect 4.0.00057 uses TLS 1.2 - fails + with IE TLS 1.0 - fails + with IE TLS 1.1/1.2 - fails + with Mozilla Firefox TLS 1.0 - fails but + Mozilla Firefox TLS 1.1/1.2 - work ok + Chrome also uses TLS 1.2 - works ok. Conditions: ASA running 9.3.2 (the issue is not seen on the 9.3.1) Certificate with: - RSA keys size: 2048 bits - Signature Algorithm: sha256RSA - Signature Hash Algorithm: sha256 It is not happening for all certificates, it has to be something specific in the certificate which hasn't been identified yet.
Related Community Discussions
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases