
Open Caveats

Release Notes for VPN Client, Release 4.0 through Release 4.0.5.D (OL-5450-10), page 46

CSCdw73886

If the VPN Client is started before the VPN Client's service has finished
loading, the following error appears: “The necessary VPN sub-system is not
available. You will not be able to make a connection to the remote IPSec server.”

Workaround:

Wait until the service has loaded, then start the VPN Client.

CSCdx04343

A customer had problems enrolling the Mac OS version of the VPN Client with a
Baltimore CA. After some troublesome attempts at debugging the enrollment, it
was felt that the documentation should be improved and the Certificate Manager
enhanced.

Workaround:

As far as Baltimore is concerned, the critical thing appears to be to put
either or both of the challenge phrase (-chall) and the host's FQDN (-dn) in
the request. The same appears to hold for a successful SCEP enrollment in a
Verisign Onsite PKI. There may be a case for tweaking the interface a bit, or
at least for adding notes to the manual.

Running cisco_cert_mgr -U -op enroll by itself asks only for a Common Name,
which is not enough. The request that succeeded on two separate Baltimore
installations, one of which had an expired RA certificate, was as follows
(only the switches are shown, for brevity):

    cisco_cert_mgr -U -op enroll -cn -ou -o -c -caurl -cadn -chall -dn

The -ou value is required for connecting to a Cisco 3030 VPN Concentrator: it
is the group name. On almost every attempt, the certificate manager dies after
it starts polling the CA, with this error in the log: “Could not get data
portion of HTTP request”.

If this happens, the pending enrollment can be resumed with cisco_cert_mgr
-E -op enroll_resume rather than started over. On the last attempt, however,
it did not fail at all: the certificate manager kept running until the request
was approved, which is how it should behave.
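The wrapper below is an added example, not part of the release notes or of the Cisco VPN Client; it turns the procedure above into a script. It assumes only what the caveat states: that the enrollment is run with the listed switches, that -ou, -chall and -dn are the ones a Baltimore CA and the concentrator need, and that a request interrupted while polling can be picked up again with -E -op enroll_resume. The -U/-E switch handling, the retry limit and the CERT_MGR override are assumptions of the example, as are any values you pass in; the certificate subject values used in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Cisco code): SCEP enrollment via cisco_cert_mgr with the
# switches the caveat found necessary, plus recovery from the certificate
# manager dying while polling the CA ("Could not get data portion of HTTP request").

CERT_MGR="${CERT_MGR:-cisco_cert_mgr}"   # path to the certificate manager (assumed name)
MAX_RESUMES="${MAX_RESUMES:-5}"           # how often to re-enter polling before giving up
RESUMES=0                                 # how many enroll_resume calls the last run needed

# Print the switches that the caveat says must be present but are absent from
# "$@": -ou (the concentrator group name), -chall and -dn (what Baltimore wanted).
# Returns 0 when nothing is missing, 1 (and the missing list on stdout) otherwise.
missing_switches() {
    missing=""
    for sw in -ou -chall -dn; do
        found=0
        for arg in "$@"; do
            [ "$arg" = "$sw" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $sw"
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Run "cisco_cert_mgr -U -op enroll <switches>". If the certificate manager
# exits non-zero (dies while polling), resume the pending request with
# "-E -op enroll_resume" up to MAX_RESUMES times instead of re-enrolling.
# Returns 0 once the request is approved, 1 when resumes are exhausted,
# 2 when a required switch is missing. RESUMES records the resume count.
enroll_with_resume() {
    RESUMES=0
    missing_switches "$@" >/dev/null || {
        echo "refusing to enroll, missing: $(missing_switches "$@")" >&2
        return 2
    }
    "$CERT_MGR" -U -op enroll "$@" && return 0
    while [ "$RESUMES" -lt "$MAX_RESUMES" ]; do
        RESUMES=$((RESUMES + 1))
        "$CERT_MGR" -E -op enroll_resume && return 0
    done
    echo "enrollment not approved after $RESUMES resume(s)" >&2
    return 1
}

# Usage (constructed placeholder values; the challenge phrase ends up on the
# command line, so other local users can read it from the process list and it
# lands in shell history unless you take care):
#   enroll_with_resume -cn vpnhost -ou vpngroup -o Example -c GB \
#       -caurl http://ca.example/scep -cadn ca.example \
#       -chall 'challenge-phrase' -dn vpnhost.example.com
```

Because -chall is an ordinary argument, treat the wrapper's invocation like any other command that carries a secret: run it from a script with restricted permissions rather than typing the phrase interactively in a shared shell.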
