Common Cisco Adaptive Security Appliance Problems and Recommended Actions
This section provides information on the Common Cisco Adaptive Security Appliance Problems and Recommended Actions.
Certificate Configuration Problems
Certificate Failure Between the IM and Presence Service and Cisco Adaptive Security Appliance
The certificate configuration between the IM and Presence Service and Cisco Adaptive Security Appliance is failing.
The time and time zones on the Cisco Adaptive Security Appliance may not be configured correctly.
- Set the time and time zones on the Cisco Adaptive Security Appliance.
- Check that the time and time zones are configured correctly on the IM and Presence Service and Cisco Unified Communications Manager.
Certificate Failure Between the Cisco Adaptive Security Appliance and Microsoft Access Edge
The certificate configuration between the Cisco Adaptive Security Appliance and Microsoft Access Edge is failing at certificate enrollment on the Cisco Adaptive Security Appliance.
If you are using SCEP enrollment on the Cisco Adaptive Security Appliance, the SCEP add-on may not be installed and configured correctly. Install and configure the SCEP add-on.
Certificate Error in SSL Handshake
A certificate error displays in the SSL handshake.
There is no FQDN in the certificate. You need to configure the domain on the IM and Presence Service CLI and regenerate the certificate on the IM and Presence Service so that it contains an FQDN. You need to restart the SIP proxy on the IM and Presence Service whenever you regenerate a certificate.
Error When Submitting a Certificate Signing Request to VeriSign
I am using VeriSign for certificate enrollment. When I paste the Certificate Signing Request into the VeriSign website, I get an error (usually a 9406 or 9442 error).
The subject-name in the Certificate Signing Request is missing information. If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name in the Certificate Signing Request must contain the following information:
- Country (two-letter country code only)
- State (no abbreviations)
- Locality (no abbreviations)
- Organization Name
- Organizational Unit
- Common Name (FQDN)
The format of the subject-name line entry should be (OU is the Organizational Unit attribute):
(config-ca-trustpoint)# subject-name cn=fqdn,OU=organisational_unit_name,C=country,St=state,L=locality,O=organisation
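A pre-flight check for the subject-name line above, added here as an example (not from the Cisco documentation or the ASA itself): it parses the attribute list and reports anything that conflicts with the VeriSign requirements listed, using a constructed sample subject; the abbreviation test is only a heuristic.

```python
import re

# Attributes VeriSign requires in a renewal CSR, keyed by the (case-insensitive)
# attribute name used in the ASA subject-name command.
REQUIRED = {"cn": "Common Name", "ou": "Organizational Unit", "c": "Country",
            "st": "State", "l": "Locality", "o": "Organization Name"}

# Hostname labels separated by dots, ending in an alphabetic TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_subject_name(line):
    """Parse the argument of an ASA subject-name command into a dict.

    Accepts either the bare 'cn=...,OU=...' string or the whole prompt line.
    """
    line = line.strip()
    if "subject-name" in line:
        line = line.split("subject-name", 1)[1].strip()
    attrs = {}
    for part in line.split(","):
        if "=" not in part:
            raise ValueError(f"malformed attribute: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().lower()] = value.strip()
    return attrs


def check_subject_name(line):
    """Return the problems VeriSign would reject the CSR for; [] means clean."""
    attrs = parse_subject_name(line)
    problems = []
    for key, label in REQUIRED.items():
        if not attrs.get(key):
            problems.append(f"missing {label} ({key.upper()}=)")
    country = attrs.get("c", "")
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append(f"Country must be a two-letter code, got {country!r}")
    for key in ("st", "l"):  # heuristic only: short or dotted values look abbreviated
        value = attrs.get(key, "")
        if value and (len(value) <= 3 or value.endswith(".")):
            problems.append(f"{REQUIRED[key]} looks abbreviated: {value!r}")
    cn = attrs.get("cn", "")
    if cn and not FQDN_RE.match(cn):
        problems.append(f"Common Name is not an FQDN: {cn!r}")
    return problems


# Constructed sample in the required format (not a real deployment).
GOOD = "cn=asa.example.com,OU=Unified Comms,C=US,St=California,L=San Jose,O=Example Corp"
```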
SSL Errors when an IM and Presence Service Domain or Hostname is Changed
I changed the IM and Presence Service domain from the CLI, and I am getting SSL certificate errors between the IM and Presence Service and the Cisco Adaptive Security Appliance.
If you change the IM and Presence Service domain name from the CLI, the IM and Presence Service self-signed certificate, sipproxy.pem, is regenerated. As a result you must reimport the sipproxy.pem certificate into the Cisco Adaptive Security Appliance. Specifically, you must delete the current sipproxy.pem certificate on the Cisco Adaptive Security Appliance and reimport the regenerated IM and Presence Service sipproxy.pem certificate.
Errors When Creating TLS Proxy Class Maps
The following errors are displayed when configuring the TLS Proxy class maps:
ciscoasa(config)# class-map ent_imp_to_external
ciscoasa(config-cmap)# match access-list ent_imp_to_external
ERROR: Specified ACL (ent_imp_to_external) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map ent_external_to_imp
ciscoasa(config-cmap)# match access-list ent_external_to_imp
ERROR: Specified ACL (ent_external_to_imp) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)#
The access list for the external domain does not exist. In the example above, the access list called ent_external_to_imp does not exist. Create an extended access list for the external domain using the access-list command.
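An added example (not Cisco's code or output) that lints a saved ASA running-config for the condition behind this error: every match access-list inside a class-map must name an ACL that exists and is of type extended. The sample config, its ACL names and its addresses are constructed.

```python
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|ethertype|webtype)\b", re.I)
CMAP_RE = re.compile(r"^class-map\s+(?:type\s+\S+\s+)?(\S+)\s*$", re.I)
MATCH_RE = re.compile(r"^\s*match\s+access-list\s+(\S+)\s*$", re.I)


def acl_types(config):
    """Map each ACL name defined in the config to its type (first line wins)."""
    types = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) not in types:
            types[m.group(1)] = m.group(2).lower()
    return types


def find_bad_class_map_matches(config):
    """Return (class_map, acl, reason) for each 'match access-list' the ASA
    would reject: the ACL is undefined or is not an extended ACL."""
    types = acl_types(config)
    findings = []
    current = None
    for line in config.splitlines():
        m = CMAP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MATCH_RE.match(line)
        if m and current:
            acl = m.group(1)
            if acl not in types:
                findings.append((current, acl, "does not exist"))
            elif types[acl] != "extended":
                findings.append((current, acl, f"type {types[acl]} is not supported by match"))
    return findings


# Constructed sample config: one correct class-map, one ACL that was never
# created, and one that exists but is a standard ACL.
SAMPLE_CONFIG = """\
access-list ent_imp_to_external extended permit tcp host 10.0.0.5 any eq 5061
access-list ent_old standard permit 10.0.0.0 255.0.0.0
class-map ent_imp_to_external
 match access-list ent_imp_to_external
class-map ent_external_to_imp
 match access-list ent_external_to_imp
class-map ent_legacy
 match access-list ent_old
"""
```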
Subscriptions Do Not Reach Access Edge
Subscriptions from Microsoft Office Communicator do not reach the Access Edge. OCS reports a network function error with Access Edge as the peer. The Access Edge service does not start.
On Access Edge, the IM and Presence Service domain may be configured in both the Allow tab and the IM provider tab. The IM and Presence Service domain should only be configured in the IM Provider tab. On Access Edge, remove the IM and Presence Service domain entry from the Allow tab. Make sure there is an entry for the IM and Presence Service domain on the IM Provider tab.
Note: The IM and Presence Service supports multiple domains. Make sure that you check each IM and Presence domain to determine if there are erroneous entries in the Allow tab that should be removed.
Problems with Cisco Adaptive Security Appliance after Upgrade
The Cisco Adaptive Security Appliance does not boot after a software upgrade.
You can download a new software image to the Cisco Adaptive Security Appliance using a TFTP server and the ROM Monitor (ROMMON) on the Cisco Adaptive Security Appliance. ROMMON is a command-line interface used for image loading and retrieval over TFTP and for related diagnostic utilities.
Procedure
Step 1: Attach a console cable (the blue cable that is distributed with the Cisco Adaptive Security Appliance) from the console port to a port on a nearby TFTP server.
Step 2: Open HyperTerminal or an equivalent terminal program.
Step 3: Accept all default values as you are prompted.
Step 4: Reboot the Cisco Adaptive Security Appliance.
Step 5: Press ESC during bootup to access ROMMON.
Step 6: Enter this sequence of commands to enable the Cisco Adaptive Security Appliance to download the image from your TFTP server:
Step 7: Place the software image on the TFTP server in a recommended location (depending on your TFTP software).
Step 8: Enter this command to start the download:
Cannot Install Signed Microsoft CA Server-Client Authentication Certificate on Microsoft OCS 2008
You cannot install a server-client authentication certificate that is signed by a Microsoft CA into the local computer store of a Microsoft Office Communications Server (OCS) running Windows 2008. Attempting to copy the certificate from the current user store to the local computer store fails with an error message stating that the private key is missing.
You can perform the following procedure:
- Log in to the OCS as a local user.
- Create the certificate.
- Approve the certificate from the CA server.
- While logged on to the OCS, export the certificate to a file and ensure that the private key is exported.
- Log off the OCS (Local Computer).
- Log in to the OCS again, but this time log in as an OCS domain user.
- Use the Certificate Wizard to import the certificate file. The certificate is installed in the local computer store. You can now select the certificate in the OCS certificate tab.