Remote Access clients cannot connect to Security Gateway working in Hybrid Mode if it does not have an ICA and uses 3rd party certificate
Symptoms
  • Remote Access clients that authenticate with a username and password cannot connect to a Security Gateway working in Hybrid Mode if the gateway does not have an ICA and uses a 3rd party certificate.

  • Debug of the VPND daemon (per sk89940) on the Security Gateway shows:

    [vpnd PID ...]@HostName[Date Time] fwCert_FindCertListAndKey: Entering 
    [vpnd PID ...]@HostName[Date Time] Cert Reqeust got from peer: 
    [vpnd PID ...]@HostName[Date Time] type 4 
    [vpnd PID ...]@HostName[Date Time] CertListAndTypeForModule: cannot find certified key of ICA 
    [vpnd PID ...]@HostName[Date Time] fwisakmp_user_failed_with_auth: enter, reject category 0 
    [vpnd PID ...]@HostName[Date Time] getUserCertificate: fwCert_CertsAndCRLsFromCertInfoList failed 
    [vpnd PID ...]@HostName[Date Time] GetDAGIP: ID ... not in DAIP range 
    [vpnd PID ...]@HostName[Date Time] CFwdCommStreamLocal::Write called 
    [vpnd PID ...]@HostName[Date Time] CFwdCommStreamLocal::Write sent 264 bytes 
    [vpnd PID ...]@HostName[Date Time] RespMMPacketError: error in FWIKE_EXCH_MAIN_MODE - FWIKE_MM_PACKET_6_PROLOGUE
    
Cause

In Hybrid Mode the client authenticates with a username and password, while the Security Gateway authenticates itself with a certificate. When the Remote Access client does not send a certificate request to the Security Gateway in IKE Main Mode packet 3, the Security Gateway tries to find an appropriate certificate to present to the client. If the Security Gateway does not have an ICA, it cannot find one ("CertListAndTypeForModule: cannot find certified key of ICA" in the debug above), and the IKE negotiation fails in the Main Mode packet 6 prologue.
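The following is an added example, not Check Point code and not part of this SK: it shows how to check whether an IKEv1 Main Mode packet 3 carries a Certificate Request (CERTREQ) payload, and models the gateway-side lookup the Cause paragraph describes (use the requested CA if one was named, otherwise fall back to the ICA-issued certificate, fail if there is none). It assumes the ISAKMP layout of RFC 2408 (28-byte header, 4-byte generic payload header, CERTREQ = payload type 7 with a 1-byte certificate-encoding field, 4 = X.509 signature, followed by the CA name). The selection rule is a simplified model of the described behaviour, not vpnd's actual algorithm, and all packets and certificate lists below are constructed sample data.

```python
import struct

# RFC 2408 constants (assumed layout; not taken from the SK).
ISAKMP_HDR_LEN = 28
EXCH_MAIN_MODE = 2
PAYLOAD_NONE, PAYLOAD_KE, PAYLOAD_CERTREQ, PAYLOAD_NONCE = 0, 4, 7, 10
CERT_ENC_X509_SIG = 4   # "type 4" in the vpnd debug is assumed to be this encoding


def build_packet(payloads, exchange_type=EXCH_MAIN_MODE):
    """Serialise an ISAKMP packet from [(payload_type, body), ...]."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    # initiator SPI, responder SPI, next payload, version 1.0, exchange, flags, msg id, length
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


def parse_payloads(packet):
    """Walk the ISAKMP payload chain; return [(payload_type, body), ...]."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_type = packet[16]          # 'next payload' byte of the header
    off = ISAKMP_HDR_LEN
    out = []
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("bad payload length")
        out.append((next_type, packet[off + 4:off + length]))
        next_type, off = nxt, off + length
    return out


def certreq_ca_names(packet):
    """CA names requested in CERTREQ payloads as [(encoding, ca_name)]; [] if none."""
    return [(body[0], body[1:]) for ptype, body in parse_payloads(packet)
            if ptype == PAYLOAD_CERTREQ and body]


def select_gateway_cert(installed, requested):
    """Model of the lookup in the Cause section (assumption, not vpnd code):
    prefer a certificate issued by a CA the client asked for; with no CERTREQ
    fall back to the ICA-issued certificate; return None when neither exists,
    which corresponds to 'cannot find certified key of ICA' in the debug."""
    for _enc, ca in requested:
        for cert in installed:
            if cert["issuer"] == ca:
                return cert
    if not requested:
        for cert in installed:
            if cert.get("is_ica"):
                return cert
    return None


# Constructed sample traffic: Main Mode packet 3 with and without a CERTREQ.
# KE and NONCE bodies are filler bytes, not real Diffie-Hellman values.
MM3_WITH_CERTREQ = build_packet([
    (PAYLOAD_KE, b"\xaa" * 16),
    (PAYLOAD_NONCE, b"\xbb" * 16),
    (PAYLOAD_CERTREQ, bytes([CERT_ENC_X509_SIG]) + b"CN=ThirdPartyCA"),
])
MM3_NO_CERTREQ = build_packet([
    (PAYLOAD_KE, b"\xaa" * 16),
    (PAYLOAD_NONCE, b"\xbb" * 16),
])

# Constructed gateway certificate stores (hypothetical issuer names / labels).
CERTS_THIRD_PARTY_ONLY = [{"label": "defaultCert", "issuer": b"CN=ThirdPartyCA"}]
CERTS_WITH_ICA = CERTS_THIRD_PARTY_ONLY + [
    {"label": "ICA cert", "issuer": b"CN=hypothetical-ICA", "is_ica": True}]


def diagnose(packet, installed):
    """Return the label of the certificate the gateway would present, or None."""
    cert = select_gateway_cert(installed, certreq_ca_names(packet))
    return cert["label"] if cert else None


if __name__ == "__main__":
    # Same client, same 3rd party cert: only the packet without CERTREQ fails.
    print("CERTREQ, 3rd party only :", diagnose(MM3_WITH_CERTREQ, CERTS_THIRD_PARTY_ONLY))
    print("no CERTREQ, 3rd party   :", diagnose(MM3_NO_CERTREQ, CERTS_THIRD_PARTY_ONLY))
    print("no CERTREQ, with ICA    :", diagnose(MM3_NO_CERTREQ, CERTS_WITH_ICA))
```

To apply this to a real capture, feed `certreq_ca_names()` the ISAKMP bytes of the client's third Main Mode message (the UDP payload on port 500, after any NAT-T header on 4500); an empty result on a gateway that holds only a 3rd party certificate is the situation this SK describes.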


Solution
Note: To view this solution you need to Sign In.