Endpoint Security VPN client using SHA256 certificate from the CAPI store fails to connect to VPN Gateway with "Internal error" message
Symptoms
  • Endpoint Security VPN client fails to connect to VPN Gateway with "Internal error" message in the following scenario:

    1. Endpoint Security VPN client is configured for *.P12 certificate authentication
    2. The *.P12 certificate was signed with SHA256
    3. The *.P12 certificate was imported to the CAPI store
  • When the Endpoint Security VPN client is configured for *.P12 certificate authentication, and this *.P12 certificate file (signed with SHA256) is selected directly in the client, then the client is able to connect.

  • If the *.P12 certificate was signed with SHA1 and imported to the CAPI store, then the client is able to connect.

  • Client debug (trac.log), taken while using the SHA256 certificate from the CAPI store, shows:

    fwCAPIPubKey_imp::fwCAPIPubKey_imp: provider = 'Microsoft Enhanced Cryptographic Provider v1.0' container='{...}'
    [] fwCAPIPubKey_imp::SetFlags: CAPI key flags:PUBKEY_PRIVATE + PUBKEY_SIGN + PUBKEY_SOFTWARE.
    [] fwCAPIPubKey_imp::Sign: CAPI sign.
    [] fwCAPIPubKey_imp::Sign: in
    Vista_IsExecutedAsService(), len = 0
    [] CapiUserProcSign::Init: Will get required out buffer length
    [] CapiUserProcSign::DoAction: After wake up process
    [] CapiUserProcPKCS7::TriggerAction: Set Event
    [] CapiUserProcInteract::WaitForProcResponse:CAPI Proc returned with failure
    [] CapiUserProcSign::ActionWaitAndHandleResult: Signing failed
    [] CapiUserProcSign::DoAction: Failed to wait and handle reponse
    fwCAPIPubKey_imp::Sign: Failed to get signed result
    [Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign buffer
    [Rais_CAPICERT] capi_cert_sign: __end__
    [RunAs] FreeSecurityContextInformation: Ended
    [RunAs] SCRunFuncAsUser: Ended
    [Rais_CAPICERT] CAPICert::Sign: __end__
    [IKE] create_MM5(certificates authentication): Failed to sign hash (-996)
    [DEBUG] [RaisMessages::CreateMessageSet(s)]
    message: (msg_obj
      :format (1.0)
      :id (ClipsMessagesInternalError)
      :def_msg ("Internal error; connection failed. More details may be available in the logs")
      :arguments ()
    )
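
The failure signature in the trac.log excerpt above can be checked for mechanically when triaging client logs. The script below is an added example, not Check Point code: the function names `triage_trac_log` and `matches_this_article` are hypothetical, and the sample input is a subset of the log lines quoted above.

```python
import re

# Subset of the trac.log lines quoted on this page (container value elided as on the page).
SAMPLE_TRAC_LOG = """\
fwCAPIPubKey_imp::fwCAPIPubKey_imp: provider = 'Microsoft Enhanced Cryptographic Provider v1.0' container='{...}'
[] fwCAPIPubKey_imp::Sign: CAPI sign.
[] CapiUserProcInteract::WaitForProcResponse:CAPI Proc returned with failure
[] CapiUserProcSign::ActionWaitAndHandleResult: Signing failed
[Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign buffer
[IKE] create_MM5(certificates authentication): Failed to sign hash (-996)
  :id (ClipsMessagesInternalError)
"""

PROVIDER_RE = re.compile(r"fwCAPIPubKey_imp::fwCAPIPubKey_imp: provider = '([^']*)'")
SIGN_FAIL_RE = re.compile(r"(Signing failed|Failed to sign buffer|CAPI Proc returned with failure)")
IKE_FAIL_RE = re.compile(r"\[IKE\] (\w+)\(certificates authentication\): Failed to sign hash \((-?\d+)\)")
MSG_ID_RE = re.compile(r":id \((\w+)\)")

def triage_trac_log(text):
    """Return one finding per IKE signing failure, tied to the last CAPI provider seen."""
    findings = []
    provider = None
    capi_errors = []
    pending = None  # finding still waiting for the user-facing message id
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := PROVIDER_RE.search(line):
            provider, capi_errors = m.group(1), []  # a new signing attempt starts here
        elif m := SIGN_FAIL_RE.search(line):
            capi_errors.append(m.group(1))
        elif m := IKE_FAIL_RE.search(line):
            pending = {"line": lineno, "ike_step": m.group(1), "ike_error": int(m.group(2)),
                       "provider": provider, "capi_errors": list(capi_errors), "message_id": None}
            findings.append(pending)
        elif pending and (m := MSG_ID_RE.search(line)):
            pending["message_id"] = m.group(1)
            pending = None
    return findings

def matches_this_article(finding):
    """True when a finding carries the full signature shown in the Symptoms log."""
    return (finding["provider"] is not None and bool(finding["capi_errors"])
            and finding["ike_step"] == "create_MM5"
            and finding["message_id"] == "ClipsMessagesInternalError")

if __name__ == "__main__":
    for f in triage_trac_log(SAMPLE_TRAC_LOG):
        print(f, "matches:", matches_this_article(f))
```

Each finding records the CAPI provider named in the log, so results from several clients can be grouped by provider when comparing working and failing machines.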
    
Cause

There are two possible root causes:


Solution