Bug 1978280 - error connecting to VPN - A TLS fatal alert has been received
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 35
Hardware: Unspecified
OS: Unspecified
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2021-07-01 12:51 UTC by piio
Modified: 2022-07-19 09:00 UTC (History)

Fixed In Version: openconnect-9.01-2.fc36
Last Closed: 2022-07-09 01:23:34 UTC
Type: Bug

Description piio 2021-07-01 12:51:02 UTC
Description of problem:
I have trouble connecting to the VPN. SSL connection failure: A TLS fatal alert has been received.

I'm using arguments:

```
openconnect vpndnsname --protocol=anyconnect --servercert sha1:sha1fingerprint --cafile cert.pem --certificate cert.pem -k cert.key
```

```
POST https://vpndnsname/
Connected to XXX.XXX.XXX.XXX:443
Enter PEM pass phrase:
Using client certificate 'PERSONAL CERT'
SSL negotiation with vpndnsname
Connected to HTTPS on vpndnsname with ciphersuite (TLS1.0)-(DHE-CUSTOM1024)-(AES-128-CBC)-(SHA1)
POST https://vpndnsname/
SSL negotiation with vpndnsname
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to vpndnsname
Failed to obtain WebVPN cookie
```



Comment 1 Ben Cotton 2021-08-10 13:10:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 2 Denis 2022-01-30 17:03:39 UTC
I too have the same problem and found a solution.

As a temporary solution, you can use this: https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/

solution: https://gitlab.com/openconnect/openconnect/-/issues/189

Comment 3 Daniel Lenski 2022-01-30 22:28:05 UTC
This is a consequence of https://bugzilla.redhat.com/show_bug.cgi?id=1960763, and it has already been mitigated in OpenConnect source and will be in the next release (as I explained in https://gitlab.com/openconnect/openconnect/-/issues/189#note_825918571).

Comment 4 Fedora Update System 2022-07-05 06:30:37 UTC
FEDORA-2022-7b0198079d has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-7b0198079d

Comment 5 Fedora Update System 2022-07-06 02:15:47 UTC
FEDORA-2022-7b0198079d has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-7b0198079d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7b0198079d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-07-09 01:23:34 UTC
FEDORA-2022-7b0198079d has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 7 aborniak 2022-07-14 13:57:42 UTC
It looks like FEDORA-2022-7b0198079d didn't fix the issue.

```
[root@aborniakFC ~]# rpm -qa | grep openconnect
openconnect-9.01-2.fc36.x86_64
NetworkManager-openconnect-1.2.8-2.fc36.x86_64
[root@aborniakFC ~]#
```


```
[root@aborniakFC ~]# openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.6. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script
[root@aborniakFC ~]#
```

```
[root@aborniakFC ~]# openconnect --disable-ipv6 --printcookie --dump-http-traffic -v --gnutls-debug=99 testvpnserver.com
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
POST https://testvpnserver.com/
Attempting to connect to server 1.1.1.1:443
Connected to 130.117.225.6:443
Initializing needed PKCS #11 modules
p11: Initializing module: p11-kit-trust
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
p11: No login requested.
p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
p11 attrs: CKA_TRUSTED
p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
ASSERT: pkcs11.c[find_multi_objs_cb]:3136
ASSERT: pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3465
REC[0x561f51635080]: Allocating epoch #0
cfg: system priority /etc/crypto-policies/back-ends/gnutls.config has not changed
cfg: finalized system-wide priority string
resolved 'OPENCONNECT' to '', next 'SYSTEM'
resolved 'SYSTEM' to 'NONE:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+AES-256-CBC:+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+AEAD:+SHA1:+SHA512:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-EdDSA-Ed25519:+SIGN-EdDSA-Ed448:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2', next ''
selected priority string: NONE:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+AES-256-CBC:+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+AEAD:+SHA1:+SHA512:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-EdDSA-Ed25519:+SIGN-EdDSA-Ed448:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2:%COMPAT:-3DES-CBC:-ARCFOUR-128
added 3 protocols, 29 ciphersuites, 17 sig algos and 10 groups into priority list
SSL negotiation with testvpnserver.com
REC[0x561f51635080]: Allocating epoch #1
HSK[0x561f51635080]: Adv. version: 3.3
FIPS140-2 context is not set
FIPS140-2 context is not set
Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
EXT[0x561f51635080]: Preparing extension (OCSP Status Request/5) for 'client hello'
EXT[0x561f51635080]: Sending extension OCSP Status Request/5 (5 bytes)
EXT[0x561f51635080]: Preparing extension (Client Certificate Type/19) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Server Certificate Type/20) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Supported Groups/10) for 'client hello'
EXT[0x561f51635080]: Sent group X25519 (0x1d)
EXT[0x561f51635080]: Sent group X448 (0x1e)
EXT[0x561f51635080]: Sent group SECP256R1 (0x17)
EXT[0x561f51635080]: Sent group SECP384R1 (0x18)
EXT[0x561f51635080]: Sent group SECP521R1 (0x19)
EXT[0x561f51635080]: Sent group FFDHE2048 (0x100)
EXT[0x561f51635080]: Sent group FFDHE3072 (0x101)
EXT[0x561f51635080]: Sent group FFDHE4096 (0x102)
EXT[0x561f51635080]: Sent group FFDHE6144 (0x103)
EXT[0x561f51635080]: Sent group FFDHE8192 (0x104)
EXT[0x561f51635080]: Sending extension Supported Groups/10 (22 bytes)
EXT[0x561f51635080]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
EXT[0x561f51635080]: Sending extension Supported EC Point Formats/11 (2 bytes)
EXT[0x561f51635080]: Preparing extension (SRP/12) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Signature Algorithms/13) for 'client hello'
EXT[0x561f51635080]: sent signature algo (4.3) ECDSA-SHA256
EXT[0x561f51635080]: sent signature algo (5.3) ECDSA-SHA384
EXT[0x561f51635080]: sent signature algo (6.3) ECDSA-SHA512
EXT[0x561f51635080]: sent signature algo (8.7) EdDSA-Ed25519
EXT[0x561f51635080]: sent signature algo (8.8) EdDSA-Ed448
EXT[0x561f51635080]: sent signature algo (8.9) RSA-PSS-SHA256
EXT[0x561f51635080]: sent signature algo (8.10) RSA-PSS-SHA384
EXT[0x561f51635080]: sent signature algo (8.11) RSA-PSS-SHA512
EXT[0x561f51635080]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
EXT[0x561f51635080]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
EXT[0x561f51635080]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
EXT[0x561f51635080]: sent signature algo (4.1) RSA-SHA256
EXT[0x561f51635080]: sent signature algo (5.1) RSA-SHA384
EXT[0x561f51635080]: sent signature algo (6.1) RSA-SHA512
EXT[0x561f51635080]: Sending extension Signature Algorithms/13 (30 bytes)
EXT[0x561f51635080]: Preparing extension (SRTP/14) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Heartbeat/15) for 'client hello'
EXT[0x561f51635080]: Preparing extension (ALPN/16) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Extended Master Secret/23) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Session Ticket/35) for 'client hello'
EXT[0x561f51635080]: Sending extension Session Ticket/35 (0 bytes)
EXT[0x561f51635080]: Preparing extension (Key Share/51) for 'client hello'
EXT[0x561f51635080]: sending key share for X25519
FIPS140-2 context is not set
FIPS140-2 context is not set
EXT[0x561f51635080]: sending key share for SECP256R1
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
ASSERT: mpi.c[wrap_nettle_mpi_print]:60
FIPS140-2 context is not set
FIPS140-2 context is not set
FIPS140-2 context is not set
EXT[0x561f51635080]: Sending extension Key Share/51 (107 bytes)
EXT[0x561f51635080]: Preparing extension (Supported Versions/43) for 'client hello'
Advertizing version 3.4
Advertizing version 3.3
EXT[0x561f51635080]: Sending extension Supported Versions/43 (5 bytes)
EXT[0x561f51635080]: Preparing extension (Post Handshake Auth/49) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
EXT[0x561f51635080]: Sending extension Safe Renegotiation/65281 (1 bytes)
EXT[0x561f51635080]: Preparing extension (Server Name Indication/0) for 'client hello'
HSK[0x561f51635080]: sent server name: 'testvpnserver.com'
EXT[0x561f51635080]: Sending extension Server Name Indication/0 (25 bytes)
EXT[0x561f51635080]: Preparing extension (Cookie/44) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Early Data/42) for 'client hello'
EXT[0x561f51635080]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
EXT[0x561f51635080]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
EXT[0x561f51635080]: Preparing extension (Record Size Limit/28) for 'client hello'
EXT[0x561f51635080]: Sending extension Record Size Limit/28 (2 bytes)
EXT[0x561f51635080]: Preparing extension (Maximum Record Size/1) for 'client hello'
EXT[0x561f51635080]: Preparing extension (Compress Certificate/27) for 'client hello'
EXT[0x561f51635080]: Preparing extension (ClientHello Padding/21) for 'client hello'
EXT[0x561f51635080]: Sending extension ClientHello Padding/21 (127 bytes)
EXT[0x561f51635080]: Preparing extension (Pre Shared Key/41) for 'client hello'
HSK[0x561f51635080]: CLIENT HELLO was queued [512 bytes]
HWRITE: enqueued [CLIENT HELLO] 512. Total 512 bytes.
HWRITE FLUSH: 512 bytes in buffer.
REC[0x561f51635080]: Preparing Packet Handshake(22) with length: 512 and min pad: 0
ENC[0x561f51635080]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
WRITE: enqueued 517 bytes for 0x6. Total 517 bytes.
REC[0x561f51635080]: Sent Packet[1] Handshake(22) in epoch 0 and length: 517
HWRITE: wrote 1 bytes, 0 bytes left.
WRITE FLUSH: 517 bytes in buffer.
WRITE: wrote 517 bytes, 0 bytes left.
ASSERT: buffers.c[get_last_packet]:1185
READ: Got 5 bytes from 0x6
READ: read 5 bytes from 0x6
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[0x561f51635080]: SSL 3.3 Alert packet received. Epoch 0, length: 2
REC[0x561f51635080]: Expected Packet Handshake(22)
REC[0x561f51635080]: Received Packet Alert(21) with length: 2
READ: Got 2 bytes from 0x6
READ: read 2 bytes from 0x6
RB: Have 5 bytes into buffer. Adding 2 bytes.
RB: Requested 7 bytes
REC[0x561f51635080]: Decrypted Packet[0] Alert(21) with length: 2
REC[0x561f51635080]: Alert[2|40] - Handshake failed - was received
ASSERT: record.c[record_add_to_buffers]:903
ASSERT: record.c[record_add_to_buffers]:909
ASSERT: record.c[_gnutls_recv_in_buffers]:1589
ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1467
ASSERT: handshake.c[_gnutls_recv_handshake]:1600
ASSERT: handshake.c[handshake_client]:3067
BUF[HSK]: Emptied buffer
SSL connection failure: A TLS fatal alert has been received.
BUF[HSK]: Emptied buffer
REC[0x561f51635080]: Start of epoch cleanup
REC[0x561f51635080]: End of epoch cleanup
REC[0x561f51635080]: Epoch #0 freed
REC[0x561f51635080]: Epoch #1 freed
Failed to open HTTPS connection to testvpnserver.com
Failed to complete authentication
[root@aborniakFC ~]#
```

This is the short version without debug.

```
[root@aborniakFC ~]# openconnect testvpnserver.com
POST https://testvpnserver.com/
Connected to 1.1.1.1:443
SSL negotiation with testvpnserver.com
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to testvpnserver.com
Failed to complete authentication
[root@aborniakFC ~]#
```
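
An added example (not part of the bug report, OpenConnect or GnuTLS): a small Python triage helper that reduces a `--gnutls-debug` log like the one in comment 7 to what the client offered and which alert the peer sent back. The sample lines are excerpted from that log; treating a `SERVER HELLO` line as the marker of a server reply is an assumption about the GnuTLS log format.

```python
import re

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446).
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 47: "illegal_parameter", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security",
          80: "internal_error", 112: "unrecognized_name"}
LEVELS = {1: "warning", 2: "fatal"}
# GnuTLS logs protocol versions as wire-format major.minor pairs.
VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1",
            "3.3": "TLS 1.2", "3.4": "TLS 1.3"}

ALERT_RE = re.compile(r"Alert\[(\d+)\|(\d+)\]")
VERSION_RE = re.compile(r"Advertizing version (\d+\.\d+)")
SUITE_RE = re.compile(r"Keeping ciphersuite \S+ \((GNUTLS_\w+)\)")


def triage(log_text):
    """Summarise the client's offer and the first alert the peer sent."""
    offered, suites, alert, stage = [], [], None, None
    server_hello_seen = False
    for line in log_text.splitlines():
        if m := VERSION_RE.search(line):
            offered.append(VERSIONS.get(m.group(1), m.group(1)))
        elif m := SUITE_RE.search(line):
            suites.append(m.group(1))
        elif "SERVER HELLO" in line:
            # Assumption: GnuTLS logs a "SERVER HELLO ... was received" line.
            server_hello_seen = True
        elif alert is None and (m := ALERT_RE.search(line)):
            level, desc = int(m.group(1)), int(m.group(2))
            alert = (LEVELS.get(level, str(level)), ALERTS.get(desc, str(desc)))
            stage = "after ServerHello" if server_hello_seen else "before ServerHello"
    return {"offered_versions": offered, "suite_count": len(suites),
            "cbc_sha1_suites": [s for s in suites if s.endswith("_CBC_SHA1")],
            "alert": alert, "stage": stage}


# Lines excerpted from the comment 7 log (ciphersuite list shortened).
SAMPLE_LOG = """\
HSK[0x561f51635080]: Adv. version: 3.3
Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
Advertizing version 3.4
Advertizing version 3.3
REC[0x561f51635080]: Sent Packet[1] Handshake(22) in epoch 0 and length: 517
REC[0x561f51635080]: Received Packet Alert(21) with length: 2
REC[0x561f51635080]: Alert[2|40] - Handshake failed - was received
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A fatal `handshake_failure` that arrives before any ServerHello means the peer rejected the ClientHello itself, so the mismatch is in the offered versions, ciphersuites or extensions rather than in certificates or authentication.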

Comment 8 Nikos Mavrogiannopoulos 2022-07-15 06:17:06 UTC
The server has closed the connection for some reason but this is not clear from the log. Try the following:
 - switch crypto policies to legacy
 - run gnutls-cli-debug on the server

I suspect the server cannot handle a TLS 1.3 client.

Comment 9 aborniak 2022-07-15 07:27:40 UTC
>switch crypto policies to legacy
I have tried it - the output/result was the same. 

>run gnutls-cli-debug on the server

```
[root@aborniakFC ~]# gnutls-cli-debug testvpnserver.com
GnuTLS debug client 3.7.6
Checking testvpnserver.com:443
whether the server accepts default record size (512 bytes)... no
                  whether %ALLOW_SMALL_RECORDS is required... no
                        whether we need to disable TLS 1.2... yes
                        whether we need to disable TLS 1.1... yes
                        whether we need to disable TLS 1.0... yes
                             for TLS 1.0 (RFC2246) support... no
 for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
                             for TLS 1.1 (RFC4346) support... no
                                  fallback from TLS 1.1 to... failed
                             for TLS 1.2 (RFC5246) support... no
                             for TLS 1.3 (RFC8446) support... no
                    for known TLS or SSL protocols support... no
[root@aborniakFC ~]#
```

Comment 10 Nikos Mavrogiannopoulos 2022-07-17 05:05:34 UTC
This seems like a server with very special needs. You may want to debug this with the administrators of the server.

Comment 11 aborniak 2022-07-18 08:28:02 UTC
The server is based on Cisco ASA. I am not sure that I can contact the administrator of the server. 
In any case, thank you for your support and advice.
Have a nice day.

Comment 12 Daniel Lenski 2022-07-18 16:39:42 UTC
This server appears strikingly similar to the server I was studying when I wrote these GnuTLS MRs:

https://gitlab.com/gnutls/gnutls/-/merge_requests/1221
https://gitlab.com/gnutls/gnutls/-/merge_requests/1251

In order to connect to it (see https://gitlab.com/openconnect/openconnect/-/issues/145#note_344021686), I had to use the following command-line to ensure that GnuTLS would only try SSLv3 and TLSv1.0 _without extensions_, and would only offer the 3DES and RC4 ciphers:

```
openconnect --allow-insecure-crypto --gnutls-priority "NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:+COMP-ALL:+KX-ALL" ancient.vpn.server.com
```

(Needless to say, this configuration is extremely insecure.)
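
An added example (not from the thread or from GnuTLS): a Python check that parses a GnuTLS priority string and lists the legacy protocol versions, ciphers and options it enables, applied to the string from comment 12 and to a shortened copy of the system policy string from the comment 7 log. The weak-token list is this example's own choice, and only explicit `+`, `-`, `!` and `%` tokens are modelled.

```python
# Tokens this example treats as weak, with the reason reported for each.
WEAK_TOKENS = {
    "VERS-SSL3.0": "SSL 3.0 (prohibited by RFC 7568)",
    "VERS-TLS1.0": "TLS 1.0 (deprecated by RFC 8996)",
    "VERS-TLS1.1": "TLS 1.1 (deprecated by RFC 8996)",
    "3DES-CBC": "64-bit block cipher (Sweet32)",
    "ARCFOUR-128": "RC4 (prohibited by RFC 7465)",
    "MD5": "MD5-based MAC",
}
WEAK_OPTIONS = {
    "NO_EXTENSIONS": "no TLS extensions sent (no renegotiation_info, "
                     "no extended master secret)",
}


def audit_priority(priority):
    """Return (base keyword, [(token, reason), ...]) for a priority string.

    Tokens are applied left to right: +X enables, -X or !X disables,
    %X sets an option. What a base keyword other than NONE enables is
    not modelled here.
    """
    base, *tokens = priority.split(":")
    enabled, options = set(), set()
    for tok in tokens:
        if tok.startswith("+"):
            enabled.add(tok[1:])
        elif tok.startswith(("-", "!")):
            enabled.discard(tok[1:])
        elif tok.startswith("%"):
            options.add(tok[1:])
    findings = [(t, why) for t, why in WEAK_TOKENS.items() if t in enabled]
    findings += [("%" + o, why) for o, why in WEAK_OPTIONS.items() if o in options]
    return base, findings


# Priority string quoted in comment 12.
LEGACY = ("NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION:"
          "+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:+COMP-ALL:+KX-ALL")
# Shortened from the "selected priority string" line in the comment 7 log.
SYSTEM_SHORT = ("NONE:+ECDHE-RSA:+AES-256-GCM:+AES-128-CBC:+AEAD:+SHA1:"
                "+VERS-TLS1.3:+VERS-TLS1.2:%COMPAT:-3DES-CBC:-ARCFOUR-128")

if __name__ == "__main__":
    for name, prio in (("legacy", LEGACY), ("system", SYSTEM_SHORT)):
        base, findings = audit_priority(prio)
        print(f"{name}: base={base}, {len(findings)} finding(s)")
        for token, why in findings:
            print(f"  {token}: {why}")
```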

Comment 13 aborniak 2022-07-19 09:00:53 UTC
Hello Daniel,
Thank you for your reply. 
The specified command doesn't work for me, I get the same error.
I am pretty sure that a firmware update on Cisco ASA will fix this issue. 
I will post an update when it is done.

