topic Re: Cisco AnyConnect falsely reports that Certificate has expired in Network Security

Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Tue, 21 May 2024 11:54:38 GMT

Hi everyone,

I have a client issue where they claim that Cisco AnyConnect falsely reports that Certificate has expired. When I connect with my own AnyConnect client version 4.10.05111, I do not get this false/positive error. Screenshot attached. Interestingly this has just started to manifest itself after we have changed the active ASA in the cluster. (2 ASA in cluster, active/passive)

Things that I have done/checked:

Checked the certificate string on both active and passive ASA. Both are valid
Told the client to change to a newer AnyConnect client version. Did not help
Told the client to uncheck "Block connections to untrusted servers" within AnyConnect. Did not help
Added this missing line to Cisco ASA: "crypto ikev2 remote-access trustpoint "CERT_NAME"". Did not help

I am at a roadblock and would appreciate if someone can give me some hints on what to check further. Keep in mind that I do not have a lot of experience with troubleshooting AnyConnect/certificate issues.

Please let me know what other information I need to share.

Regards,

Tibor

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Tue, 21 May 2024 12:27:18 GMT

have you checked / verified that the certificate the client is using is valid?

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Tue, 21 May 2024 12:37:31 GMT

Hi,

I have not asked them, but I assume they are using the correct one as they had no issues until ASA active change. Also if they are not using the correct certificate, they would not be able to connect after they click "Connect anyway", or am I wrong?

Regards,

Tibor

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Tue, 21 May 2024 12:57:19 GMT

When you say "ASA active change" do you mean a failover or replaced the active ASA?

Unless the certiicate being used is also for authenticating access, access to the ASA will be permitted even if the client has no certificate from the same CA. All that is required is that a certificate is allocated on the ASA internet facing interface for use with RA VPN.

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marvin Rhoads — Tue, 21 May 2024 15:22:56 GMT

Try having them check the FQDN used by AnyConnect in their browser. There you can inspect the actual certificate they are getting and validate the expiration date.

Re: Cisco AnyConnect falsely reports that Certificate has expired

Dustin Anderson — Tue, 21 May 2024 15:30:46 GMT

One other thing is to verify the time/date is correct on the client machine.

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Wed, 22 May 2024 05:36:02 GMT

I mean a failover.

How can I check for what is the certificate used on ASA? Which commands can I use? I can paste you the output here if needed. (with hiding sensitive info of course)

Thanks in advance.

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Wed, 22 May 2024 05:37:11 GMT

I don't think this would be an issue because everything worked before ASA failover. I will confirm the time with them to be 100% sure, but multiple clients have reported this issue right after we have done ASA failover.

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Wed, 22 May 2024 05:37:59 GMT

Do you maybe have a link to a how to guide on how this can be checked?

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Wed, 22 May 2024 06:55:14 GMT

show run crypto | in trustpoint !(look for output similar to "crypto ikev2 remote-access trustpoint <certificate>)

show crypto ca certificates <certificate> !(to see the certificate details)

You might also want to take a look at "show run webvpn" and "show run tunnel-group <anyconnect tunnel-group>" to see if there is something there that might be interfering (remember to replace <anyconnect tunnel-group with the actual tunnel group being used).

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Wed, 22 May 2024 07:22:53 GMT

Output of show run crypto | in trustpoint:

crypto ca trustpoint XYZ crypto ikev2 remote-access trustpoint XYZ

Output of show crypto ca certificates XYZ:

Certificate Status: Available Certificate Serial Number: xxxxxxxxxx Certificate Usage: General Purpose Public Key Type: RSA (2048 bits) Signature Algorithm: SHA256 with RSA Encryption Issuer Name: cn=Sectigo RSA Domain Validation Secure Server CA o=Sectigo Limited l=Salford st=Greater Manchester c=GB Subject Name: cn= "wildcard of the FQDN" Validity Date: start date: 02:00:00 CEDT Sep 14 2023 end date: 01:59:59 CEDT Oct 15 2024 Storage: config Associated Trustpoints: XYZ CA Certificate Status: Available Certificate Serial Number: xxxxxxxxxxxxx Certificate Usage: Signature Public Key Type: RSA (2048 bits) Signature Algorithm: SHA384 with RSA Encryption Issuer Name: cn=USERTrust RSA Certification Authority o=The USERTRUST Network l=Jersey City st=New Jersey c=US Subject Name: cn=Sectigo RSA Domain Validation Secure Server CA o=Sectigo Limited l=Salford st=Greater Manchester c=GB OCSP AIA: URL: http://ocsp.usertrust.com CRL Distribution Points: [1] http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl Validity Date: start date: 01:00:00 CEST Nov 2 2018 end date: 00:59:59 CEST Jan 1 2031 Storage: config Associated Trustpoints: XYZ

Output of show run webvpn:

webvpn enable "WAN INTERFACE" enable "MGMT INTERFACE" hsts enable max-age 31536000 include-sub-domains no preload anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1 anyconnect profiles "CLIENT PROFILE" disk0:/"CLIENT_PROFILE".xml anyconnect enable tunnel-group-list enable cache disable error-recovery disable

Output of show run tunnel-group <anyconnect tunnel-group>:

tunnel-group "name" type remote-access tunnel-group "name" general-attributes **bleep**-pool anyconnect authentication-server-group AAA-RADIUS default-group-policy GroupPolicy_"name" tunnel-group "name" webvpn-attributes group-alias "name" enable

I have noticed that the old certificate was listed under show run crypto | in trustpoint. I have now deleted it, maybe that was the culprit. I have told the client to check the situation now.

Do you see anything strange/weird in my config outputs?

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Wed, 22 May 2024 07:41:01 GMT

Nothing out of the ordinary here. From the looks of it you are using a wildcard certificate, so there should not be any FQDN naming issues. This leads me to believe that perhaps the root CA certificate on the client machines might be outdated. Would you be able to check this?

Re: Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic — Wed, 22 May 2024 07:49:26 GMT

Client has just confirmed that from their test machine everything seems fine now. Will confirm with all clients over the next 7 days. It started working when I removed the old certificate under the trustpoint. I will write a summary bellow of what has been done:

Added the new certificate trustpoint as it was never added:

crypto ikev2 remote-access trustpoint "NEW CERT"

No changes after this.

I have removed the old certificate trustpoint:

no crypto ikev2 remote-access trustpoint "OLD CERT"

After this it started working. Client test machine AnyConnect client does not report "Certificate has expired" any more.

One more thing I see is that the OLD CERT is still configured under ca trustpoint:

crypto ca trustpoint "OLD CERT"

Should this also be removed?

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Wed, 22 May 2024 08:14:46 GMT

Yes, remove the old certificate so that it does not clutter up the configuration.

Good to hear that things have started working!

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Thu, 23 May 2024 09:28:19 GMT

I understand that this is what you did to solve your issue, but please rate and select a correct answer for community contributors that helped you reach your final solution. These correct answers and ratings are the reward that we as contributors strive to get as they help us maintain our status within the community.

Re: Cisco AnyConnect falsely reports that Certificate has expired

Marius Gunnerud — Thu, 23 May 2024 10:25:02 GMT

Thank you for the rating.