ASA 5506x VPN Phone- Certificate Validation Error

Austin Lutz
Level 1

Has anyone had issues with using a self-signed certificate for VPN phones? After following this guide to a "T" I'm getting a certificate validation failure when I access the group-url I am using. 

Just to be clear, the phone has already registered to CUCM on the internal network before I took it to an outside network to test. Will be happy to post configs, but I'm just not sure where to go from here. Thanks!

5 Replies

Please post the ASA VPN configuration.

Mohammed,

Below is the configuration for the VPN phones. We are currently using this ASA for Remote Access VPN, trying to incorporate VPN phones as well. The certificate was generated on the ASA as a self-signed. When looking at the syslogs through ASDM, all I'm seeing is "SSL handshake failure"

Attached is a screenshot of the error

ssl trust-point ASDM_TrustPoint2 outside
ssl trust-point ASDM_TrustPoint2 inside
!
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.02011-k9.pkg 1 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-win-4.1.02011-k9.pkg 2
 anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 172.16.54.11
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value MYDOMAIN.com
!
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-alias SSL enable
 group-url https://vpn.MYDOMAIN.com/SSL enable
!
tunnel-group SSL ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint2
!
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=vpn.MYDOMAIN.com
 crl configure

This has been solved! My issue was actually 2 issues

1 being that the root certificate I was using on the ASA that was imported from CUCM was not correct. The documentation is kind of muddy about which one to use. If doing MIC, you should use Cisco Manufacturing CA SHA 2. After swapping that out, the SSL handshake completed.

http://www.cisco.com/security/pki/

Problem number 2 was a bit embarrassing. I noticed in the syslogs that the SSL handshake would complete and then immediately terminate the connection. This was from not setting my TFTP server manually.

Thanks Austin,

This was the only relevant support discussion for newer Cisco phones using Sha2 signed certs.

When I installed the SHA2 CA on the Cisco ASA I got

CA Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Cisco Root CA M2
    o=Cisco
  Subject Name:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  CRL Distribution Points:
    [1]  http://www.cisco.com/security/pki/crl/crcam2.crl
  Validity Date:
    start date: 07:50:58 cst Nov 12 2012
    end   date: 01:32:01 CDT Oct 7 1901
  Associated Trustpoints: Test1

Validity is messed up but still it worked!!!

Also for 8865/8845, you have to bypass the expressway sign-in before you attempt the VPN connection

I will type it out just in case someone else sees the same issue

To Bypass expressway signin (which says "service domain, username and password")

- Select the settings button, navigate to Network > IPv4, set Alternate TFTP to yes, and enter the TFTP Server 1 value (if not populated already). Once done it might ask you to erase the CTL file, which is fine.

Next time you boot up the phone it will bypass expressway and attempt the VPN connection directly.
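Both fixes in this thread come down to checking what the ASA actually holds in its trustpoint: the CA's subject must be the CA that issued the phone's MIC (here "Cisco Manufacturing CA SHA2"), the signature algorithm must be the SHA-2 one, and the validity dates the ASA prints should at least be sane. The script below is an added example, not code from the thread or from Cisco: it parses the "show crypto ca certificates" block quoted above (embedded as constructed sample input) and reports the findings an admin would want before trusting the CA. The expected CA name and the sample phone-certificate issuer DN in the usage are assumptions taken from the thread, not values read from a real phone.

```python
import re
from datetime import datetime

# Constructed sample input: the ASA "show crypto ca certificates" block
# quoted earlier in this thread, embedded so the script runs offline.
ASA_CERT_OUTPUT = """CA Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Cisco Root CA M2
    o=Cisco
  Subject Name:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  CRL Distribution Points:
    [1]  http://www.cisco.com/security/pki/crl/crcam2.crl
  Validity Date:
    start date: 07:50:58 cst Nov 12 2012
    end   date: 01:32:01 CDT Oct 7 1901
  Associated Trustpoints: Test1
"""

_SECTIONS = ("Issuer Name:", "Subject Name:", "Validity Date:", "CRL Distribution Points:")
_DATE_RE = re.compile(r"(\d\d:\d\d:\d\d)\s+\S+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})")


def parse_asa_date(text):
    """Parse an ASA timestamp such as '07:50:58 cst Nov 12 2012'.
    The zone token is dropped: strptime's %Z rejects most abbreviations."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError("unrecognised ASA date: %r" % text)
    hms, mon, day, year = m.groups()
    return datetime.strptime("%s %s %s %s" % (hms, mon, day, year), "%H:%M:%S %b %d %Y")


def parse_asa_certificate(output):
    """Turn one 'show crypto ca certificates' block into a dict.
    Lines under 'Issuer Name:' / 'Subject Name:' are DN attributes (cn=, o=),
    'Validity Date:' carries start/end, everything else is 'Key: value'."""
    cert = {"issuer": {}, "subject": {}, "crl": []}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in _SECTIONS:
            section = line[:-1]
            continue
        if section in ("Issuer Name", "Subject Name") and "=" in line and not line.endswith(":"):
            key, _, value = line.partition("=")
            cert["issuer" if section == "Issuer Name" else "subject"][key.strip().lower()] = value.strip()
            continue
        if section == "Validity Date" and line.startswith("start date:"):
            cert["not_before"] = parse_asa_date(line)
            continue
        if section == "Validity Date" and line.startswith("end") and "date:" in line:
            cert["not_after"] = parse_asa_date(line)
            continue
        if section == "CRL Distribution Points" and line.startswith("["):
            cert["crl"].append(line.split(None, 1)[1])
            continue
        section = None  # any other 'Key: value' line ends the current section
        key, sep, value = line.partition(":")
        if sep:
            cert[key.strip().lower().replace(" ", "_")] = value.strip()
    return cert


def audit_ca_certificate(cert, expected_subject_cn):
    """Findings an admin wants before trusting this CA for VPN-phone auth:
    wrong issuing CA, non-SHA-256 signature, or a validity window the ASA
    printed as ending before it starts (as in the thread's 1901 end date)."""
    findings = []
    subject_cn = cert["subject"].get("cn", "")
    if subject_cn.casefold() != expected_subject_cn.casefold():
        findings.append("subject CN %r is not the expected %r; the phone certificate's "
                        "issuer must match this CA" % (subject_cn, expected_subject_cn))
    sig = cert.get("signature_algorithm", "")
    if "SHA256" not in sig.upper().replace("-", ""):
        findings.append("signature algorithm %r is not SHA-256" % sig)
    nb, na = cert.get("not_before"), cert.get("not_after")
    if nb and na and na <= nb:
        findings.append("validity end %s precedes start %s; the displayed dates cannot be "
                        "trusted, confirm them with 'openssl x509 -noout -dates'" % (na.date(), nb.date()))
    return findings


def issuer_matches(leaf_issuer, ca_cert):
    """True when the leaf's Issuer DN equals the CA's Subject DN attribute for
    attribute, which is what the ASA trustpoint needs for certificate auth."""
    return {k.lower(): v for k, v in leaf_issuer.items()} == ca_cert["subject"]


if __name__ == "__main__":
    ca = parse_asa_certificate(ASA_CERT_OUTPUT)
    # Assumed phone-certificate issuer DN (constructed for the demo).
    phone_issuer = {"CN": "Cisco Manufacturing CA SHA2", "O": "Cisco"}
    print("phone cert chains to this CA:", issuer_matches(phone_issuer, ca))
    for finding in audit_ca_certificate(ca, "Cisco Manufacturing CA SHA2"):
        print("finding:", finding)
```

Run against the quoted output, the only finding is the inverted validity window; pointing the audit at the SHA-1 "Cisco Manufacturing CA" instead reports the subject mismatch that produced the original "SSL handshake failure".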