Anyconnect connection with certificate error

iancresswell
Level 1

We are migrating from our ASA5520's to FPR-2110 for Anyconnect.

I have set up a standalone gateway which I can connect to and authenticate against using certificates.

I have another site where I am running the same config only there are two FPR-2110's there which are clustered and I cannot authenticate against these using certificates.

If I remove the need for certificates I can connect fine to the cluster.

Certificates are valid

Some debugs off the failing gateway:

Jan 30 2019 13:49:10: %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:A.B.C.D/14018 to A.B.E.F/443
Jan 30 2019 13:49:10: %ASA-6-725016: Device selects trust-point Public_New for client outside:A.B.C.D/14018 to A.B.E.F/443
Jan 30 2019 13:49:10: %ASA-7-725017: No certificates received during the handshake with client outside:A.B.C.D/14018 to A.B.E.F/443 for DTLSv1 session
Jan 30 2019 13:49:10: %ASA-6-725002: Device completed SSL handshake with client outside:A.B.C.D/14018 to A.B.E.F/443 for TLSv1.2 session
Jan 30 2019 13:49:10: %ASA-6-725007: SSL session with client outside:A.B.C.D/14018 to A.B.E.F/443 terminated
Jan 30 2019 13:49:11: %ASA-6-302014: Teardown TCP connection 53661 for outside:A.B.C.D/14018 to identity:A.B.E.F/443 duration 0:00:00 bytes 5559 TCP Reset-I from identity

I used the same client to connect to both gateways, works on one and not the other, configs are almost identical apart from the fact that one is a cluster.

7 Replies

iancresswell
Level 1

Just to add, when I do try to connect I get an error message "Certificate Validation Failure".

Are all your clocks synced up with NTP?

Yes, both appliances are in sync with NTP.

Rahul Govindan
VIP Alumni

How are you selecting the client certificate to be sent to the gateway? Do you have an AnyConnect client profile? If yes, is it configured with a cert matching criterion?

Without the profile, the way the client cert is chosen is dependent on the gateway certs. During SSL transaction, the gateway sends a cert request along with its own certificate. This tells the client to look for a certificate with the same issuer as the gateway. From your logs, it looks like the client does not send any certs, possibly because it did not find any. So this brings me to the question: Are the certs on both gateways issued by the same CA?
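The signal described above is visible in the poster's own debug output: message %ASA-7-725017 ("No certificates received during the handshake") for a session, followed by %ASA-6-725007 (session terminated). The following is an added example, not code from the thread or from Cisco, that groups those syslog lines per client/gateway pair and reports sessions where the gateway requested a client certificate but got none, together with the trust-point the gateway presented. The sample log is constructed from the lines quoted in the post, with the poster's A.B.C.D / A.B.E.F placeholders kept and one extra healthy session added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines from the post plus one session (A.B.C.E)
# in which the client did present a certificate, so it must not be flagged.
SAMPLE_LOG = """\
Jan 30 2019 13:49:10: %ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside:A.B.C.D/14018 to A.B.E.F/443
Jan 30 2019 13:49:10: %ASA-6-725016: Device selects trust-point Public_New for client outside:A.B.C.D/14018 to A.B.E.F/443
Jan 30 2019 13:49:10: %ASA-7-725017: No certificates received during the handshake with client outside:A.B.C.D/14018 to A.B.E.F/443 for DTLSv1 session
Jan 30 2019 13:49:10: %ASA-6-725002: Device completed SSL handshake with client outside:A.B.C.D/14018 to A.B.E.F/443 for TLSv1.2 session
Jan 30 2019 13:49:10: %ASA-6-725007: SSL session with client outside:A.B.C.D/14018 to A.B.E.F/443 terminated
Jan 30 2019 13:50:02: %ASA-6-725016: Device selects trust-point Public_New for client outside:A.B.C.E/20001 to A.B.E.F/443
Jan 30 2019 13:50:02: %ASA-6-725002: Device completed SSL handshake with client outside:A.B.C.E/20001 to A.B.E.F/443 for TLSv1.2 session
"""

# "Mon DD YYYY HH:MM:SS: %ASA-<sev>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} [\d:]{8}): %ASA-\d-(?P<msgid>\d+): (?P<text>.*)$")
# "client <iface>:<ip>/<port> to <ip>/<port>" identifies one SSL session
PEER_RE = re.compile(r"client (?P<cpeer>\S+/\d+) to (?P<gpeer>\S+/\d+)")
TP_RE = re.compile(r"selects trust-point (?P<tp>\S+) for")


def find_missing_client_certs(log_text):
    """Return {(client_peer, gateway_peer): details} for every session in which
    the gateway logged 725017, i.e. it asked for a client cert and got none."""
    sessions = defaultdict(lambda: {
        "first_seen": None, "trustpoint": None, "no_cert": False, "terminated": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        p = PEER_RE.search(m["text"]) if m else None
        if not p:
            continue  # not an SSL session message we track
        s = sessions[(p["cpeer"], p["gpeer"])]
        s["first_seen"] = s["first_seen"] or m["ts"]
        if m["msgid"] == "725016":      # which gateway cert was offered
            s["trustpoint"] = TP_RE.search(m["text"])["tp"]
        elif m["msgid"] == "725017":    # client returned an empty cert list
            s["no_cert"] = True
        elif m["msgid"] == "725007":    # session torn down
            s["terminated"] = True
    return {peer: s for peer, s in sessions.items() if s["no_cert"]}


if __name__ == "__main__":
    for (client, gw), s in find_missing_client_certs(SAMPLE_LOG).items():
        print(f"{s['first_seen']} {client} -> {gw}: no client cert "
              f"(gateway trust-point {s['trustpoint']}, terminated={s['terminated']})")
```

Seeing every session from a given client flagged this way, while the same client succeeds against another gateway, points at certificate selection on the client (profile or issuer match) rather than at an expired or invalid certificate.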

Yes, both gateways have certificates issued by our internal CA. I have double checked and both have the same root cert and a valid cert issued to the gateway.

As you say the client does not appear to be sending a cert.

The only difference between the two gateways is one is a standalone and the other is part of an HA pair.


Hi Ian,

Did you find the root cause of the issue?

Thanks

Sorry for the late reply.

I had to add an entry to the local XML profile on the Windows machine to include the new gateway. Once I did this and could select it from the drop-down list, the certificate errors went away.
