04-22-2015 11:30 AM - edited 03-11-2019 10:49 PM
This an opportunity to learn about Cisco SSL VPN feature, clientless VPN and Anyconnect remote access client with Mohammad Alhyari.
Monday, April 27th, 2015 to Friday, May 8th, 2015
Mohammad Alhyari is a customer support engineer at the Cisco Technical assistance center in Krakow, Poland. CCIE security #35093 with over 5 years of experience in the security team. Mohammed's area of expertise is security, including VPN, SSL VPN, and IPSEC VPN on the Cisco IOS and Cisco ASA platforms.
Find other https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions
05-01-2015 08:54 AM
Thanks Marvin for your comments. And Ronald if you have not configured your router for anyconnect then here is a good example to start with :
As Marvin mentioned these are two different client and you have to setup your router for anyconnect.
05-01-2015 12:17 PM
I have a ASA5505. I am failing on my PCI compliancy tests because my device only supports TLSv1.0. I needs to support TLSv1.1 or 1.2 Does anyone know how I can fix this? Is there a software upgrade?
05-01-2015 05:10 PM
Thanks a lot for sharing the question here . Unfortunately TLS1.1 and TLS1.2 are not available for the legacy ASA models listed below :
it is available on the ASA next generation firewalls 5500-X starting with the software version 9.3.2:
"We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSVPN, and AnyConnect VPN."
05-02-2015 03:22 AM
I have a Cisco 2851 Adventerprise-k9 with the latest cisco anyconnect pkg installed on the router. I am able to get everything to work fine as far as connecting to my private network but I would like to change the self signed cert for one that was purchased from a third party that I would like to insert into the router to make the untrusted servers pop ups go away. Can you provide me with any insight on how to install those 4 certs they provided me with as to how to get them on the router.
05-02-2015 08:38 AM
Hi Mathew ,
For Certificates you have two types :
identity certificate : A certificate that is issued to the device .
CA/Sub-CA certificates: A certificate authority that signs certificate for end points .
Since that you mentioned you have 4 certificates then i'm assuming that you have a chain of certificates . Now to install the certificates let us look at this example :
On cisco Routers and ASAs the certificate is installed in a containter that is called Trustpoint ,one trustpoint contains an identity certificate and another CA certificate Please see the following for the steps to install certificates :
1-if the CSR was generated on the router itself then :
a) authenticate the trustpoint (install the CA certificate) :
crypto pki authenticate <trustpoint name>
<<paste the CA certificate encoded using Base64 PEM>>
b)Import the identity certificate :
crypto pki import <trustpoint name> certificates
2- if the CSR was generated externally then most probably they provided you with a p12/pfx file . and in this case you need to use this command :
cry pki import trustpoint-name pkcs12 terminal pass
you dont need to create the trustpoints, the router will do it automatically .
Finally, you need to configure the ssl gateway to user that trustpoint :
05-06-2015 11:12 AM
We're using anyconnect 4.0 (Linux) to create a certificate based SSL VPN to an ASA 5515-x running 9.2.1. It's working fine and negotiating TLSv1.0 as the protocol.
We need to upgrade the ASA to 9.3.2 to use TLSv1.2 but when we've tried this, the client software displays the Certificate Validation Error message. There is nothing obvious in the logs of the ASA or the client as to why this is failing; we're using the same certificates that work on 9.2.1, and the SSL VPN reconnects fine if we downgrade from 9.3.2 back to 9.2.1.
The client and ASA certificates are RSA 2048 SHA1.
Any thoughts as to why TLSv1.2 negotiation is failing? Is there a way to force the VPN to use TLSv1.0 so that we can upgrade the ASA without breaking the VPN?
05-06-2015 12:49 PM
Several users have reported an issue similar to yours when upgrading to 9.3 and 9.4. Please see this thread for some workarounds (which are noted in the 9.4 release notes)
05-07-2015 01:40 AM
Hi Marvin, Thanks for the reply. I tried the ssl config and steps outlined but it didn't work unfortunately. I tried on 9.4 as well without success.
If we use anyconnect 3.1 the SSL VPN works successfully against 9.3.2 and 9.4, but only at TLS v1.0, and we're trying to get TLS v1.2 working. At least this allows us to upgrade the ASA and have a workaround that lets clients connect for the time being.
05-06-2015 02:58 PM
Hi Charlie ,
Thank you very much for sharing your concerns .
I would like to start with the following :
This is what have been added with 9.4 :
Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
But you mentioned you upgraded to 9.3.2 which reminds me with this defect :
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Fore more info :
You should see this in the logs :
%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."
The following will be useful to get a closer look at what is happening :
1- Packet captures on the ASA for SSL traffic between the client and the ASA in pcap format .
will show what ciphers are we negotiating . what level of the ssl protocol we are reaching . which certs are being sent .
2- ASA logs .
3- Show ssl errors
4- debug cry ca 255 // to see if the client is really sending a cert to the ASA .
5- if you connect from the browser does it work ?
6- a Dart output from the client .
7- Does it work from a windows machine if you have it available .
05-07-2015 03:05 AM
The pcap shows that the ASA sends its certificate to the client, but the client doesn't send its certificate back to the ASA. The ASA is choosing AES256-SHA as the cipher and the only protocol attempted is TLSv1.2.
The ASA logs/debug cry ca 255 backup the pcap information; the client isn't sending its certificate to the ASA and the ASA is negotiating AES256-SHA TLSv1.2.
I've installed the root and sub CA successfully so If I connect via a browser, the browser accepts the ASA certificate and the log in page is displayed. When I log in I get the Certificate Validation Failure message.
I've run a dart output on the client but I'm struggling to see anything useful - where should I be looking?
I don't have a windows machine available unfortunately.
05-07-2015 11:32 AM
Hi Charlie ,
if the client is not sending the certificate . Then let us see what is the ASA requesting :
you should see a certificate request sent by the ASA with a list of the distinguished names that it trusts .
Do you have the pcap captures?
05-07-2015 01:02 PM
Unfortunately I wasn't able to get the captures today and can't get them until tomorrow (0630 UTC), and I'm guessing that this ask the expert feature will have closed before you get a chance to look at them?
Perhaps you could give me a couple of pointers on the following -
Can we negotiate a TLSv1.2 SSL VPN using RSA 2048 SHA1 certificates, or do we need to generate certificates using something like SHA256?
We're not using any connect profiles. I've read a post says that if profiles aren't used then the certificates need to have
Key Usage attributes: Digital Signature, Key Encipherment.
Enhanced Key Usage attributes: Client Authentication
I've done this on the client certificates but not the ASA certificate; do they need to be set on the ASA certificate?
The ASA isn't showing any errors, but the client logs say that no valid certificates can be found in the certificate store. If I downgrade the ASA then the certificates can be used to successfully form the VPN, so I'm at a loss as to why they are ok for TLSv1 but not TLSv1.2 so any other things you can suggest to try/investigate would be much appreciated!
05-07-2015 01:01 AM
Dear Mohammad Alhyari, i hope you will be doing fine,
I have made a VPN connection in windows server 2008 r2, it is working fine when i connected it from inside the network, but outside it is not connecting, please help me that what process should i follow to open the ports in ASA through ASDM,
05-07-2015 11:37 AM
Hi Mazahir ,
Thanks for the participation . The discussion we are having here is for the vpn terminated on the ASA and it looks like in your case the vpn is passing through the ASA to the MS server . I'm not a FW expert but i will try to highlight the few important points :
For SSL VPNs the port is 443 .
For IPSEC usually we deal with :
UDP 500 -- > Isakmp
UDP 4500 -> Nat Traversal
IP protocol 50 - > ESP - Data tunneling
You need to ensure that the server is statically natted on the ASA and that on your server/client NAt-T is enabled .
If that didn't help i suggest to post a thread in the Firewall section .
05-07-2015 03:22 AM
(as you know, by now...) we run the following ASA webvpn setup
- ssl portal support
- anyconnect support
- ldap user authentication with ldap attribute map
- about one hundred DAP
- portal customizations
- smart tunnel
based on a 2 x ASA5510 9.1(5) platform in an active/standby deployment.
For some reason we're committed to migrate this solution to ASAv 9.4
- we got a 9.4(1) image (asa941-smp-k8.bin) but which is the latest recommended ASAv version for production environment?
- which would be an efficient strategy to migrate the "xml" part of the original configuration, mainly the DAP database but everything is exportable, ain't appearing in the "show run"? We're afraid to get into typos manually re-creating all the DAPs.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: