05-21-2024 04:54 AM
Hi everyone,
I have a client issue where they claim that Cisco AnyConnect falsely reports that the certificate has expired. When I connect with my own AnyConnect client version 4.10.05111, I do not get this false positive error. Screenshot attached. Interestingly, this has just started to manifest itself after we changed the active ASA in the cluster (2 ASAs in cluster, active/passive).
Things that I have done/checked:
I am at a roadblock and would appreciate if someone can give me some hints on what to check further. Keep in mind that I do not have a lot of experience with troubleshooting AnyConnect/certificate issues.
Please let me know what other information I need to share.
Regards,
Tibor
05-21-2024 05:27 AM
Have you checked / verified that the certificate the client is using is valid?
05-21-2024 05:37 AM
Hi,
I have not asked them, but I assume they are using the correct one as they had no issues until ASA active change. Also if they are not using the correct certificate, they would not be able to connect after they click "Connect anyway", or am I wrong?
Regards,
Tibor
05-21-2024 05:57 AM
When you say "ASA active change" do you mean a failover or replaced the active ASA?
Unless the certificate being used is also for authenticating access, access to the ASA will be permitted even if the client has no certificate from the same CA. All that is required is that a certificate is allocated on the ASA internet-facing interface for use with RA VPN.
05-21-2024 10:36 PM
I mean a failover.
How can I check which certificate is used on the ASA? Which commands can I use? I can paste the output here if needed (hiding sensitive info, of course).
Thanks in advance.
05-21-2024 11:55 PM
show run crypto | in trustpoint !(look for output similar to "crypto ikev2 remote-access trustpoint <certificate>)
show crypto ca certificates <certificate> !(to see the certificate details)
You might also want to take a look at "show run webvpn" and "show run tunnel-group <anyconnect tunnel-group>" to see if there is something there that might be interfering (remember to replace <anyconnect tunnel-group> with the actual tunnel group being used).
05-22-2024 12:22 AM
Output of show run crypto | in trustpoint:
crypto ca trustpoint XYZ
crypto ikev2 remote-access trustpoint XYZ
Output of show crypto ca certificates XYZ:
Certificate
  Status: Available
  Certificate Serial Number: xxxxxxxxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Sectigo RSA Domain Validation Secure Server CA
    o=Sectigo Limited
    l=Salford
    st=Greater Manchester
    c=GB
  Subject Name:
    cn="wildcard of the FQDN"
  Validity Date:
    start date: 02:00:00 CEDT Sep 14 2023
    end date: 01:59:59 CEDT Oct 15 2024
  Storage: config
  Associated Trustpoints: XYZ
CA Certificate
  Status: Available
  Certificate Serial Number: xxxxxxxxxxxxx
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA384 with RSA Encryption
  Issuer Name:
    cn=USERTrust RSA Certification Authority
    o=The USERTRUST Network
    l=Jersey City
    st=New Jersey
    c=US
  Subject Name:
    cn=Sectigo RSA Domain Validation Secure Server CA
    o=Sectigo Limited
    l=Salford
    st=Greater Manchester
    c=GB
  OCSP AIA:
    URL: http://ocsp.usertrust.com
  CRL Distribution Points:
    [1] http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
  Validity Date:
    start date: 01:00:00 CEST Nov 2 2018
    end date: 00:59:59 CEST Jan 1 2031
  Storage: config
  Associated Trustpoints: XYZ
Output of show run webvpn:
webvpn
 enable "WAN INTERFACE"
 enable "MGMT INTERFACE"
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1
 anyconnect profiles "CLIENT PROFILE" disk0:/"CLIENT_PROFILE".xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
Output of show run tunnel-group <anyconnect tunnel-group>:
tunnel-group "name" type remote-access
tunnel-group "name" general-attributes
 address-pool anyconnect
 authentication-server-group AAA-RADIUS
 default-group-policy GroupPolicy_"name"
tunnel-group "name" webvpn-attributes
 group-alias "name" enable
I have noticed that the old certificate was listed under show run crypto | in trustpoint. I have now deleted it, maybe that was the culprit. I have told the client to check the situation now.
Do you see anything strange/weird in my config outputs?
05-22-2024 12:41 AM
Nothing out of the ordinary here. From the looks of it you are using a wildcard certificate, so there should not be any FQDN naming issues. This leads me to believe that perhaps the root CA certificate on the client machines might be outdated. Would you be able to check this?
05-22-2024 12:49 AM
Client has just confirmed that from their test machine everything seems fine now. Will confirm with all clients over the next 7 days. It started working when I removed the old certificate under the trustpoint. I will write a summary below of what has been done:
Added the new certificate trustpoint as it was never added:
crypto ikev2 remote-access trustpoint "NEW CERT"
No changes after this.
I have removed the old certificate trustpoint:
no crypto ikev2 remote-access trustpoint "OLD CERT"
After this it started working. Client test machine AnyConnect client does not report "Certificate has expired" any more.
One more thing I see is that the OLD CERT is still configured under ca trustpoint:
crypto ca trustpoint "OLD CERT"
Should this also be removed?
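Added example, not from the thread or from Cisco: a small Python parser for the two show outputs used above ("show run crypto | in trustpoint" and "show crypto ca certificates") that lists every trustpoint bound with "crypto ikev2 remote-access trustpoint" and flags any whose identity certificate is already expired, which is the situation the summary describes (old and new trustpoints both bound, the old one expired). The OLDCERT name and the sample validity dates are constructed; the XYZ dates follow the output posted above.

```python
import re
from datetime import datetime

# Constructed: "show run crypto | in trustpoint" with the old and the new trustpoint both bound.
RUN_CRYPTO = """\
crypto ca trustpoint OLDCERT
crypto ca trustpoint XYZ
crypto ikev2 remote-access trustpoint OLDCERT
crypto ikev2 remote-access trustpoint XYZ
"""

# Constructed: "show crypto ca certificates" for both trustpoints, CA certificate blocks omitted.
CA_CERTS = """\
Certificate
  Status: Available
  Validity Date:
    start date: 02:00:00 CEDT Sep 14 2022
    end date: 01:59:59 CEDT Oct 15 2023
  Associated Trustpoints: OLDCERT
Certificate
  Status: Available
  Validity Date:
    start date: 02:00:00 CEDT Sep 14 2023
    end date: 01:59:59 CEDT Oct 15 2024
  Associated Trustpoints: XYZ
"""

def remote_access_trustpoints(run_crypto):
    """Trustpoints bound with 'crypto ikev2 remote-access trustpoint', in config order."""
    return re.findall(r"^crypto ikev2 remote-access trustpoint (\S+)", run_crypto, re.M)

def certificate_end_dates(ca_certs):
    """Map trustpoint -> 'end date' of its identity certificate ('CA Certificate' blocks skipped)."""
    ends = {}
    for block in re.split(r"^(?=Certificate$|CA Certificate$)", ca_certs, flags=re.M):
        if not block.startswith("Certificate"):
            continue  # skips the empty leading chunk and the CA certificate blocks
        end = re.search(r"end date: \d\d:\d\d:\d\d \S+ (\w+ \d+ \d{4})", block)
        tp = re.search(r"Associated Trustpoints: (\S+)", block)
        if end and tp:  # the ASA timezone label is dropped; day precision is enough here
            ends[tp.group(1)] = datetime.strptime(end.group(1), "%b %d %Y")
    return ends

def expired_bound_trustpoints(run_crypto, ca_certs, today):
    """Bound remote-access trustpoints whose certificate has expired by 'today' (e.g. 'May 22 2024')."""
    now = datetime.strptime(today, "%b %d %Y")
    ends = certificate_end_dates(ca_certs)
    return [tp for tp in remote_access_trustpoints(run_crypto)
            if tp in ends and ends[tp] < now]
```

Any name returned by expired_bound_trustpoints is a trustpoint that is still bound for remote access with an expired certificate, which is exactly what the "no crypto ikev2 remote-access trustpoint" step above removed.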
05-22-2024 01:14 AM
Yes, remove the old certificate so that it does not clutter up the configuration.
Good to hear that things have started working!
05-23-2024 02:28 AM
I understand that this is what you did to solve your issue, but please rate and select a correct answer for community contributors that helped you reach your final solution. These correct answers and ratings are the reward that we as contributors strive to get as they help us maintain our status within the community.
05-23-2024 03:25 AM
Thank you for the rating.
05-21-2024 08:22 AM
Try having them check the FQDN used by AnyConnect in their browser. There you can inspect the actual certificate they are getting and validate the expiration date.
05-21-2024 10:37 PM
Do you maybe have a link to a how to guide on how this can be checked?
05-21-2024 08:30 AM
One other thing is to verify the time/date is correct on the client machine.