Cisco AnyConnect falsely reports that Certificate has expired

tibor-mraovic
Level 1

Hi everyone,

I have a client issue where they claim that Cisco AnyConnect falsely reports that the certificate has expired. When I connect with my own AnyConnect client version 4.10.05111, I do not get this false-positive error. Screenshot attached. Interestingly, this has just started to manifest itself after we changed the active ASA in the cluster (2 ASAs in the cluster, active/passive).


Things that I have done/checked:

  • Checked the certificate string on both active and passive ASA. Both are valid
  • Told the client to change to a newer AnyConnect client version. Did not help
  • Told the client to uncheck "Block connections to untrusted servers" within AnyConnect. Did not help
  • Added this missing line to Cisco ASA: "crypto ikev2 remote-access trustpoint "CERT_NAME"". Did not help

I am at a roadblock and would appreciate if someone can give me some hints on what to check further. Keep in mind that I do not have a lot of experience with troubleshooting AnyConnect/certificate issues.

Please let me know what other information I need to share.

Regards,

Tibor


have you checked / verified that the certificate the client is using is valid?

--
Please remember to select a correct answer and rate helpful posts

tibor-mraovic
Level 1

Hi,

I have not asked them, but I assume they are using the correct one as they had no issues until the ASA active change. Also, if they are not using the correct certificate, they would not be able to connect after they click "Connect anyway", or am I wrong?

Regards,

Tibor

When you say "ASA active change" do you mean a failover or replaced the active ASA?

Unless the certificate being used is also for authenticating access, access to the ASA will be permitted even if the client has no certificate from the same CA. All that is required is that a certificate is allocated on the ASA internet-facing interface for use with RA VPN.

--
Please remember to select a correct answer and rate helpful posts

I mean a failover.

How can I check which certificate is used on the ASA? Which commands can I use? I can paste the output here if needed (with sensitive info hidden, of course).

Thanks in advance.

show run crypto | in trustpoint   !(look for output similar to "crypto ikev2 remote-access trustpoint <certificate>)

show crypto ca certificates <certificate>   !(to see the certificate details)

You might also want to take a look at "show run webvpn" and "show run tunnel-group <anyconnect tunnel-group>" to see if there is something there that might be interfering (remember to replace <anyconnect tunnel-group> with the actual tunnel group being used).

 

--
Please remember to select a correct answer and rate helpful posts

Output of show run crypto | in trustpoint:

crypto ca trustpoint XYZ
crypto ikev2 remote-access trustpoint XYZ

Output of show crypto ca certificates XYZ:

Certificate
  Status: Available
  Certificate Serial Number: xxxxxxxxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Sectigo RSA Domain Validation Secure Server CA
    o=Sectigo Limited
    l=Salford
    st=Greater Manchester
    c=GB
  Subject Name:
    cn= "wildcard of the FQDN"
  Validity Date:
    start date: 02:00:00 CEDT Sep 14 2023
    end   date: 01:59:59 CEDT Oct 15 2024
  Storage: config
  Associated Trustpoints: XYZ

CA Certificate
  Status: Available
  Certificate Serial Number: xxxxxxxxxxxxx
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA384 with RSA Encryption
  Issuer Name:
    cn=USERTrust RSA Certification Authority
    o=The USERTRUST Network
    l=Jersey City
    st=New Jersey
    c=US
  Subject Name:
    cn=Sectigo RSA Domain Validation Secure Server CA
    o=Sectigo Limited
    l=Salford
    st=Greater Manchester
    c=GB
  OCSP AIA:
    URL: http://ocsp.usertrust.com
  CRL Distribution Points:
    [1]  http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
  Validity Date:
    start date: 01:00:00 CEST Nov 2 2018
    end   date: 00:59:59 CEST Jan 1 2031
  Storage: config
  Associated Trustpoints: XYZ

Output of show run webvpn:

webvpn
 enable "WAN INTERFACE"
 enable "MGMT INTERFACE"
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1
 anyconnect profiles "CLIENT PROFILE" disk0:/"CLIENT_PROFILE".xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

Output of show run tunnel-group <anyconnect tunnel-group>:

tunnel-group "name" type remote-access
tunnel-group "name" general-attributes
 address-pool anyconnect
 authentication-server-group AAA-RADIUS
 default-group-policy GroupPolicy_"name"
tunnel-group "name" webvpn-attributes
 group-alias "name" enable

I have noticed that the old certificate was listed under show run crypto | in trustpoint. I have now deleted it, maybe that was the culprit. I have told the client to check the situation now.

Do you see anything strange/weird in my config outputs?

Nothing out of the ordinary here. From the looks of it you are using a wildcard certificate, so there should not be any FQDN naming issues.  This leads me to believe that perhaps the root CA certificate on the client machines might be outdated.  Would you be able to check this?

--
Please remember to select a correct answer and rate helpful posts

Client has just confirmed that from their test machine everything seems fine now. Will confirm with all clients over the next 7 days. It started working when I removed the old certificate under the trustpoint. I will write a summary below of what has been done:

Added the new certificate trustpoint as it was never added:

crypto ikev2 remote-access trustpoint "NEW CERT"

No changes after this.

I have removed the old certificate trustpoint:

no crypto ikev2 remote-access trustpoint "OLD CERT"

After this it started working. Client test machine AnyConnect client does not report "Certificate has expired" any more.

One more thing I see is that the OLD CERT is still configured under ca trustpoint:

crypto ca trustpoint "OLD CERT"

Should this also be removed?
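The root cause summarised above (a second, expired certificate still bound with "crypto ikev2 remote-access trustpoint") can be caught by parsing the two show outputs posted earlier in the thread. The script below is an added example written for this thread, not code from Cisco or the poster; it works on constructed sample output with placeholder trustpoint names and dates, and assumes only that the "end date" and "Associated Trustpoints" lines keep the format shown above.

```python
import re
from datetime import datetime
# Constructed sample modelled on the outputs posted in this thread (placeholder names/dates).
SHOW_RUN_CRYPTO = """\
crypto ikev2 remote-access trustpoint OLD_CERT
crypto ikev2 remote-access trustpoint XYZ
"""
SHOW_CA_CERTS = """\
Certificate
  Validity Date:
    end   date: 01:59:59 CEDT Oct 15 2023
  Associated Trustpoints: OLD_CERT
Certificate
  Validity Date:
    end   date: 01:59:59 CEDT Oct 15 2024
  Associated Trustpoints: XYZ
CA Certificate
  Validity Date:
    end   date: 00:59:59 CEST Jan 1 2031
  Associated Trustpoints: OLD_CERT XYZ
"""
DATE_FMT = "%b %d %Y"  # the trailing 'Mon D YYYY' of an ASA validity line

def parse_end_dates(text):
    """Map trustpoint -> identity-certificate end date; 'CA Certificate' blocks are skipped."""
    ends = {}
    for block in re.split(r"\n(?=\S)", text.strip()):
        if not block.startswith("Certificate"):
            continue
        m_end = re.search(r"end\s+date:\s+\S+\s+\S+\s+(.+)", block)  # skip time and zone tokens
        m_tp = re.search(r"Associated Trustpoints:\s*(.+)", block)
        if m_end and m_tp:
            for tp in m_tp.group(1).split():
                ends[tp] = datetime.strptime(m_end.group(1).strip(), DATE_FMT)
    return ends

def audit_ikev2_trustpoints(run_crypto, ca_certs, today):
    """Status of each trustpoint bound with 'crypto ikev2 remote-access trustpoint'; today as 'Mon D YYYY'."""
    ends = parse_end_dates(ca_certs)
    now = datetime.strptime(today, DATE_FMT)
    report = {}
    for tp in re.findall(r"^crypto ikev2 remote-access trustpoint (\S+)", run_crypto, re.M):
        end = ends.get(tp)
        if end is None:
            report[tp] = "no identity certificate in trustpoint"
        elif end < now:
            report[tp] = f"EXPIRED {end:%Y-%m-%d}; remove with: no crypto ikev2 remote-access trustpoint {tp}"
        else:
            report[tp] = f"valid until {end:%Y-%m-%d}"
    return report
```

Run it against the output of both units in the failover pair; a trustpoint that is bound on one unit but missing or expired on the other explains why the symptom appeared only after the failover.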

Yes, remove the old certificate so that it does not clutter up the configuration.

Good to hear that things have started working!

--
Please remember to select a correct answer and rate helpful posts

I understand that this is what you did to solve your issue, but please rate and select a correct answer for community contributors that helped you reach your final solution.  These correct answers and ratings are the reward that we as contributors strive to get as they help us maintain our status within the community.

--
Please remember to select a correct answer and rate helpful posts

Thank you for the rating.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads
Hall of Fame

Try having them check the FQDN used by AnyConnect in their browser. There you can inspect the actual certificate they are getting and validate the expiration date.

Do you maybe have a link to a how to guide on how this can be checked?

One other thing is to verify the time/date is correct on the client machine.
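The client-side check suggested above, as an added example that is not from the thread's authors: a verified TLS handshake to the headend FQDN reports the certificate the ASA actually presents (expiry, SAN coverage of the name the client uses), and on failure the OpenSSL verify reason, which separates a real "certificate has expired" from an outdated root store or a name mismatch. The FQDN vpn.example.net is a placeholder, and the wildcard matcher is our own because ssl.match_hostname was removed in Python 3.12.

```python
import socket
import ssl
from datetime import datetime, timezone

def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: '*' covers exactly one leftmost DNS label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def name_covered(san_dns_names, hostname):
    """True if any SAN DNS entry (wildcard or exact) covers the FQDN the client connects to."""
    return any(wildcard_matches(n, hostname) for n in san_dns_names)

def check_presented_cert(hostname, port=443, now=None):
    """Verified TLS handshake to the headend; reports what it actually presents.

    On success: notAfter, days_left and SAN coverage. On failure: the OpenSSL
    verify reason (e.g. 'certificate has expired', 'unable to get local issuer
    certificate' for an outdated root store, 'Hostname mismatch')."""
    ctx = ssl.create_default_context()  # OS trust store, hostname check enabled
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": e.verify_message}
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    now = now or datetime.now(timezone.utc)
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"ok": True, "notAfter": not_after.isoformat(), "days_left": (not_after - now).days,
            "san": dns_names, "name_covered": name_covered(dns_names, hostname)}

if __name__ == "__main__":
    import json
    # Placeholder FQDN; replace with the headend name configured in the AnyConnect profile.
    print(json.dumps(check_presented_cert("vpn.example.net"), indent=2))
```

Run it from the affected client and from a machine that works; a client clock set in the future fails with the same "certificate has expired" reason against a perfectly valid certificate, which is the date/time check mentioned above.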
