12-20-2024 02:03 AM
Hi Guys
I am having an issue authenticating users on our AnyConnect to our LDAP servers.
The users and groups show on the realm in CDO and the test to the server connects successfully.
The issue arises when I try to log into AnyConnect: I put in the password and it just fails.
I have done a debug on the firewall and I am seeing the below:
%FTD-7-725013: SSL server inside:172.24.35.2/28482 to 172.24.32.50/636 chooses cipher ECDHE-RSA-AES256-GCM-SHA384
%FTD-7-717025: Validating certificate chain containing 2 certificate(s).
%FTD-7-717029: Identified client certificate within certificate chain. serial number: XXXXXXXXXXXXXXXXXX, subject name: CN=DC01.XXX
%FTD-3-717009: Certificate validation failed. serial number: 4000000006F7AC1F67376FB64D000000000006, subject name: CN=XXX-Issuing-CA,DC=XXX,DC=XXX.
%FTD-3-717027: Certificate chain failed validation. Generic validation failure occurred.
%FTD-7-725014: SSL lib error. Function: tls_process_client_certificate Reason: certificate verify failed
%FTD-6-113014: AAA authentication server not accessible : server = 172.24.32.50 : user = *****
%FTD-2-113022: AAA Marking LDAP server XXX in aaa-server group XXX as FAILED
%FTD-2-113023: AAA Marking LDAP server 172.24.32.50 in aaa-server group XXX as ACTIVE
%FTD-6-302014: Teardown TCP connection 942107 for inside:172.24.32.50/636 to identity:172.24.35.2/28482 duration 0:00:00 bytes 438 TCP Reset-O from identity
%FTD-7-711001: [107] TLS Connection to LDAP server: ldaps://172.24.32.50:636, status = Failed
%FTD-7-710005: TCP request discarded from 172.24.32.50/636 to inside:172.24.35.2/28482
%FTD-7-711001: [107] Unable to read rootDSE. Can't contact LDAP server.
%FTD-7-711001: callback_aaa_task: status = -3, msg =
%FTD-7-711001: [67] AAA FSM: In aaa_backend_callback
%FTD-7-711001: aaa_backend_callback: Handle = 67, pAcb = 0x000014b4eacf7640
%FTD-7-711001: [107] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
%FTD-7-711001: [107] Session End
%FTD-7-711001: AAA task: aaa_process_msg(0x000014b4c56e5b10) received message type 1
%FTD-7-711001: [67] AAA FSM: In AAA_ProcSvrResp
Can anyone help here please? I am really struggling to sort this
12-20-2024 02:18 AM
@carl_townshend from your logs "%FTD-3-717009: Certificate validation failed."
Do both the FTD and anyconnect clients trust the CA? For the FTD you will need to create a trustpoint with the Inter/Root CA and enrol on the FTD. The anyconnect client will need to have the Inter/Root CA distributed by GPO.
https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs8.html
Error Message %FTD-3-717009: Certificate validation failed. Reason: reason_string.
Explanation A certificate validation failed, which might be caused by a validation attempt of a revoked certificate, invalid certificate attributes, or configuration issues.
reason_string —The reason that the certificate validation failed
Recommended Action Make sure the configuration has a valid trustpoint configured for validation if the reason indicates that no suitable trustpoints were found. Check the Secure Firewall Threat Defense device time to ensure that it is accurate relative to the certificate authority time. Check the reason for the failure and correct any issues that are indicated. If certificate validation fails due to the CA key size being too small or a weak crypto being used, you can use the enable weak crypto option for the device in the management center to override these restrictions.
12-20-2024 02:58 AM
Hi Rob
The FTD has a public cert applied for the AnyConnect clients to connect from outside.
I have also added the internal root CA cert to it for our internal domain, this is where the LDAP server sits.
I think the issue is somewhere with the internal cert when talking to the internal LDAP server.
As you can see below, there are 2 certs applied to the FTD, one public for AnyConnect, the other one is the internal CA root for the LDAP.
What am I missing here ?
12-20-2024 03:28 AM
You've got the internal root cert on the FTD, but no intermediate. Do you have an intermediate root CA cert that you need on the FTD?
12-20-2024 03:49 AM
Hi, I do have a copy of the full chain, should I delete the existing internal root CA and replace with that ?
12-20-2024 03:54 AM
You can just add the intermediate as another trustpoint and enrol on the FTD.
12-20-2024 06:26 AM
Hi Rob, this seems to have done the trick, thanks for that. I added it to the LDAP directory as well as device certificates.
Is it a requirement that it has the full / intermediate also ? I could not see that anywhere in any documentation
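An added example, not part of this thread and not Cisco tooling: a throwaway openssl lab that reproduces the three situations discussed above. It builds a root CA, an issuing (intermediate) CA and a server certificate for a hypothetical domain controller, then runs `openssl verify` with different trust bundles. The CA names (LAB-Root-CA, LAB-Issuing-CA) and hostname (dc01.lab.example) are constructed placeholders, and `verify_chain` models the validating side (the FTD in the thread) with `-CAfile` as its trustpoints and `-untrusted` as whatever the LDAPS server sends in the handshake. Only openssl is required.

```shell
#!/bin/sh
# Added example (not from the thread): an openssl lab showing why an LDAPS
# chain validates or fails depending on which CA certificates the validating
# side trusts. All names below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build root CA -> issuing (intermediate) CA -> DC server certificate.
build_lab() {
  # Extension profiles: one for CA certificates, one for the server leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dc01.lab.example\n' \
    > "$WORK/leaf.ext"

  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=LAB-Root-CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.pem" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1

  # Issuing CA: signed by the root. This is the "intermediate" that the
  # thread ends up adding as a second trustpoint.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/issuing.key" \
    -out "$WORK/issuing.csr" -subj "/CN=LAB-Issuing-CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/issuing.pem" \
    -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1

  # Domain controller's LDAPS certificate: signed by the issuing CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/dc01.key" \
    -out "$WORK/dc01.csr" -subj "/CN=dc01.lab.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/dc01.csr" -CA "$WORK/issuing.pem" \
    -CAkey "$WORK/issuing.key" -CAcreateserial -out "$WORK/dc01.pem" \
    -days 30 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

  # Trust bundle holding both the root and the issuing CA.
  cat "$WORK/root.pem" "$WORK/issuing.pem" > "$WORK/trust-both.pem"
}

# verify_chain TRUSTED_BUNDLE LEAF [UNTRUSTED_EXTRA]
# Returns 0 when openssl can build a path from LEAF to a cert in
# TRUSTED_BUNDLE. UNTRUSTED_EXTRA models certificates the server presents
# in the TLS handshake but that the validator does not itself trust.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# scenario LABEL TRUSTED LEAF [EXTRA]: prints a verdict, returns 0 or 1.
scenario() {
  label="$1"; shift
  if verify_chain "$@"; then
    echo "$label: chain OK"; return 0
  else
    echo "$label: chain FAILED"; return 1
  fi
}

main() {
  build_lab
  # Case 1: only the root is trusted and the server sends just its own
  # certificate -> no path to the root, validation fails.
  scenario "root trusted, only leaf presented" \
    "$WORK/root.pem" "$WORK/dc01.pem" || true
  # Case 2: root trusted, server also sends the issuing CA -> OK.
  scenario "root trusted, intermediate presented by server" \
    "$WORK/root.pem" "$WORK/dc01.pem" "$WORK/issuing.pem"
  # Case 3: root and issuing CA both trusted -> OK even if the server
  # sends only its own certificate.
  scenario "root and intermediate trusted" \
    "$WORK/trust-both.pem" "$WORK/dc01.pem"
}

main
```

Run it as `sh chain-lab.sh`; the first scenario prints `chain FAILED`, the other two `chain OK`. To see what a real LDAPS server actually sends (case 1 versus case 2), `openssl s_client -connect <dc>:636 -showcerts` lists every certificate in the handshake, which tells you whether you must trust the issuing CA directly on the validator or can rely on the server presenting it.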