No valid certificate available when connecting anyconnect SSL

bernardo81
Level 1

Hello Experts,


I am facing a weird issue on my ASA firewalls.

We currently have ASA 5550 with ASA version 9.1(7)16 for AnyConnect SSL VPN.

We want to replace those devices because they are EOL and because we needed an ASA version that supports PerApp VPN.

I installed a pair of ASA 5512 with ASA version 9.8(2)28 and configured PerApp for Apple iOS devices.

I also configured AnyConnect SSL VPN with a few Tunnel-Groups configured for both Certificate and AAA Authentication.

Then I configured Certificate-to-Connection Profile mapping based on criteria in the digital certificates provided by the AnyConnect clients (e.g. if issuer CN = PKI internal, then assign Tunnel-group-1 ...).

The laptops connecting have all machine certificates (no user certs because we don't allow BYOD).

The issue is that most of the laptops have identity certificates from an old PKI, signed with the MD5 signature algorithm.

We have a few laptops with machine certificates from a new PKI with signature algorithm sha256RSA.


Everything is running fine on these new firewalls (PerApp, AnyConnect SSL) with the new certs; however, the laptops with old certificates are not able to connect, giving the following error: "No valid certificate available for authentication", and thus fall back to the defaultwebvpnprofile.

I "disabled automatic cert selection" to see if the cert is presented during connection, but I don't see one popping up.

Of course I added the CA certificates for the old and new PKI in the new firewalls.

I checked certificate store override, but the issue is still the same.

So laptops with new certificates can connect to both the new and the current firewalls, but laptops with old certs can connect only to the current firewalls!


I attached the SSL settings of both firewalls.

Has anyone faced a similar issue?

I have been stuck on this for weeks.

 

Thank you in advance.
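The symptom described in this post (clients silently offering no certificate when the machine cert is MD5-signed) is what a cert audit before cutover is meant to catch, since modern TLS stacks reject MD5 signatures. As an added example that is not from this thread or from Cisco, here is a standard-library-only Python script that reads the outer Certificate.signatureAlgorithm OID from a DER certificate and flags MD5 and SHA-1 signatures; sample_cert() and its helpers build constructed minimal DER stand-ins for testing, not real certificates, so on real input you would feed it the bytes of an exported .cer/.der file.

```python
# Added example (not from the thread): flag DER certificates whose outer signature
# algorithm is MD5 or SHA-1. sample_cert() builds constructed DER stand-ins only.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",      # RFC 3279
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}  # RFC 4055
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
def der_tlv(data, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def decode_oid(value):
    """Decode OID content octets to dotted form (base 128, high bit = more)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm (the outer one)."""
    _, cert, _ = der_tlv(cert_der)         # Certificate SEQUENCE
    _, _, pos = der_tlv(cert)              # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg_id)          # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)
def check_cert(cert_der):
    """Return (is_weak, algorithm_name) for one DER-encoded certificate."""
    name = SIG_OIDS.get(signature_algorithm(cert_der), "unknown")
    return name in WEAK, name
def der_encode(tag, content):
    """Fixture helper: one TLV, long-form length when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def sample_cert(oid_octets):
    """Constructed Certificate ::= SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))          # placeholder TBS
    alg = der_encode(0x30, der_encode(0x06, oid_octets) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00" + b"\xaa" * 128)             # forces long-form length
    return der_encode(0x30, tbs + alg + sig)
MD5_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # 1.2.840.113549.1.1.4
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

Run check_cert() over every exported machine certificate; any (True, ...) result is a laptop that needs re-enrollment from the new PKI before it is pointed at the new firewalls.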


2 Replies

bernardo81
Level 1

Hello,


Anyone with a similar issue, or who can provide suggestions?
