Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3263
Views
0
Helpful
4
Replies

SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

Deepthi
Level 1
Level 1

‎02-14-2019 11:50 AM - edited ‎02-21-2020 08:49 AM

Dear All,

 

We use a third-party tool for vulnerability tests on our internet facing devices and for my Cisco ASA5508, i got this below error.

 

SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr .

 

I am not hosting any gateway service from this ASA, no SSL VPN or Anyconnect service.

 

I do not want to purchase a third-party certificate to make this error go away. 

 

I do have IPSec tunnels running from here and remoteVPN service (not using anyconnect). 

 

So, i did some research and understood that i need to disable https/SSL/443 services on the ASA to make this error go away. But, i would like to know if there would be any impact for my other services. and also i would like to know if i can accomplish this through some ACL on my outside interface.

 

CC-ASA5508-1# sh run http
http server enable
http CCNET 255.255.0.0 INTERNAL
http 10.0.0.0 255.0.0.0 INTERNAL
CC-ASA5508-1# sh asp table socket


Protocol Socket State Local Address Foreign Address
TCP 02016d48 LISTEN 10.207.4.2:22 0.0.0.0:*
SSL 0201f978 LISTEN 10.207.4.2:443 0.0.0.0:*
SSL 02025678 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
DTLS 00037b28 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
TCP c1a01998 ESTAB 10.207.4.2:22 172.16.32.77:59549
CC-ASA5508-1#

 

Thank you very much in advance.

0 Helpful
4 Replies 4

Ben Walters
Level 3
Level 3

‎02-14-2019 12:40 PM

If you don't use VPN or ASDM on the firewall you won't be affecting anything by turning off SSL services.  

0 Helpful

Deepthi
Level 1
Level 1
In response to Ben Walters

‎02-14-2019 01:10 PM

Hi Ben,

 

Thank you very much for the response. I do use IPSec VPN and also Remote VPN. (we use the widows and MAC in-built VPN clients at customer laptops). So, will these be affected ?

0 Helpful

Ben Walters
Level 3
Level 3
In response to Deepthi

‎02-14-2019 01:19 PM

IPSec will not be affected they don't use 443. Remote VPN however likely would be, most VPN clients require 443.

 

If you use remote VPNs though what do you have for a cert on the outside interface a self-signed? Is it signed with your company's PKI that the clients trust? If that is the case I wouldn't worry too much about the error, the cert is valid it is just the 3rd party tool that thinks it is untrusted.  

0 Helpful

Deepthi
Level 1
Level 1
In response to Ben Walters

‎02-14-2019 01:26 PM

Yes, I do have a self-signed Certificate on my ASA. We use L2TP/Ipsec protocol for the remote VPN. So, would it still be using 443 in the background. 

 

I am sorry for so many questions. am not so good with the certificate concepts. 

 

thank you very much.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card