SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

Deepthi (Level 1)

Dear All,

We use a third-party tool for vulnerability tests on our internet-facing devices, and for my Cisco ASA5508 I got the error below.

SSL Certificate Cannot Be Trusted 443 / tcp / cisco-ssl-vpn-svr

I am not hosting any gateway service from this ASA, no SSL VPN or AnyConnect service.

I do not want to purchase a third-party certificate to make this error go away.

I do have IPsec tunnels running from here and a remote VPN service (not using AnyConnect).

So, I did some research and understood that I need to disable the HTTPS/SSL/443 services on the ASA to make this error go away. But I would like to know if there would be any impact on my other services, and also whether I can accomplish this through some ACL on my outside interface.

CC-ASA5508-1# sh run http
http server enable
http CCNET 255.255.0.0 INTERNAL
http 10.0.0.0 255.0.0.0 INTERNAL
CC-ASA5508-1# sh asp table socket

Protocol Socket   State  Local Address        Foreign Address
TCP      02016d48 LISTEN 10.207.4.2:22        0.0.0.0:*
SSL      0201f978 LISTEN 10.207.4.2:443       0.0.0.0:*
SSL      02025678 LISTEN 20C.CCC.CCC.CCC:443  0.0.0.0:*
DTLS     00037b28 LISTEN 20C.CCC.CCC.CCC:443  0.0.0.0:*
TCP      c1a01998 ESTAB  10.207.4.2:22        172.16.32.77:59549
CC-ASA5508-1#

Thank you very much in advance.
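To see which of the listeners in that `show asp table socket` output an external scanner can actually reach (and therefore whose certificate it is judging), the table can be parsed and filtered by address and protocol. The following is an added example written for this thread, not code from the poster or from Cisco; it assumes the masked `20C.CCC.CCC.CCC` address is the outside interface and embeds the post's output as constructed sample input.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample: the `show asp table socket` output from the post above,
# with the public address masked exactly as the poster masked it.
ASP_TABLE = """\
Protocol Socket State Local Address Foreign Address
TCP 02016d48 LISTEN 10.207.4.2:22 0.0.0.0:*
SSL 0201f978 LISTEN 10.207.4.2:443 0.0.0.0:*
SSL 02025678 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
DTLS 00037b28 LISTEN 20C.CCC.CCC.CCC:443 0.0.0.0:*
TCP c1a01998 ESTAB 10.207.4.2:22 172.16.32.77:59549
"""

# Assumption: the masked address is the outside (internet-facing) interface.
OUTSIDE_ADDRS: Set[str] = {"20C.CCC.CCC.CCC"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# proto, socket id, state, local addr:port, foreign addr:port
ROW = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+(\S+):(\d+|\*)\s+\S+$")


def parse_listeners(table: str) -> List[Listener]:
    """Return only the LISTEN rows of the table as Listener tuples."""
    found = []
    for line in table.splitlines()[1:]:  # first line is the column header
        m = ROW.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines, anything non-tabular
        proto, state, addr, port = m.groups()
        if state == "LISTEN" and port != "*":
            found.append(Listener(proto, addr, int(port)))
    return found


def exposed_tls_services(table: str, outside: Set[str]) -> List[Listener]:
    """Listeners bound to an outside address that speak SSL/TLS or DTLS.

    These are the sockets a scanner on the internet connects to on 443, so
    their certificate is the one the 'cannot be trusted' finding refers to.
    Internal-only listeners (10.207.4.2 here) are not reachable from outside.
    """
    return [l for l in parse_listeners(table)
            if l.addr in outside and l.proto in ("SSL", "DTLS")]


if __name__ == "__main__":
    for svc in exposed_tls_services(ASP_TABLE, OUTSIDE_ADDRS):
        print(f"{svc.proto} listener on {svc.addr}:{svc.port} is internet-facing")
```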

4 Replies

Ben Walters (Level 4)

If you don't use VPN or ASDM on the firewall, you won't be affecting anything by turning off SSL services.

Hi Ben,

Thank you very much for the response. I do use IPsec VPN and also remote VPN (we use the Windows and Mac built-in VPN clients on customer laptops). So, will these be affected?

IPsec will not be affected; it doesn't use 443. Remote VPN, however, likely would be; most VPN clients require 443.

If you use remote VPNs, though, what do you have for a cert on the outside interface, a self-signed one? Is it signed with your company's PKI that the clients trust? If that is the case, I wouldn't worry too much about the error; the cert is valid, it is just the third-party tool that thinks it is untrusted.

Yes, I do have a self-signed certificate on my ASA. We use the L2TP/IPsec protocol for the remote VPN. So, would it still be using 443 in the background?

I am sorry for so many questions; I am not so good with the certificate concepts.

Thank you very much.
