09-23-2015 02:04 AM
I have 2 ASA devices with nearly the same VPN config (ASA 5512-X 9.1(4) and ASA 5510 8.4(4)1). To connect, a user should have a certificate installed and a membership in an AD group. The certificate defines the tunnel-group; after that an AD request authorizes his rights to connect with Anyconnect.
Recently we got another device, ASA 5506-X 9.4(1). The config was transferred there, but the Anyconnect connection fails with "Certificate validation failure"; the client thinks that there is no correct certificate. To check if it's right I exported the cert from the ASA and installed it, but there is still "certificate validation failure". I have no idea what OS improvement makes my VPN that lazy. It works fine if I swap "authentication aaa certificate" to "authentication aaa" (sure, it doesn't check the cert). Can anyone help me?
Partial config is attached.