
RV340 upgrade firmware from 1.0.03.20 to .21 causing SSLVPN certificate error

masonchuck
Level 1

Hi:
I just upgraded my RV340 to 1.0.03.21 from 1.0.03.20.

After the upgrade, my SSLVPN would not work.

I am using Cisco AnyConnect. I get an error "no valid certificates available for authentication".

I rebooted the router back to 1.0.03.20. The VPN now works.

I am using the default self-signed certificate. I access the router from the VPN by the outside IP address.

Is there a bug with this firmware, or do I need to do something with the self-signed certificate?

Thanks

6 Replies

marce1000
VIP

Ref: https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/RV340/Release_Note/RV34xx_relnote_v1_0_03_21.pdf

In the What's New section the following is mentioned:

"Allows to select the 3rd party certificate as primary certificate."

Perhaps this is not the problem, but if you can find the setting, make sure the intended certificate is set as primary.

M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

masonchuck
Level 1

This was not the problem.  The primary / default is the self signed certificate that came with the router.

Thanks!

- Is the certificate still 'visible' and/or can it somewhere be shown in the upgraded version?

M.




masonchuck
Level 1

The router is currently on the prior release (which is working fine). I will reboot it this evening to the new release and then review the certificates.

Thanks

- Ok, review the certificates in the 'current situation' too; then you can compare.

M.




nagrajk1969
Spotlight

Hi

Maybe you should do the below too, after your router is booted into v1.0.03.21:

1. Verify that the date & time is set to present date/time (check this out in System-Mgmnt/Time page)

2. Go to Admin/Certificates page and check what is the validity time-period displayed for the "Default" certificate. Usually it will be valid up to 2051...

3. Next go to VPN/SSLVPN page...and check whether the "Default" certificate is still selected in the Certificate settings...no harm done in clicking on Apply and then do a permanent Save here again at this juncture

I think if everything's ok in the above steps, then it should work...

If I were you I would "Always" do the following, in any release or version OR any other Router of any other vendor:

1. Verify that the date & time are set to present date/time on the Router

2. Go to Admin/Certificate page and quickly create a new Self-Signed Certificate (steps as shown in attachments)

- Here I would ensure the below points while creating the Self-Signed certificate

a) Do not enter any email-address in the email-address line-item below the Common-Name...this is no longer allowed in latest x509 certificate standards. This field is still there for supporting any legacy olden-days requirements...

- These days in present x509 certificate standards, the email-address is supposed to be present mandatorily in the "subjectAltName" field of the certificate when generated

- So I suggest simply keeping it blank

b) Give a validity period of at least 10 years (3650 in this case)

3. Next go to VPN/SSL-VPN page and now select your new Self-signed cert and Apply and also do a permanent save to the startup-config (in Admin/Config-Mgmnt page)

 

cheers
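
The checks listed in the reply above (clock versus validity window, e-mail address in the subject, validity length) can also be run against a certificate file from a workstation. This is an added example, not part of any post in the thread; it assumes OpenSSL 1.1.1+ and GNU date, and `cert_audit` and `make_sample_cert` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenSSL 1.1.1+ and GNU date.
# To audit the certificate a gateway presents, save it to a file first, e.g.
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -out gw.pem
# (HOST:PORT is a placeholder.)

# make_sample_cert OUT.pem SUBJECT DAYS
# Constructed sample input: a throwaway self-signed certificate, not the router's.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# cert_audit FILE [NOW_EPOCH]
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on parse error.
# NOW_EPOCH overrides the clock so a wrongly set date/time can be simulated.
cert_audit() {
    local pem=$1 now=${2:-$(date +%s)} nb na subj rc=0
    nb=$(openssl x509 -in "$pem" -noout -startdate) || return 2
    na=$(openssl x509 -in "$pem" -noout -enddate) || return 2
    subj=$(openssl x509 -in "$pem" -noout -subject) || return 2
    nb=$(date -u -d "${nb#notBefore=}" +%s)
    na=$(date -u -d "${na#notAfter=}" +%s)

    # Date/time check: a clock behind notBefore makes a fresh certificate invalid.
    if [ "$now" -lt "$nb" ]; then echo "NOT_YET_VALID"; rc=1; fi
    # Validity check: the period must still cover the current date.
    if [ "$now" -gt "$na" ]; then echo "EXPIRED"; rc=1; fi
    # Point (a): flag an e-mail address placed in the subject name.
    case "$subj" in *emailAddress*) echo "EMAIL_IN_SUBJECT"; rc=1 ;; esac
    # Point (b): report the validity length so it can be compared with 3650.
    echo "LIFETIME_DAYS=$(( (na - nb) / 86400 ))"
    return "$rc"
}
```

Running `cert_audit gw.pem` on both firmware versions gives two outputs that can be compared directly.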