When I try to start an SSL VPN connection to the ASA (8.4) with AnyConnect 3.1, Cisco AnyConnect receives a message saying "No Valid Certificates Available for Authentication".

Prior to the test:

On the ASA, I obtained a CA certificate and its identity certificate. (Both certificates were obtained from a Windows 2008 CA.)
* The ASA identity certificate has EKU attribute = Server Authentication, Key Usage = Digital Signature, Key Encipherment.

On the PC on which AnyConnect is installed, I obtained a User Certificate (this User Certificate was also obtained from the same Windows 2008 CA).
* Prior to obtaining the User Certificate from the Windows 2008 CA, the ASA acts as a SCEP proxy on behalf of the client PC.
* The User Certificate has EKU attribute = Client Authentication.

As in the ASDM logs, it almost works. In days of troubleshooting, I still could not find the cause of this problem.

Error message as it appeared on AnyConnect:

Is there anyone who could help?

Keshara from Sri Lanka.
This is my topology, and I could establish a VPN session from HQ to Branch using a pre-shared key in IKE phase 1. It worked fine.

Then I changed both routers' config to use "rsa-sig" as the authentication and also set up both routers to receive certificates from my win2003 server. Now, even though I could receive certificates from the CA, I couldn't establish a VPN session from HQ to Branch.

Debug says:

ISAKMP:(0:8:SW:1): processing CERT payload. message ID = 0
ISAKMP:(0:8:SW:1): processing a CT_X509_SIGNATURE cert
ISAKMP:(0:8:SW:1): peer's pubkey isn't cached
ISAKMP:(0:8:SW:1): Unable to get DN from certificate!
ISAKMP:(0:8:SW:1): Cert presented by peer contains no OU field.
ISAKMP:(0:8:SW:1): processing SIG payload. message ID = 0
ISAKMP (134217736): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = HQ.ciscokeshara.com
CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.

Can anyone give me a solution for this? Help, please.

BR, Keshara from Sri Lanka.