Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1802
Views
0
Helpful
15
Replies

3rd Party Signed Certificate with Phone VPN

ciscokid1984
Level 1
Level 1

‎05-01-2013 09:41 AM

Hi Guys,

I had a phone VPN up and running and have recently changed over to a 3rd party signed certificate so that SSL and AnyConnect users do not get the error each time - as a result of only being able to have one externally facing trustpoint, the phone VPN has stopped working.

To try fix this, I have done the following:

- Uploaded new signed cert to CUCM in Phone-VPN-Trust

- Uploaded root and intermediate Certs into tomcat-trust

- Recreated VPN profile with new certificates

Am I missing something, or have a placed the certs in the incorrect stores?

There is very little documentation on phone VPN's with 3rd party certs so any help would be appreciated.

Thanks

Labels:
0 Helpful
15 Replies 15

rpadwal
Cisco Employee
Cisco Employee

‎05-01-2013 09:59 AM

Hi John,

Please refer the below doc, replace the self signed cert config with the new pubic cert.

http://www.cisco.com/image/gif/paws/115785/anyconnect-vpn-00.pdf

please let me know if the phone connects to the cucm when you are on the private network?

If still you have issues please post the cert debugs when phone tries to connect through VPN.

debug webvpn svc 255

debug crypto ca tran 220

debug cry ca mess 220

Thanks and Regards,

        ROHAN 

Thanks and Regards, ROHAN :)
0 Helpful

ciscokid1984
Level 1
Level 1
In response to rpadwal

‎05-01-2013 10:23 AM

Hi Rohan,

I have already tried this with no joy.

Would I not have to upload the root and intermediates (of godaddy in this case)?

Thanks

0 Helpful

rkumar5
Level 1
Level 1
In response to ciscokid1984

‎05-01-2013 01:41 PM

Hi John,

Enable the debugging level logs on the ASA

Then check for the logs and see if the ssl handshake is getting conmepleted or not

check the output of show run all ssl

Just make sure that the correct trustpoint is bind to the outside interface.

0 Helpful

ciscokid1984
Level 1
Level 1
In response to rkumar5

‎05-02-2013 05:55 AM

HI Raj,

Here are the logs:

1.1.1.1 = PhoneVPN

2.2.2.2 = External Interface

ASA# show clock

13:50:27.055 BST Thu May 2 2013

May 02 2013 13:50:27: %ASA-7-111009: User 'touchbase' executed cmd: show clock

May 02 2013 13:50:50: %ASA-7-609001: Built local-host outside:1.1.1.1

May 02 2013 13:50:50: %ASA-6-302013: Built inbound TCP connection 189710 for outside:1.1.1.1/50318 (1.1.1.1/50318                                                                                                         ) to identity:2.2.2.2/443 (2.2.2.2/443)

May 02 2013 13:50:50: %ASA-6-302014: Teardown TCP connection 189710 for outside:1.1.1.1/50318 to identity:217.33.99.25                                                                                                         0/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

May 02 2013 13:50:50: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

May 02 2013 13:50:51: %ASA-7-609001: Built local-host outside:1.1.1.1

May 02 2013 13:50:51: %ASA-6-302013: Built inbound TCP connection 189711 for outside:1.1.1.1/50318 (1.1.1.1/50318                                                                                                         ) to identity:2.2.2.2/443 (2.2.2.2/443)

May 02 2013 13:50:51: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/50318 for TLSv1 session.

May 02 2013 13:50:51: %ASA-7-725010: Device supports the following 3 cipher(s).

May 02 2013 13:50:51: %ASA-7-725011: Cipher[1] : AES256-SHA

May 02 2013 13:50:51: %ASA-7-725011: Cipher[2] : AES128-SHA

May 02 2013 13:50:51: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA

May 02 2013 13:50:51: %ASA-7-725008: SSL client outside:1.1.1.1/50318 proposes the following 2 cipher(s).

May 02 2013 13:50:51: %ASA-7-725011: Cipher[1] : AES256-SHA

May 02 2013 13:50:51: %ASA-7-725011: Cipher[2] : AES128-SHA

May 02 2013 13:50:51: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client outside:81.134.73.2                                                                                                         3/50318

May 02 2013 13:50:51: %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.1/50318

May 02 2013 13:50:52: %ASA-6-725007: SSL session with client outside:1.1.1.1/50318 terminated.

May 02 2013 13:50:52: %ASA-6-302014: Teardown TCP connection 189711 for outside:1.1.1.1/50318 to identity:217.33.99.25                                                                                                         0/443 duration 0:00:01 bytes 4240 TCP FINs

May 02 2013 13:50:52: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:01

May 02 2013 13:50:56: %ASA-7-609001: Built local-host outside:1.1.1.1

May 02 2013 13:50:56: %ASA-6-302013: Built inbound TCP connection 189712 for outside:1.1.1.1/51691 (1.1.1.1/51691                                                                                                         ) to identity:2.2.2.2/443 (2.2.2.2/443)

May 02 2013 13:50:56: %ASA-6-302014: Teardown TCP connection 189712 for outside:1.1.1.1/51691 to identity:217.33.99.25                                                                                                         0/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

May 02 2013 13:50:56: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

May 02 2013 13:50:56: %ASA-7-609001: Built local-host outside:1.1.1.1

May 02 2013 13:50:56: %ASA-6-302013: Built inbound TCP connection 189713 for outside:1.1.1.1/51691 (1.1.1.1/51691                                                                                                         ) to identity:2.2.2.2/443 (2.2.2.2/443)

May 02 2013 13:50:56: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/51691 for TLSv1 session.

May 02 2013 13:50:56: %ASA-7-725010: Device supports the following 3 cipher(s).

May 02 2013 13:50:56: %ASA-7-725011: Cipher[1] : AES256-SHA

May 02 2013 13:50:56: %ASA-7-725011: Cipher[2] : AES128-SHA

May 02 2013 13:50:56: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA

May 02 2013 13:50:56: %ASA-7-725008: SSL client outside:1.1.1.1/51691 proposes the following 2 cipher(s).

May 02 2013 13:50:56: %ASA-7-725011: Cipher[1] : AES256-SHA

May 02 2013 13:50:56: %ASA-7-725011: Cipher[2] : AES128-SHA

May 02 2013 13:50:56: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client outside:81.134.73.2                                                                                                         3/51691

May 02 2013 13:50:57: %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.1/51691

May 02 2013 13:50:57: %ASA-6-725007: SSL session with client outside:1.1.1.1/51691 terminated.

May 02 2013 13:50:58: %ASA-6-302014: Teardown TCP connection 189713 for outside:1.1.1.1/51691 to identity:217.33.99.25                                                                                                         0/443 duration 0:00:01 bytes 4240 TCP FINs

May 02 2013 13:50:58: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:01

I can see the handshake taking place but on the phone it is still saying VPN failure.

Thanks

0 Helpful

rkumar5
Level 1
Level 1
In response to ciscokid1984

‎05-02-2013 06:10 AM

Hi John,

Thanks for the update.

Please send us the console logs of the phone as well.

please follow the link to get the console logs from the phone

https://supportforums.cisco.com/docs/DOC-14178

I belive the ASA certifiacte tyhat you have installed in the Phone-Trust-VPN is the complete cahin certifiacte taht you have installed

Thanks

Raj

0 Helpful

Varinder Singh
Cisco Employee
Cisco Employee

‎05-02-2013 06:05 AM

John,

You would need to install the GoDaddy certificate in phone vpn trust in CUCM, That includes identity intermidiate and root certificate.

Once you have uploaded the certifiacte. Re register the phone by connecting on inside network.

Let me know if that helps.

Regards,

Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
0 Helpful

ciscokid1984
Level 1
Level 1
In response to Varinder Singh

‎05-02-2013 06:14 AM

Hi Varinder,

So far the certificates are as follows:

- Phone-Trust-VPN - Go daddy Cert

- Tomcat-Trust - GoDaddy Root

- Tomcat-Trust - GoDaddy Intermediate

I've re-connected the phone to the LAN and restarted tomcat too.

Are they in the correct stores on CUCM?

Thanks

0 Helpful

Varinder Singh
Cisco Employee
Cisco Employee
In response to ciscokid1984

‎05-02-2013 09:09 AM

John,

No they are not in correct store. You  need to install all 3 in VPN-trust store

- Phone-Trust-VPN - Go daddy Cert

- Phone-Trust-VPN- GoDaddy Root

- Phone-Trust-VPN- GoDaddy Intermediate

Re register the phone on inside. It should work after that.

Regards,

Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
0 Helpful

ciscokid1984
Level 1
Level 1
In response to Varinder Singh

‎05-07-2013 01:45 AM

Hi Varinder,

Thanks for that.

Which certificates do I need to add to the Phone on the call manager - when using a self signed cert, it is just this one which is needed.


Thanks

0 Helpful

Varinder Singh
Cisco Employee
Cisco Employee
In response to ciscokid1984

‎05-07-2013 02:07 AM

John,

You would only require to upload the ASA self signed certificate in VPN-Phone-trust on call manager. You can find more details from the following links:

https://supportforums.cisco.com/docs/DOC-21469

Regards,
Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
0 Helpful

ciscokid1984
Level 1
Level 1
In response to Varinder Singh

‎05-07-2013 02:21 AM

Hi Varinder,

If i was using a self signed cert I would only have to use the ASA cert - this is fine and is working.

- Phone-Trust-VPN - Go daddy Cert

- Phone-Trust-VPN- GoDaddy Root

- Phone-Trust-VPN- GoDaddy Intermediate

Do above 3 certs in Phone-VPN-Trust have to be all on configured on the phone in the CallManager?

Thanks

0 Helpful

Varinder Singh
Cisco Employee
Cisco Employee
In response to ciscokid1984

‎05-07-2013 06:33 AM

John,

I'm glad that you were able to make it work for self signed certificate.

As for Godaddy certifiacte. It is correct to keep all 3 certificates in Phone-VPn-Trust trust store in call manager. Copy all three of them in same certificate store.

https://supportforums.cisco.com/servlet/JiveServlet/showImage/102-21469-8-106592/CertificateManagement.png

Hope that helps.

Regards,
Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
0 Helpful

Varinder Singh
Cisco Employee
Cisco Employee
In response to Varinder Singh

‎05-07-2013 06:35 AM

Just to add, you also need to add all 3 of them in VPN gateway configuration.

Below is the snapshot

https://supportforums.cisco.com/servlet/JiveServlet/downloadImage/102-21469-8-106593/450-317/VPNGateway.png

Hope that helps.

Regards,
Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
0 Helpful

ciscokid1984
Level 1
Level 1
In response to Varinder Singh

‎05-09-2013 03:25 AM

Hi Varinder,

I added all 3 to the VPN profile but still no joy, it is saying VPN Authentication Failed

Here is the log, which to me, shows no failure and looks like it connects...:

1.1.1.1 = Phone

2.2.2.2 = ASA

May 09 2013 11:21:09: %ASA-7-609001: Built local-host outside:1.1.1.1

May 09 2013 11:21:09: %ASA-6-302013: Built inbound TCP connection 211741 for outside:1.1.1.1/52002 (1.1.1.1/52002) to identity:2.2.2.2/443 (2.2.2.2/443)

May 09 2013 11:21:09: %ASA-6-302014: Teardown TCP connection 211741 for outside:1.1.1.1/52002 to identity:2.2.2.2/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

May 09 2013 11:21:09: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:00

May 09 2013 11:21:09: %ASA-7-609001: Built local-host outside:1.1.1.1

May 09 2013 11:21:09: %ASA-6-302013: Built inbound TCP connection 211742 for outside:1.1.1.1/52002 (1.1.1.1/52002) to identity:2.2.2.2/443 (2.2.2.2/443)

May 09 2013 11:21:09: %ASA-6-725001: Starting SSL handshake with client outside:1.1.1.1/52002 for TLSv1 session.

May 09 2013 11:21:09: %ASA-7-725010: Device supports the following 3 cipher(s).

May 09 2013 11:21:09: %ASA-7-725011: Cipher[1] : AES256-SHA

May 09 2013 11:21:09: %ASA-7-725011: Cipher[2] : AES128-SHA

May 09 2013 11:21:09: %ASA-7-725011: Cipher[3] : DES-CBC3-SHA

May 09 2013 11:21:09: %ASA-7-725008: SSL client outside:1.1.1.1/52002 proposes the following 2 cipher(s).

May 09 2013 11:21:09: %ASA-7-725011: Cipher[1] : AES256-SHA

May 09 2013 11:21:09: %ASA-7-725011: Cipher[2] : AES128-SHA

May 09 2013 11:21:09: %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client outside:1.1.1.1/52002

May 09 2013 11:21:10: %ASA-6-725002: Device completed SSL handshake with client outside:1.1.1.1/52002

May 09 2013 11:21:10: %ASA-6-725007: SSL session with client outside:1.1.1.1/52002 terminated.

May 09 2013 11:21:11: %ASA-6-302014: Teardown TCP connection 211742 for outside:1.1.1.1/52002 to identity:2.2.2.2/443 duration 0:00:01 bytes 4240 TCP FINs

May 09 2013 11:21:11: %ASA-7-609002: Teardown local-host outside:1.1.1.1 duration 0:00:01

0 Helpful
Customers Also Viewed These Support Documents