Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
731
Views
0
Helpful
1
Replies

AnyConnect clients failing after ASA Appliance power cycled

jim.bell@argyll-bute.gov.uk
Level 1
Level 1

‎11-05-2012 10:05 AM

Hi There,

We are having an issue with an ASA5520 v8.0(4) appliance that suffered a Power outage (first time down in around a year) and since then AnyConnect 2.5.2019 VPN clients are failing with Certificate errors.

The clients authenticate using both a Microsoft CA issued Machine certificate and an AD logon, and the AnyConnect clients have an always-on TND profile applied.

The clients also have installed in their Trusted root store a Certificate for the Appliance and it is this Certificate that appears to have changed on Power Cycle, confirmed by checking Serial number of current appliance certificate with what the Clients have installed for the Appliance.

Checked the configuration and the ASA's External Interface used for SSL connections has no certificate assigned to the Interface and is using the Fallback certificate of the Appliance.

Does this Fallback Certificate change each time the ASA Appliance is power cycled, if so what would you recommend to overcome this to survive Power Cycles - would a self-signed certificate applied to the Interface suffice.

We have found that we can get Clients working again by Importing the updated Appliance Certificate (Fallback certificate) into the clients Trusted Root store but should we suffer another Power outage will we end up in a similar situation.

Thanks for any suggestions.

Labels:
0 Helpful
1 Reply 1

jim.bell@argyll-bute.gov.uk
Level 1
Level 1

‎11-06-2012 06:12 PM

Update

We have now created a self-signed certificate on the Appliance and attached it to the External interface and confirmed this certificate is persistent (does not change) after reboots of the Appliance.

Also checked the Appliance's default fallback certificate and can confirm it does indeed change on every reboot of the Appliance.

Something to watrch out for if you use always-on with TND and machine certificate authentication - clients fail as they do not get pop-up security alert prompting user to accept new certificate from appliance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents