Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1737
Views
10
Helpful
8
Replies

Anyconnect SSL Certificate

millarbrown
Level 1
Level 1

‎08-18-2015 05:04 AM - edited ‎02-21-2020 08:24 PM

We recently replaced the expired SSL certificate on our ASA 5525X with a new Entrust cert now every time a user connects on VPN they are presented with 'Untrusted VPN Server Blocked' it's somehow selecting some unknown certificate (not the one we just setup) and denying access. I realize you can 'Connect Anyway' but why is the client selecting the wrong cert ?

Labels:
0 Helpful
8 Replies 8

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎08-18-2015 05:22 AM

Please make sure the new certificate is not only installed , it is also applied on the outside interface.
Make sure you remove the older command and add it with correct trustpoint (which has the new certificate)

no ssl trust-point <trustpoint name of old certificate> outside
ssl trust-point <trustpoint name of new certificate> outside

For verification , go the client's browser and check the certificate while you try to VPN in.
You should see the new certificate now.

 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

millarbrown
Level 1
Level 1
In response to Dinesh Moudgil

‎08-18-2015 05:37 AM

Yes the new cert is applied to the OUTSIDE trustpoint yet still the 'Untrusted VPN Server Blocked' on the clients browser.

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to millarbrown

‎08-18-2015 05:41 AM

Can you confirm the certificate is indeed the new one. Browse to the URL in chrome and check whether the certificate being pushed is the correct one.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

millarbrown
Level 1
Level 1
In response to Dinesh Moudgil

‎08-18-2015 06:01 AM

The cert I'm presented with does not match the device, but the device name I'm shown is not the host name on the firewall the certificate is the correct one it just doesnt match ?

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to millarbrown

‎08-18-2015 06:42 AM

You need to make sure the CN in the certificate resolves to the IP of the ASA.
Can you share the FQDN that the users try to connect.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Dinesh Moudgil

‎08-18-2015 07:41 AM

Let me reinforce what Dinesh has told you. What needs to match is the name in the certificate and the name that the IP address resolves to. The configured host name on the firewall does not matter. All that matters is the name in the certificate and the name in DNS for the IP of the firewall.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Christopher Baker
Level 1
Level 1

‎08-19-2015 10:33 AM

I don't know what version you are running but this MAY be your issue.  I beat my head against the wall for like 9 hours thinking I did something wrong with the cert install and application.  Used the ADSM and CLI.  Nothing.  I re-issued the cert 3 times even.   Every time I applied the cert to the interface and would connect to the VPN or the Anyconnect home page, I would get the "Untrusted" warnings even though the cert was from a commercial SSL provider (not self signed).  When I would look at the cert, it was always a self signed one.  I even when into the command line, removed all the certs and keys using the zeroize commands.    Showing crypto ca and keys resulted in nothing.  Re-issued cert, installed and applied to interface and still the self signed.  Thinking maybe the browser cached the cert, I tried different browsers and then went to web based SSL testers.  I finally ran one from Symantec that found the RSA certificate I was getting from my commercial provider BUT it also found a ECC certificate!   Where did that come from and why was it using that when I clearly had commands in SSL and VPN to use the commercial RSA one.

Finally I opened a case with Cisco.   Turns out they found some reference to "Elliptic Curve Cryptography" and it says that in 9.4.x software, when a ECC capable SSL VPN client connects to the ASA, the ECC certificate has precedence.   So it basically appears that the internal self signed certificate is an ECC certificate (say the one used to connect ASDM).   And even though you have applied the RSA version to the outside, it won't work.  It will use the self signed instead.

TO ME THAT SAY BUG! ... I guess they don't agree.

In any case, the solution was to create a "custom" cipher precedence for SSL.  This was done with the following command:

ssl cipher tlsv1.2 custom

"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

 

This resolved my issue.  Might help if you have 9.4.x

Christopher Baker
Level 1
Level 1
In response to Christopher Baker

‎08-21-2015 08:31 AM

For future reference, Cisco does have a bug/feature enhancement request in on this issue:

https://tools.cisco.com/bugsearch/bug/CSCuu02848/

 

Customers Also Viewed These Support Documents