Hi,

I'm not sure am allowed to state version usage publicly, but we have another ASA built the same as the other with the old version still running. When we come to migrate that (soon) I'll find out if it has the same issues, first do a warm reload and then upgrade version if it didn't work. 

Thanks 

Sam

You're right on Marvin, On ASA ver 8.4 (2) I receive this same error "failed to update pki session with ikev2 trustpoint" after changing identity certs for Clientless SSL. It seems to yield this error regardless of the type of CA used, whether or not it includes the "server authenticatio" eku, as I was able to duplicate this behavior after issuing from a MS 2012 R2 CA and an IOS CA.  After rebooting the ASA it's fine with the cert and everything works.
 

You're right on Marvin, On ASA ver 8.4 (2) I receive this same error "failed to update pki session with ikev2 trustpoint" after changing identity certs for Clientless SSL. It seems to yield this error regardless of the type of CA used, as I was able to duplicate this behavior after issuing from a MS 2012 R2 CA and an IOS CA. It also doesn't seem to matter whether the eku "Server Authentication" is there or not (at least for Clientless Remote Access).  After rebooting the ASA it's fine with the newly selected cert and everything works.
 

Hi Sam,

I am labbing this so I can conclude what`s missing but I believe you are not enrolling correctly with the asa with the CA. Also, for Java applications such as any connect and the asdm you have to use a code certificate what means something is missing anyways. So far my any connect presents me with the correct trusted certificate. I`ll let u know when I am finished.

BR,

Bruno Silva.

wow you guys are going to loads of trouble for this, thanks loads.

I'll have another look at enrolling: but doing it again yesterday it didn't moan about the enrollment when adding the CA certificate..

Cheers

Sam

Hi Sam,

It`s no problem at all, I am also having certificate issues but concerns another area of expertise involving SCEP auto-enrollment. For some reason I think the problems are almost the same because when I authenticate using the new certificate it seems to be impossible to match the certificate properly and then it enrolls to a new certificate, it`s really giving me a hard time on solving it and I can`t find a way to match it. As per the certificate you are telling I am pretty sure it`s something related to the enrollment. When you enroll to this type of thing, you need to enroll in 3 different trust points for 3 different areas, the internal certificate, the SSL validation and the Code signer. The first is for the ASA itself, the second for the SSL vpn and the last for java applications such as any connect and ASDM. I am simulating, as soon as I get a proper conclusion I`ll let you know.

OK Great thanks again Bruno I'm still trying different things I'll let you know if there's any more info.

Hi Sam,

When you check the Anyconnect configurations, does it show the correct certificate being used?

Hi Bruno,

I've created quite a few certificates from various templates and have been trying with this for a while: when I change the certificate under the Anyconnect configuration, I can see from trying from a web browser that the certificate has changed. 

Templates I've used are ipsec, computer, web server and as far as I'm aware, web server should just work with very little configuration...

Thanks :)

Quick one: here's the chain:

Hi,

Quite a few at the moment: testing between quite a few ID certificates, and two different PKI servers so there are a few trustpoints to choose from. When the client certificate is shown to the ASA by the anyconnect client, it is able to validate that certificate by a trustpoint.