11-27-2012 07:08 AM - edited 02-21-2020 06:30 PM
Hi guys,
I have a problem with the Anyconnect 3.1.01065.
When I try to connect I get "The certificate on the secured gateway is invalid. A VPN connection will not be established".
The Certificate is a self signed cert.
AnyConnect 2.5 works without problems.
ASA image: 8.4(2).
[27.11.2012 15:58:27] Ready to connect.
[27.11.2012 16:01:49] Contacting IP_WAN.
[27.11.2012 16:01:52] Please enter your username and password.
[27.11.2012 16:02:01] User credentials entered.
[27.11.2012 16:02:02] Establishing VPN session...
[27.11.2012 16:02:03] Checking for profile updates...
[27.11.2012 16:02:03] Checking for product updates...
[27.11.2012 16:02:03] Checking for customization updates...
[27.11.2012 16:02:03] Performing any required updates...
[27.11.2012 16:02:08] Establishing VPN session...
[27.11.2012 16:02:08] Establishing VPN - Initiating connection...
[27.11.2012 16:02:09] Disconnect in progress, please wait...
[27.11.2012 16:02:13] Connection attempt has failed.
Has anyone had this issue before?
Thanks a lot.
11-27-2012 07:24 AM
Hi Cristian,
Please check this out:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091
And the following:
DOC: AnyConnect supports specific Extended Key Usage attributes in certs
Symptom: When using certificates with the AnyConnect client, if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication", then the AnyConnect client will reject the ASA's certificate as invalid. Similarly, the client's id certificate also needs to be "client-authentication", otherwise the ASA will reject it.
Conditions: Use an id certificate on the ASA that has an EKU other than "server-authentication". Use an id certificate on the client that has an EKU other than "client-authentication".
Workaround:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472
So at this point you would need to configure certificate matching or use a previous version of the AnyConnect client.
HTH.
Please rate any helpful posts
11-27-2012 07:46 AM
Further information:
AnyConnect Profile Editor, Certificate Matching
HTH.
Portu.
Please rate any helpful posts
11-27-2012 07:51 AM
Great!
I was on the same page trying to figure it out.
So basically the profile must be configured on the client PC to match the ASA self-signed cert attributes.
I only have the hostname defined in the cert.
Status: Available
Certificate Serial Number: 111111
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=ASA-FW
Subject Name:
hostname=ASA-FW
Validity Date:
start date: 00:53:06 CEDT Apr 17 2012
end date: 00:53:06 CEDT Apr 15 2022
Associated Trustpoints: SSL-Trustpoint
which attribute will it be?
Thanks.
11-27-2012 08:09 AM
Hi Cristian,
You could check for the CN value in the certificate:
HTH.
Please rate any helpful posts
11-27-2012 09:12 AM
Hi,
I'll try it tomorrow and let you know.
Thanks.
11-27-2012 10:58 AM
Sounds good to me
11-28-2012 01:57 AM
I've tried it with the following profile but it doesn't work. Same error.
Thanks.
11-28-2012 02:11 AM
What do you think? Should I generate a new self-signed cert?
This one is pretty basic:
crypto ca trustpoint SSL-Trustpoint
enrollment self
keypair sslvpnkeypair
crl configure
It has no CN/FQDN/etc., only "Issued to", "Issued by" and the keys.
Thanks.
11-28-2012 03:31 AM
I added the CN, regenerated the cert, changed the Anyconnect profile and it works!
Thanks a lot!
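The two conditions this thread turns on (the bug note's serverAuth EKU requirement and the CN added before the connection finally worked) can be reproduced offline. This is an added example, not part of the thread or of Cisco's tooling: it builds two constructed self-signed certificates with the openssl CLI, one shaped like the poster's bare "General Purpose" cert and one with a CN, a SAN and a serverAuth EKU, and runs both checks against the name a client would dial. The file names, the hostname abc.example.com and the ASA-FW name are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two checks that the
# quoted bug notes and the certificate-matching fix revolve around:
#  1) the gateway certificate's EKU must include serverAuth
#  2) the name the client dials must appear in the CN or the SAN
# Assumes only the openssl CLI; every file and name here is constructed.
set -e
WORK=$(mktemp -d)

# make_cert PREFIX CN EXTENSIONS: self-signed cert PREFIX.pem with the
# given CN and extra x509v3 extension lines (newline separated).
make_cert() {
  prefix=$1; cn=$2; exts=$3
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\nCN=%s\n[ext]\nbasicConstraints=CA:TRUE\n%s\n' \
    "$cn" "$exts" > "$prefix.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.pem" 2>/dev/null
}

# check_cert PEM HOST: exit 0 when both checks pass, 1 otherwise, printing
# the reason a client would have for rejecting the gateway certificate.
check_cert() {
  pem=$1; host=$2
  text=$(openssl x509 -in "$pem" -noout -text)
  if ! printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Server Authentication'; then
    echo "$pem: EKU lacks serverAuth"; return 1
  fi
  subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
  case "$subj" in *"CN=$host"|*"CN=$host,"*) return 0;; esac
  if printf '%s\n' "$text" | grep -qE "DNS:$host(,|\$)"; then return 0; fi
  echo "$pem: neither CN nor SAN contains $host"; return 1
}

# "asa" mimics the poster's bare General Purpose cert (ASA-FW name, no EKU);
# "fixed" is what the thread ends with (CN added, serverAuth EKU, plus a SAN).
make_cert "$WORK/asa" "ASA-FW" ""
make_cert "$WORK/fixed" "abc.example.com" \
  "$(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth' abc.example.com)"

for c in asa fixed; do
  if check_cert "$WORK/$c.pem" abc.example.com; then echo "$c.pem: OK"; fi
done
```

Pointing check_cert at the PEM exported from a real gateway (openssl s_client can fetch it) shows which of the two conditions a client is tripping on before touching the profile.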
11-28-2012 05:08 AM
Hi,
Short question.
Is there a way to disable the warning generated from using self signed certs?
I would like to make the process as seamless as possible.
Thanks.
11-28-2012 07:25 AM
Hi Cristian,
For this message to go away, you need to install your ASA certificate on each machine (you can do it through the web browser).
HTH.
Portu.
Please rate any helpful posts
11-29-2012 12:16 AM
Hi Portu,
I've just tried it; the connection works but the warning keeps coming.
- CN=abc.example.com
- DNS - abc.example.com resolves to ASA_IP
- CN matches the DNS
- Certificate was installed on client PC
Where does the Anyconnect search/check for the certs?
Thanks.
11-30-2012 05:21 AM
Hi Portu,
I tried with a trial cert from Thawte but the warning keeps coming.
Any idea why?
Thanks.
03-17-2018 08:31 AM
I have the same problem too. I am using version 4.4.02039 with Mac OS 10.13.2 (17C88) (High Sierra).