cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6788
Views
0
Helpful
2
Replies

Anyconnect Always-on and certificate validation error

Martin Olesen
Level 1
Level 1

Hey guys. Hope that somebody have some input on this.

The Case:

The customer uses AnyConnect Always-on. There is a public SSL certificate installed on the outside interface. They have machine certificates on their PCs. I have installed a identity certificate for the ASA, issued from the customers internal certificat server. The connection profile is setup to valided the clients certificates and user credentials

The problem:

When they connect they get the following error: No valid certificates available for authentication. (AnyConnect cannot confirm it is connected to your secure gateway.  The  local network may not be trustworthy.  Please try another network). If I change the certificate located on outside interface to the certificate issued by their internal certificate server, then there is no problems validate the certificate. The problem is for those who now uses SSL clientless VPN, they will start getting certificate error because the internal certificate is not public known.

If I do not enable Alwayson, and the public certificate is on the ourside interface, it can valided the clients certificats fine. But if I enable alwayson again, it can not valided the client certificates, exepted if I chooses to put the private certificate on the outside interface???

My question is quit simple :-), is it not possible to have a public certicate on the outside interface, and still be able to valided client certificate issued from an internal certificate server when running anyconnect Alwayson??

Buy the way we are running: ASA 9.1(2)8 Anyconnect 3.1.04066-k9 on windows machines?

Hoping somebody can help.

2 Replies 2

sjbdallas
Level 1
Level 1

Did you play with these settings in the profile:

All

false

There's also this link that discusses a way to change the automatic certificate detection which might matter:

https://supportforums.cisco.com/thread/2151782

Hi Steven

Yes, I did play with the settings in the XML Profile, it is set to:

All

true

Regarding the link you posted, i don't think that it is the same problem. Certificate validation works, as long as I don't enable anyconnect always-on.