AnyConnect and Certificate auth using SCEP failing

mors105
Level 1

In short, I'm getting the error "AnyConnect cannot confirm it is connected to your secure gateway".

I'm trying to use proxy SCEP, so that the AnyConnect client actually enrolls with the CA via the ASA when building the connection, and the user doesn't have to go around manually installing certificates on their machines.

I've been asked by a customer to bolt certificate authentication on to their existing AnyConnect solution, which I built. I've built it in a lab on GNS. All goes well: I can get the AnyConnect VPN to connect using the local DB users, fine. Then I've set up a Cisco router as the CA and to auto-enroll; this works fine for the ASA, I get that enrolled and all working well. So it's all looking good at this point, but I cannot get the AnyConnect client to use the certificate like in all the docs I've read and videos I've watched of other people doing it.

I've done the following to set it up after the ASA is enrolled, which I believe is correct:

1. Changed the SSL settings on the outside to use the new cert

2. Set the AnyConnect profile to use cert and local authentication

3. Under the group policy for AnyConnect, I've manually put in the SCEP URL of http://x.x.x.x:80, the same one I enrolled the ASA with

4. Under the AnyConnect client profile I have enabled certificate enrollment and set the same CA URL in here too

But as soon as I fire up the AnyConnect session, I get the error "AnyConnect cannot confirm it is connected to your secure gateway"?

As soon as I go back into the connection profile and drop it back to LOCAL auth, it works fine again!

Both the ASA and the client PC have reachability to the CA server.

On a side note, I put the CA server router on the OUTSIDE of the firewall, as I've no idea how the client PC is meant to communicate with it otherwise. If the tunnel isn't built, how can the client get to the CA server located on the inside of the firewall? That doesn't make sense.

Any advice much appreciated. If there's a guide to building this from scratch, that'd be even better! Most of the guides only show you how to configure SCEP on the ASA, not how to build the rest of the setup, including the client and CA server.

Cheers
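The ASA side of the SCEP-proxy setup described in steps 1 to 4 above, written out as an added example (this is not the poster's configuration and not taken from any Cisco guide; trustpoint, group-policy, tunnel-group and profile names, the ASA hostname and the keypair name are placeholder assumptions, and the CA URL is the one quoted in the post). It shows the documented SCEP-proxy shape: the enrollment connection profile authenticates with a password only and has SCEP enrollment switched on, the group policy carries the forwarding URL the ASA uses to relay the client's request to the CA, and a second connection profile takes certificate plus password for normal logins.

```cisco
! Added example, not from the original post: ASA configuration for
! AnyConnect certificate enrollment through the ASA (SCEP proxy).
! Placeholders: IOS-CA, ASA-RSA, asa.example.com, GP-ANYCONNECT,
! ANYCONNECT-PROFILE, TG-ENROLL, TG-CERT. CA URL as quoted in the post.

! 1. Trustpoint for the IOS CA. The ASA enrolls here itself and presents
!    the resulting certificate on the outside interface for SSL.
crypto ca trustpoint IOS-CA
 enrollment url http://x.x.x.x:80
 subject-name CN=asa.example.com
 keypair ASA-RSA
 crl nocheck
crypto ca authenticate IOS-CA
crypto ca enroll IOS-CA
ssl trust-point IOS-CA outside

! 2. Group policy: scep-forwarding-url is where the ASA sends the
!    client's SCEP request on its behalf. The client only ever talks to
!    the ASA, so the CA does not need to be reachable from outside.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://x.x.x.x:80
 webvpn
  anyconnect profiles value ANYCONNECT-PROFILE type user

! 3. Enrollment connection profile: password (LOCAL) auth only, with
!    SCEP enrollment enabled. A user logs in here once, AnyConnect
!    obtains its certificate via the ASA, then reconnects to TG-CERT.
tunnel-group TG-ENROLL type remote-access
tunnel-group TG-ENROLL general-attributes
 default-group-policy GP-ANYCONNECT
 authentication-server-group LOCAL
tunnel-group TG-ENROLL webvpn-attributes
 authentication aaa
 scep-enrollment enable
 group-alias enroll enable

! 4. Production connection profile: certificate AND password.
!    "authentication certificate" on its own would admit any cert the
!    trusted CA has issued; keeping aaa ties the certificate to a login.
tunnel-group TG-CERT type remote-access
tunnel-group TG-CERT general-attributes
 default-group-policy GP-ANYCONNECT
 authentication-server-group LOCAL
tunnel-group TG-CERT webvpn-attributes
 authentication aaa certificate
 group-alias vpn enable
```

On the client side, the profile's Certificate Enrollment section for SCEP proxy uses the Automatic SCEP Host field, set to the ASA hostname and the enrollment connection profile (with the placeholder names above, asa.example.com/TG-ENROLL), rather than the CA URL field, which is for legacy SCEP where the client contacts the CA directly. Two checks worth making before blaming the enrollment: the client must trust the issuer of the certificate the ASA presents on the outside interface, so the IOS CA's root certificate has to be in the client machine's trusted store, and the CA's certificate and the forwarding URL must be the same ones the ASA itself enrolled against.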


mors105
Level 1

I've fixed this and got the solution working with an IOS CA, but it's failing with a Server 2008 CA. So I'll post another thread for that.