AnyConnect certificate authentication error

ken_maruu
Level 1

Hi there,

I'm using an ASA5516 and a Firepower 1140 as VPN gateways with AnyConnect.

I installed a CA certificate, which is generated by a third-party RADIUS, on both the ASA5516 and the Firepower 1140.

I also generated and installed a client certificate for my computer.

When I attempt to connect to the VPN (ASA5516) using AnyConnect, there is no problem. On the other hand,

when I attempt to connect to the VPN (Firepower 1140) using AnyConnect, I receive the error "Certificate Validation Failure" on AnyConnect.

The VPN configuration for AnyConnect is the same on both of them, but the version is different.

ASA5516 Version 9.8(4)

Firepower 1140 Version 9.16(2)7

I also noticed that the certificate CA is slightly different (I installed the same CA certificate, though).

ASA5516 shows 00xxxxxxxxxxxxxxxx (18 alphanumeric characters)

Firepower 1140 shows xxxxxxxxxxxxxxxx (16 alphanumeric characters)

The x's are the same alphanumeric characters.

Any advice would be appreciated.

7 Replies

marce1000
VIP

 - Check the logs of the Firepower 1140 when this happens,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello M,

Thank you for your reply.

When I use "show logging", there are too many logs and I cannot figure out which logs I want to check.

Is there any command with which I can check the logs easily?

I found the logs.

%ASA-6-725016: Device selects trust-point ASA-self-signed for client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-7-725017: No certificates received during the handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session
%ASA-6-725002: Device completed SSL handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session

It seems the Firepower doesn't recognize certificates from my computer even though it has the right one.
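The five syslog lines quoted above tell the story on their own: the gateway asks the client for a certificate (725004), reports that none arrived (725017), and still completes the handshake (725002). The following script is an added example, not from the thread or from Cisco; it narrows a noisy ASA log down to the SSL message family and classifies each client flow so the "requested a certificate but none received" case stands out. The sample log is constructed from the lines posted above, with the masked addresses left as posted, and the message IDs and their meanings are taken only from that quoted text.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA syslog lines quoted in the thread, with the
# IP addresses kept masked exactly as the poster pasted them.
SAMPLE_LOG = """\
%ASA-6-725016: Device selects trust-point ASA-self-signed for client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-7-725017: No certificates received during the handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session
%ASA-6-725002: Device completed SSL handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session
"""

# %ASA-<severity>-<msgid>: ... client <interface>:<src> to <dst> ...
LINE_RE = re.compile(
    r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): .*?client "
    r"(?P<iface>[A-Za-z0-9_-]+):(?P<src>\S+) to (?P<dst>\S+)"
)

# Message IDs as they appear in the quoted log; meanings are taken from the
# quoted message text, not from an exhaustive ASA catalogue.
CERT_REQUESTED = "725004"    # "Device requesting certificate from SSL client"
NO_CERT_RECEIVED = "725017"  # "No certificates received during the handshake"
HANDSHAKE_DONE = "725002"    # "Device completed SSL handshake"


def ssl_lines(log_text):
    """Keep only lines from the 7250xx family the thread's messages belong to.

    This is the same narrowing as 'show logging | include 725' on the box.
    """
    return [ln for ln in log_text.splitlines() if ln.startswith("%ASA-") and "-7250" in ln[:12]]


def parse(log_text):
    """Return one dict per parsable line with sev, msgid, iface, src, dst."""
    events = []
    for line in ssl_lines(log_text):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(log_text):
    """Classify each client flow (keyed by source address/port).

    Verdicts:
      no_client_cert        - certificate requested and 725017 says none arrived
      client_cert_received  - certificate requested, handshake completed, and no
                              725017 line (inferred: the client did send one)
      handshake_incomplete  - certificate requested but no completion message
      no_cert_request       - the gateway never asked for a certificate
    """
    by_flow = defaultdict(set)
    for ev in parse(log_text):
        by_flow[ev["src"]].add(ev["msgid"])

    verdicts = {}
    for src, ids in by_flow.items():
        if CERT_REQUESTED in ids and NO_CERT_RECEIVED in ids:
            verdicts[src] = "no_client_cert"
        elif CERT_REQUESTED in ids and HANDSHAKE_DONE in ids:
            verdicts[src] = "client_cert_received"
        elif CERT_REQUESTED in ids:
            verdicts[src] = "handshake_incomplete"
        else:
            verdicts[src] = "no_cert_request"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_LOG).items():
        print(f"{flow}: {verdict}")
```

Run against the posted lines it reports `xx.xx.xx.xx/2212: no_client_cert`, which is the case to chase on the client side: AnyConnect never offered a certificate to this gateway, so nothing on the gateway had a chance to validate it yet.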

balaji.bandi
Hall of Fame

Did you import the certs to the FTD, including the Root and chain?

Follow the guide below:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello BB,

Thank you for your reply.

I referred to the article below.

https://tayam-infra.net/how-to-configure-asa-for-certificate-based-authentication/

I'm not really sure whether the FTD includes the Root and chain or not because I don't use FMC.

How are you managing the FTD? FDM?

You can look at the file in Notepad++ to see whether it has the chain or not.

BB


I looked into the logs and found the error 'peer certificate key usage is invalid'.

What I did was to add 'ignore-ssl-keyusage'.

It's working now.

Thanks for your advice.
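'peer certificate key usage is invalid' points at the client certificate's extensions rather than at the gateway, and `ignore-ssl-keyusage` only tells the gateway to stop looking. Before relaxing that check, it is worth reading the extensions off the certificate and, if they are wrong, reissuing it from the CA with the right profile. The script below is an added example written for this thread, not Cisco's or the poster's; it assumes `openssl` is available and that a TLS client certificate is conventionally expected to carry `digitalSignature` in keyUsage and, if an extendedKeyUsage extension is present at all, `TLS Web Client Authentication`. The demo certificates it generates are constructed, self-signed throwaways.

```sh
#!/bin/sh
# Added example: inspect a client certificate's key-usage extensions with
# openssl before deciding whether the gateway's key-usage check is what
# needs relaxing. Assumption: a TLS client certificate is expected to carry
# keyUsage digitalSignature and, when an EKU extension is present, clientAuth.

# cert_key_usage_ok <pem-file>
# Prints the keyUsage / extendedKeyUsage values and returns 0 when the
# certificate is usable for TLS client authentication, 1 when an extension
# rules it out, 2 when the file cannot be read.
cert_key_usage_ok() {
    pem="$1"
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    # The value sits on the line after the extension name in -text output.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    printf 'keyUsage: %s\nextendedKeyUsage: %s\n' "${ku:-<absent>}" "${eku:-<absent>}"

    # TLS client auth signs the CertificateVerify message; a keyUsage
    # extension that omits Digital Signature does not authorise that.
    if [ -n "$ku" ]; then
        case "$ku" in *"Digital Signature"*) ;; *) return 1 ;; esac
    fi
    # An EKU extension, when present, must list client authentication.
    if [ -n "$eku" ]; then
        case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    fi
    return 0
}

# make_demo_cert <out.pem> <keyUsage-list> <extendedKeyUsage-list>
# Constructed, self-signed throwaway certificate used only to exercise the
# check above (OpenSSL 1.1.1 or later for -addext).
make_demo_cert() {
    out="$1"; ku="$2"; eku="$3"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "${out%.pem}.key" -out "$out" -days 1 -subj '/CN=demo-client' \
        -addext "keyUsage=critical,$ku" -addext "extendedKeyUsage=$eku" \
        >/dev/null 2>&1
}

# Demo: one certificate shaped like a client-auth cert, one shaped like a
# server cert that would trip a key-usage check on a VPN gateway.
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d/good.pem" digitalSignature clientAuth
    make_demo_cert "$d/bad.pem" keyEncipherment serverAuth
    for f in good bad; do
        if cert_key_usage_ok "$d/$f.pem"; then
            echo "$f.pem: suitable for TLS client authentication"
        else
            echo "$f.pem: key usage NOT suitable for TLS client authentication"
        fi
    done
    rm -rf "$d"
}

demo
```

Point `cert_key_usage_ok` at the PEM you loaded into AnyConnect; if the second certificate's verdict is what you get, the durable fix is a new certificate from the RADIUS-side CA with a client-authentication profile, after which `ignore-ssl-keyusage` can be removed again.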

That's not the best, but if that works for you, welcome.


BB
