Hi all,
I've got an ASA5512-X, running 9.1.2, configured as a remote access VPN. I've configured it for aaa and certificate based authentication (Windows 2012 Certificate Server and radius authentication), using SCEP for trustpoint enrollment and OCSP for revocation checking as per this guide http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116720-config-asa-ocsp-00.html
The remote clients are Linux Debian OS using Anyconnect Client version 4.0.00061. The Windows Cert Server has been configured to generate certificates using RSA 2048 SHA1.
So far so good - everything is working as expected and remote devices can connect without issue.
As soon as I upgrade the ASA to 9.3.x or 9.4 no devices can connect and the Anyconnect Client displays the Certificate Validation Error message.
The ASA logs show that AES256-SHA is selected as the cipher, the correct trustpoint is selected and the SSL handshake completes using TLSv1.2. However, the connection immediately terminates with a TCP Reset-I message.
I've run debug crypto ca 255, debug crypto ca messages 255 and debug crypto ca transactions 255 on 9.1.2 and 9.3.x/9.4 and the only difference is that the ASA doesn't try and validate the certificate using OCSP after the upgrade - it seems to completely ignore revocation checking. I can't see any other useful info in the logs.
I've also tried using certificates from a cert server built using RSA2048 SHA256 (to try and be tlsv1.2 compliant) but I get the same result - works on 9.1.2 but not on 9.3.x or 9.4. It still works with 9.2.x, so it seems that something might have changed between 9.2.x and 9.3.x
Any ideas?
Thanks,
CM
