AnyConnect client perform revocation check on ASA server cert? Can be configured?

daboochmeister, Level 1

Environment:  AnyConnect Secure Mobility Client v 3.1.04066

Does the AnyConnect client perform a revocation check on the server certificate returned from the ASA during a VPN connection setup?  If so, does it use the info in the server certificate AIA, or can the OCSP or CRLDP URL be configured in the client?

And, can server certificate revocation checking be disabled (e.g. in the profile, or a registry update)?

Note, I'm NOT talking about the ASA checking revocation on submitted client certificates.  All of my vast google-fu could only uncover info about that topic - but this is different, this is akin to a browser checking revocation on a website's server certificate.

We are evaluating using an identity certificate from an internal CA for the VPN profile - but there's a catch-22/chicken-egg problem if the AnyConnect client does a mandatory OCSP check on the cert, since it won't have access to the OCSP URL until after connected. This could be addressed by e.g. having an outside CRLDP URL to a .crl file, or suppressing revocation checks in the AnyConnect client.

Thank you!
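As an added example (not from this thread, and not Cisco's code), a small pre-deployment check for the chicken-and-egg problem described in the question: given the OCSP and CRLDP URLs found in the ASA identity certificate, it reports which ones a client could reach before the tunnel exists. The hostnames, the internal DNS suffix and the `table_resolver` helper are constructed for illustration.

```python
"""Pre-deployment check for the catch-22 above: before the tunnel is up the
client can only reach revocation endpoints (OCSP responder, CRL distribution
point) that resolve and route from an untrusted network. Feed it the URLs from
the ASA cert's AIA/CRLDP extensions (e.g. openssl x509 -noout -ocsp_uri).
Hostnames and DNS suffixes used below are constructed sample values."""
import ipaddress
import socket
from urllib.parse import urlsplit


def table_resolver(table):
    """Offline stand-in for socket.gethostbyname (dry runs and tests)."""
    def resolve(host):
        if host not in table:
            raise OSError(f"no such host: {host}")
        return table[host]
    return resolve


def check_endpoint(url, internal_suffixes=(), resolve=socket.gethostbyname):
    """Return (reachable, reason) for one OCSP/CRL URL seen from outside the VPN."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "http" or not host:
        # OCSP/CRL fetches use plain HTTP; an https endpoint would itself need
        # a revocation check, the same chicken-and-egg problem.
        return False, f"unsupported scheme or missing host: {url}"
    if any(host == s or host.endswith("." + s) for s in map(str.lower, internal_suffixes)):
        return False, f"{host} is in an internal-only DNS zone, unresolvable pre-tunnel"
    try:
        ip = resolve(host)
    except OSError:
        return False, f"{host} does not resolve from the outside"
    if not ipaddress.ip_address(ip).is_global:
        # RFC1918, loopback, link-local, etc.: only routable once the tunnel is up.
        return False, f"{host} resolves to non-global address {ip}"
    return True, f"{host} ({ip}) is reachable before the tunnel"


def audit(ocsp_urls, crl_urls, internal_suffixes=(), resolve=socket.gethostbyname):
    """Check every endpoint; deploy the cert only if all_reachable is True."""
    results = {u: check_endpoint(u, internal_suffixes, resolve) for u in (*ocsp_urls, *crl_urls)}
    flags = [ok for ok, _ in results.values()]
    return {"endpoints": results, "all_reachable": all(flags), "any_reachable": any(flags)}


if __name__ == "__main__":
    # Constructed sample: internal OCSP responder plus an externally published CRL.
    res = audit(["http://ocsp.corp.example.internal/ocsp"], ["http://crl.example.com/ca.crl"],
                ("example.internal",))
    for url, (ok, why) in res["endpoints"].items():
        print("OK " if ok else "BAD", url, "-", why)
```

Run it against the URLs printed by `openssl x509` for the candidate ASA certificate; an OCSP responder that only resolves or routes inside the tunnel is exactly the case the question warns about.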

2 Replies

jan.nielsen, Level 7 (accepted solution)

I believe that at some point this was removed from AnyConnect, as it was the cause of many problems, but was reintroduced in AnyConnect 4.1, though still not enabled by default. So no, I don't believe that the version you are running is doing this.

jan.nielsen, I had concurrently opened a TAC case on this question, and received back the same answer you gave (but you beat them by several hours :-).  Thx!  Oh, and 4.1 only added in CRL checking, not OCSP, according to their reply.