01-30-2024 10:59 AM
Hi,
Upgraded ASA from 9.14(2) to 9.18(3). After the upgrade AnyConnect can't connect. "Wasn't able to establish connection with specified secure gw. Try again"
From the ASA log:
Authentication RADIUS - passed
Authorisation LDAP failed.
In the logs I see that certificate validation failed.
Is this a known issue?
Can you help?
Best
01-30-2024 11:02 AM
Debug log for the certificate rejection:
@ugisducmanis wrote:
PKI[6]: ---------Certificate--------:
Serial Number:
12:c7:45:8d:a2:bd:7d:84:4e:73:bf:75:08:3e:c7:69
Issuer: DC=lv, DC=customer, DC=it, CN=EVF-RootCA
Subject: DC=lv, DC=customer, DC=it, CN=EVF-RootCA
PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:545
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy _SmartCallHome_ServerCA for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy _SmartCallHome_ServerCA rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy _SmartCallHome_ServerCA2 for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy _SmartCallHome_ServerCA2 rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy ASDM_TrustPoint1 for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy ASDM_TrustPoint1 rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy ASDM_TrustPoint0 for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy ASDM_TrustPoint0 rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy ASDM_TrustPoint0-1 for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy ASDM_TrustPoint0-1 rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy EVF-RootCA for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy EVF-RootCA rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x400
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
Best Regards,
Ugis