7475 Views, 0 Helpful, 8 Replies

AnyConnect on iOS authenticating to ASA with certificate

egodalisse (Level 1)

Hi all,

I have got a test ASA set up to authenticate AnyConnect on iOS devices using certificates (the objective is to have an on-demand setup with zero user intervention).

While it works perfectly when the client is a Windows computer running AnyConnect, it doesn't when connecting from the latest AnyConnect version for iOS.

Here is the error message I'm getting:

"This connection requires a client certificate, but no matching certificate is configured. Please modify the connection, choose a valid certificate and try again."

This is weird because the same certificate was used for both the test from iOS and the test from Windows.

I do have the following options in the certificate:

- Key usage: Digital Signature and Key Encipherment

- Extended key usage: Client Authentication

ASA version 9.4.2.11

iOS : 9.3.2

Anyconnect for iOS : 4.0.05038

For adding the client certificate to iOS I have just emailed it to myself and installed the cert (pfx extension), which contains both the public and private keys.

Any idea?

EDIT : Problem solved, see below

Accepted Solution

Hi Pete,

FYI, I was able to fix the issue after turning on crypto debugs on the ASA.

Here is what put me on the right track:

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature

which took me to bug CSCut03981.


Everything is working fine after using the workaround shown in https://supportforums.cisco.com/discussion/12886496/anyconnect-certificate-validation-failure

Thanks again for your help.

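Added example, not part of the thread: a small sh/awk filter that pulls the 725014 "SSL lib error" messages out of an ASA syslog feed and counts them by Function/Reason, so the line that solved this thread stands out once crypto debugging is on. Only the 725014 message format comes from the thread; the hostname, timestamps, addresses and the other sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): surface ASA message 725014 (SSL lib
# error) from a syslog feed and count the Function/Reason pairs.
set -eu

# Constructed sample syslog excerpt: hypothetical host, times and addresses.
# Line format for 725014 is the one quoted in the accepted answer.
SAMPLE_LOG=$(cat <<'EOF'
Jun 21 2016 10:14:02 asa-lab %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51022 (203.0.113.5/51022) to identity:198.51.100.1/443 (198.51.100.1/443)
Jun 21 2016 10:14:02 asa-lab %ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature
Jun 21 2016 10:14:03 asa-lab %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
Jun 21 2016 10:14:05 asa-lab %ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature
EOF
)

# ssl_lib_errors: read syslog on stdin, print "<count> <Function> | <Reason>"
# for every distinct 725014 Function/Reason pair, most frequent first.
ssl_lib_errors() {
    awk '
        /%ASA-7-725014: SSL lib error\./ {
            sub(/.*Function: /, "")            # keep "FUNC Reason: text"
            split($0, parts, / Reason: /)
            key = parts[1] " | " parts[2]
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# cert_verify_failures: how many times the ASA rejected the client's
# CertificateVerify signature, i.e. the exact symptom from this thread.
# Prints 0 when the feed has none.
cert_verify_failures() {
    ssl_lib_errors | awk '
        /SSL3_GET_CERT_VERIFY [|] bad rsa signature/ { print $1; found = 1 }
        END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | ssl_lib_errors
printf 'CertificateVerify failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | cert_verify_failures)"
```

Feed it real output with something like `logger`-captured syslog or a saved `show logging` buffer on stdin; a non-zero CertificateVerify count with a client that says "no matching certificate is configured" is the pattern this thread ended on.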

8 Replies

egodalisse (Level 1)

I've just tried from an Android device and got the same error message.

Please do the same from Android as well.

Peter Davis (Cisco Employee)

Please turn on debug logs and send us a diagnostic report to ac-mobile-feedback@cisco.com with this description. The DART needs to be sent immediately after this error message so that the logs don't wrap.

DART on iOS? Does it exist?

The problem is for mobile devices; it works fine on Windows!

We received your DART bundle from iOS. Please send us the same from Android, since the iOS logs were not very helpful to troubleshoot. We may need the head-end logs with some certificate debugging enabled for this one as well.

Also, can you please send us a screenshot of the cert details? (From Windows is fine.) Curious to see the KU/EKU as you mentioned, hashing algorithm, size, etc.


I could not find DART for iOS; as far as I know it exists only on Windows.

I have sent the AnyConnect for iOS debug log to ac-mobile-feedback@cisco.com. Could you confirm you got the debug logs?