AnyConnect "Certificate Validation Failure"

KevinGueTIS
Level 1

Edit: Problem is solved, see my post in this discussion.

Hello,

I am currently facing a problem regarding AnyConnect authentication with AAA+certificate.

The explanation:

We run our own CA that gives out the client certificates for our users as well as the identity certificate for the ASA. If I assign the trustpoint to the interface the following happens:

- I click on connect on the AnyConnect client

- The certificate selection pops up and I select my certificate

- An error message with "Certificate Validation Failure" appears and the client says "No valid certificates available for authentication"

If I set the logging messages to debugging I can see that the device selects the correct trustpoint, but it doesn't extract anything from the certificate.

I also created a DART bundle and in there I can see that the certificate is selected from the store "Microsoft User", but after that I get several errors regarding the SCHANNEL, then it tries another certificate authentication and finds no certificates followed by the error. I have attached a .txt with a failed attempt.

If I remove the trustpoint I get an error message saying that it can't verify the VPN server, which is to be expected since it uses the self-signed certificate, but if I connect anyway I get the certificate selection and the login works fine (i.e. the username for the login is taken from the certificate).

I have imported the .cer from the CA, and the identity certificate has only server authentication as its usage. All certificates are valid.

Tests were done with AnyConnect 3.1.07021 and 3.1.13015 and ASA version 9.4(1) ASDM 7.4(1).

I have tried Google, but no solution has worked so far.

Has anyone experienced this issue?

Thank you for your help,

Kevin

7 Replies

I had very similar issue.

Certificate validation failure message/error and "The SSL transport received a Secure Channel Failure.  May be a result of a unsupported crypto configuration on the Secure Gateway." in DART log.

ASA: 9.4.(2)6

AC: 4.0.0.0.0.61

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116497

  • Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
Before (not working = certificate validation error):
ASA-hostname/act/pri# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ASA-Hostname/act/pri#
After (working):
ASA-hostname/act/pri#
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ASA-hostname/act/pri#
Thank you Cisco TAC :)
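A small checker, added here as an example (it is not part of this thread or of any Cisco tool), that scans `show run all ssl` output for `ssl cipher` lines that could trigger the behaviour the release note describes: custom strings containing ECDSA-authenticated suites, and named levels (medium, high, all) whose suite membership varies by ASA release and so should be inspected. The before/after configs from the post above are embedded as constructed sample input.

```python
import re
# Constructed sample input: the failing ("before") and working ("after")
# 'show run all ssl' output quoted earlier in this thread.
BEFORE_CONFIG = """\
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
"""
AFTER_CONFIG = """\
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
"""

# ASA named cipher levels. Their membership depends on the ASA release, so a
# named level is reported as "inspect it" rather than judged suite by suite.
NAMED_LEVELS = {"all", "low", "medium", "high", "fips"}
CIPHER_LINE = re.compile(r'^ssl cipher (\S+) (custom "([^"]*)"|\S+)$')

def authenticates_with_ecdsa(suite: str) -> bool:
    # ASA uses OpenSSL-style names: ECDHE-ECDSA-... authenticates with an ECDSA
    # key; ECDHE-RSA-... and plain AES128-SHA still use the RSA trustpoint cert.
    return "ECDSA" in suite.upper().split("-")

def rsa_only(custom: str) -> str:
    # Custom cipher string with the ECDSA-authenticated suites removed.
    return ":".join(s for s in custom.split(":") if not authenticates_with_ecdsa(s))

def audit_ssl_ciphers(config: str):
    # (version, kind, detail) for each 'ssl cipher' line that could make the
    # ASA present an ECDSA certificate instead of the configured RSA one.
    findings = []
    for raw in config.splitlines():
        m = CIPHER_LINE.match(raw.strip())
        if not m:
            continue
        version, spec, custom = m.groups()
        if custom is not None:
            bad = [s for s in custom.split(":") if authenticates_with_ecdsa(s)]
            if bad:
                findings.append((version, "ecdsa-suites", bad))
        elif spec.lower() in NAMED_LEVELS:
            findings.append((version, "named-level", [spec]))
    return findings
```

Run against the "before" config it flags the two `medium` lines; against the "after" config it returns nothing.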

ASA 9.4(2)11 is also affected with this issue.

I've only edited tlsv1.2 cipher suite to get it working.

Hi,

What did you edit to get this working? We have just upgraded to the Cisco recommended release (9.4(2)11) and found this issue only affects the mobile AnyConnect client.

In what release is it fixed for all AnyConnect clients?

I cannot believe Cisco have 9.4(2).11 as their Suggested release when it is obviously so badly affected by this bug. A bug which the release notes and the bug id state is fixed in 9.4(2)!


Right now I have such configuration regarding TLS/DTLS:

ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"

We have AnyConnect 4.2.02075.

Thanks for that - I noticed the TLSv1.2 cipher was set to medium - when all the others were AES128-SHA only (which is what it should be).  Changing this to AES128-AES fixed the issue.  

I only saw the issue on the mobile AnyConnect clients; the PC clients were unaffected.

Thanks for that. 

My current configuration:

A# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point NEW-Self-Signed outside
ssl certificate-authentication fca-timeout 2


and I still have the same problem with mobile phones.


ASA Version 9.5(2)14

KevinGueTIS
Level 1

Hello,

I just wanted to say that I "solved" this problem. It was a bug in the release (https://tools.cisco.com/bugsearch/bug/CSCut03981 probably). I just upgraded to 9.4(2) and did not encounter the problem anymore.

Kevin