Anyconnect VPN Certificate Authentication

andre.ortega
Spotlight

Hello,
I configured a RA VPN to authenticate using certificate.
On FTD I installed my root CA certificate and the identity certificate signed by this CA, and for the computer I also generated and installed a certificate (template = workstation, the same one I use to authenticate on the LAN - ISE).

Now, trying to connect to VPN I am receiving the error "Certificate Validation Failure" on Anyconnect. On FTD I see "pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed".

What could be causing this?

More logs:


SSL verify callback: Key exchange algorithm extracted from SSL Cipher
PKI[13]: CERT_Open, vpn3k_cert_api.c:196
PKI[8]: PKI session 0x015ec9e9 open Successful with type SSL
PKI[13]: CERT_SetKeyExchangeAlg, vpn3k_cert_api.c:896
PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:566
PKI[8]: Authenticate session 0x015ec9e9, non-blocking cb=0x0000559ee0a47e30
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=0, session=0x015ec9e9
PKI[9]: Async locked for session 0x015ec9e9
PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1048
PKI[7]: Begin cert chain validation for session 0x015ec9e9
PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:441
PKI[8]: Begin sorted cert chain
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/CN=CA-MyCompany. ctx->error: (0)ok, cert_idx: 1
PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/OU=mycompany STI/OU=Computers/OU=TesteAutent/CN=HQNB316. ctx->error: (0)ok, cert_idx: 0
PKI[8]: pki_ossl_find_valid_chain took 467 microsecs
PKI[6]: Verified chain:
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:545
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[9]: Policy search for cert 1
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-MyCompany rejected (usage: 640). conn_type 32 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[4]: Unable to find policy
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:160
PKI[13]: CERT_Close, vpn3k_cert_api.c:284
PKI[8]: Close session 0x015ec9e9 asynchronously
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: Async unlocked for session 0x015ec9e9
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=1, session=0x015ec9e9
PKI[9]: Async locked for session 0x015ec9e9
PKI[9]: Async unlocked for session 0x015ec9e9
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:247
PKI[9]: CERT API thread sleeps!

CERTIFICATES ON FTD:

Certificate
Status: Available
Certificate Serial Number: 56000000170f1073b1715941ab000000000017
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Subject Name:
cn=ssl.mycompany.com.br
ou=TI
o=mycompany
l=Sao Paulo
st=SP
c=BR
CRL Distribution Points:
[1] ldap:///CN=CA-MyCompany,CN=AHQDC02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mycompany,DC=com,DC=br?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 19:03:00 UTC Apr 27 2022
end date: 19:03:00 UTC Apr 26 2024
Storage: config
Associated Trustpoints: CA-MyCompany

CA Certificate
Status: Available
Certificate Serial Number: 16cb7561a023459c4a993b1182bbac90
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Subject Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Validity Date:
start date: 17:01:17 UTC Jan 9 2020
end date: 17:11:16 UTC Jan 9 2035
Storage: config
Associated Trustpoints: CA-MyCompany


10 Replies

JP Miranda Z
Cisco Employee

Hi andre.ortega,

Which FTD version are you running? Can you share a sh run cry ca trustpoint CA-MyCompany?

-JP-

Hi JP Miranda, it is an FTD 6.6.4.

crypto ca trustpoint CA-MyCompany
enrollment terminal
fqdn ssl.mycompany.com.br
subject-name OU=TI,O=MyCompany,CN=ssl.mycompany.com.br,L=Sao Paulo,ST=SP,C=BR
keypair <Default-RSA-Key>
no validation-usage
crl configure

andre.ortega,

The issue you are having is most likely related to a known defect that is currently not visible to customers. I'm already working on making it visible for everyone, but I'll give you an explanation of what seems to be the issue:

- When you import the CA certificate on the FMC/FTD, the CA will have a default setting of validation-usage ipsec-client ssl-client; in this case you can see the setting is no validation-usage, which is caused by the defect.

As a workaround you can import the same CA one more time with just a different trustpoint name and that should do the trick.

As soon as I get the defect visible for everyone I'll share it here.

-JP-

Hope this helps!


Thanks JP Miranda.
I added a new trustpoint (CA-MyCompany2), and you can see it has the same Serial Number.

crypto ca trustpoint CA-MyCompany
enrollment terminal
fqdn ssl.mycompany.com.br
subject-name OU=TI,O=MyCompany,CN=ssl.mycompany.com.br,L=Sao Paulo,ST=SP,C=BR
keypair <Default-RSA-Key>
no validation-usage
crl configure

crypto ca trustpoint CA-MyCompany2
enrollment terminal
keypair <Default-RSA-Key>
crl configure

Trustpoint CA-MyCompany:
Subject Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Serial Number: 16cb7561a023459c4a993b1182bbac90
Certificate configured.

Trustpoint CA-MyCompany2:
Subject Name:
cn=CA-MyCompany
dc=mycompany
dc=com
dc=br
Serial Number: 16cb7561a023459c4a993b1182bbac90
Certificate configured.

However, I am still receiving the error, but now I noticed some other messages:

PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable for usage type SSL VPN Peer
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer

The certificate I am using for computers (template workstation) has usage Client Authentication (OID = 1.3.6.1.5.5.7.3.2) and Server Authentication (OID = 1.3.6.1.5.5.7.3.1).
Am I missing something?

Hi andre.ortega, 


Actually, there is a difference between the debugs and also in the trustpoint configuration after adding the CA certificate a second time:


crypto ca trustpoint CA-MyCompany
enrollment terminal
fqdn ssl.mycompany.com.br
subject-name OU=TI,O=MyCompany,CN=ssl.mycompany.com.br,L=Sao Paulo,ST=SP,C=BR
keypair <Default-RSA-Key>
no validation-usage
crl configure

crypto ca trustpoint CA-MyCompany2 --> by default the validation usage will be ipsec-client/ssl-client
enrollment terminal
keypair <Default-RSA-Key>
crl configure

In the new debug you see the ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer, which means we are not getting to the point of checking the EKU. Can you share the full debug while trying to connect?

FYI here is the bug id causing the validation-usage issue: CSCwa97394.


-JP-

Hope this helps!


Here is the debug, and one more time thanks for your help.


SSL verify callback: Key exchange algorithm extracted from SSL Cipher
PKI[13]: CERT_Open, vpn3k_cert_api.c:196
PKI[8]: PKI session 0x018c1a5d open Successful with type SSL
PKI[13]: CERT_SetKeyExchangeAlg, vpn3k_cert_api.c:896
PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:566
PKI[8]: Authenticate session 0x018c1a5d, non-blocking cb=0x0000559ee0a47e30
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: CERT API thread wakes up!
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=0, session=0x018c1a5d
PKI[9]: Async locked for session 0x018c1a5d
PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1048
PKI[7]: Begin cert chain validation for session 0x018c1a5d
PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:441
PKI[8]: Begin sorted cert chain
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[8]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[8]: End sorted cert chain
PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61
PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: pki_ossl_rebuild_policies, pki_ossl_policy_transition.c:207
PKI[13]: pki_policy_clear_all, pki_ossl_policy.c:200
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: pki_policy_free, pki_ossl_policy.c:137
PKI[14]: pki_policy_free, pki_ossl_policy.c:137
PKI[14]: pki_policy_free, pki_ossl_policy.c:137
PKI[12]: pki_ossl_build_tp_policies, pki_ossl_policy_transition.c:130
PKI[13]: pki_policy_query, pki_ossl_policy.c:620
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: label: SAMLAzureAD
PKI[13]: TP list label: VPNRA_SelfSigned
PKI[13]: pki_ossl_populate_policy, pki_ossl_policy_transition.c:57
PKI[13]: pki_policy_add, pki_ossl_policy.c:175
PKI[14]: pki_copy_policy_info, pki_ossl_policy.c:123
PKI[13]: pki_policy_insert, pki_ossl_policy.c:154
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_policy_query, pki_ossl_policy.c:620
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: label: CA-MyCompany2
PKI[13]: TP list label: VPNRA_SelfSigned
PKI[13]: pki_ossl_populate_policy, pki_ossl_policy_transition.c:57
PKI[13]: pki_policy_add, pki_ossl_policy.c:175
PKI[14]: pki_copy_policy_info, pki_ossl_policy.c:123
PKI[13]: pki_policy_insert, pki_ossl_policy.c:154
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_policy_query, pki_ossl_policy.c:620
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: query_policy, pki_ossl_policy.c:597
PKI[13]: label: CA-MyCompany
PKI[13]: TP list label: VPNRA_SelfSigned
PKI[13]: pki_ossl_populate_policy, pki_ossl_policy_transition.c:57
PKI[13]: pki_policy_add, pki_ossl_policy.c:175
PKI[14]: pki_copy_policy_info, pki_ossl_policy.c:123
PKI[13]: pki_policy_insert, pki_ossl_policy.c:154
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: pki_ossl_build_pool_policy, pki_ossl_policy_transition.c:180
PKI[13]: pki_ossl_populate_policy, pki_ossl_policy_transition.c:57
PKI[13]: pki_policy_add, pki_ossl_policy.c:175
PKI[14]: pki_copy_policy_info, pki_ossl_policy.c:123
PKI[13]: pki_policy_insert, pki_ossl_policy.c:154
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[12]: pki_ossl_add_list_to_store, pki_ossl_certstore.c:108
PKI[12]: pki_ossl_add_list_to_store, pki_ossl_certstore.c:108
PKI[12]: pki_ossl_crl_add_cache_to_store, pki_ossl_crl_cache.c:1386
PKI[9]: OSSL certstore updated with 2 certs, 0 CRLs and 4 policies, 2 certs mycompany to stack
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[7]: Cert to verify
PKI[7]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/CN=CA-MyCompany. ctx->error: (0)ok, cert_idx: 1
PKI[12]: pki_verify_cb, pki_ossl_validate.c:344
PKI[8]: val status=1: cert subject: /DC=br/DC=com/DC=mycompany/OU=mycompany STI/OU=Computers/OU=TesteAutent/CN=HQNB316. ctx->error: ( 0)ok, cert_idx: 0
PKI[8]: pki_ossl_find_valid_chain took 599 microsecs
PKI[6]: Verified chain:
PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
56:00:00:00:21:d9:63:82:33:cf:71:71:17:00:00:00:00:00:21
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, OU=mycompany STI, OU=Computers, OU=TesteAutent, CN=HQNB316

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:118
PKI[6]: ---------Certificate--------:
Serial Number:
16:cb:75:61:a0:23:45:9c:4a:99:3b:11:82:bb:ac:90
Issuer: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany
Subject: DC=br, DC=com, DC=mycompany, CN=CA-MyCompany

PKI[13]: pki_ossl_policy_select, pki_ossl_policy.c:545
PKI[9]: Policy search for cert 0
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy SAMLAzureAD for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy SAMLAzureAD rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany2 for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy CA-MyCompany2 rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany for conn type 0x20
PKI[9]: pki_is_policy_match: policy CA-MyCompany rejected (usage: 640). conn_type 32 not allowed
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy Trustpool for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[9]: Policy search for cert 1
PKI[13]: pki_policy_iterate, pki_ossl_policy.c:222
PKI[13]: get_policy_list, pki_ossl_policy.c:105
PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:41
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy SAMLAzureAD for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: pki_is_policy_match: policy SAMLAzureAD rejected. No matching fingerprint in chain
PKI[13]: pki_is_policy_match, pki_ossl_policy.c:348
PKI[9]: Evaluating policy CA-MyCompany2 for conn type 0x20
PKI[13]: finger_print_nonzero, pki_ossl_policy.c:72
PKI[9]: selected policy CA-MyCompany2 based on cert idx 1
PKI[8]: trusted_cert_idx: 1, top_of chain_idx 1
PKI[7]: Selected policy CA-MyCompany2 for session 0x018c1a5d
PKI[13]: pki_ossl_check_ee_ku, pki_ossl_validate.c:958
PKI[13]: get_tp_from_policy, pki_ossl_policy_transition.c:228
PKI[11]: polinfo->name: CA-MyCompany2
PKI[11]: tp label: Trustpool
PKI[13]: label: CA-MyCompany2
PKI[13]: TP list label: VPNRA_SelfSigned
PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable for usage type SSL VPN Peer
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer
PKI[7]: check_key_usage:Key Usage check OK
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:160
PKI[13]: CERT_Close, vpn3k_cert_api.c:284
PKI[8]: Close session 0x018c1a5d asynchronously
PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2630
PKI[9]: Async unlocked for session 0x018c1a5d
PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2528
PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2463
PKI[8]: process msg cmd=1, session=0x018c1a5d
PKI[9]: Async locked for session 0x018c1a5d
PKI[9]: Async unlocked for session 0x018c1a5d
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:247
PKI[9]: CERT API thread sleeps!
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
webvpn_db.c:webvpn_get_server_db_first[187]
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
webvpn_db.c:webvpn_get_port_forward_db_first[893]
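As an added example (not code from the thread, the poster or Cisco), here is a Python script that pulls out of the FTD PKI debug the same decisions the replies above read by hand: which trustpoint policy was rejected on validation-usage (the "conn_type 32 not allowed" line), which policy was finally selected, and how the client certificate's KU/EKU checks came out. Its sample input is excerpted from the two debug runs posted in this thread, and the findings it prints follow the replies' own interpretation.

```python
"""Pull the policy-selection and key-usage decisions out of a Cisco FTD/ASA PKI debug
for an SSL VPN client certificate, the checks this thread walks through by hand.
Added example; the line formats come only from the debug output quoted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard PKIX extended key usage OIDs (RFC 5280); the two that appear in the thread.
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

_SEARCH = re.compile(r"Policy search for cert (\d+)")
_REJECT = re.compile(r"pki_is_policy_match: policy (\S+) rejected(?: \(usage: (\d+)\))?\.\s*(.*)")
_SELECT = re.compile(r"selected policy (\S+) based on cert idx (\d+)")
_KU = re.compile(r"check_key_usage: KU bit (\w+) is (ON|OFF)")
_EKU = re.compile(r"ExtendedKeyUsage OID = ([\d.]+),? (NOT acceptable|acceptable) for usage type:? (.+)")


@dataclass
class PkiResult:
    # (cert index searched, trustpoint/policy name, "rejected" or "selected", detail)
    policy_checks: List[Tuple[Optional[int], str, str, str]] = field(default_factory=list)
    selected_policy: Optional[str] = None
    no_policy: bool = False  # "Unable to find policy" seen
    ku_bits: Dict[str, bool] = field(default_factory=dict)
    eku_checks: List[Tuple[str, str, bool]] = field(default_factory=list)  # (oid, name, acceptable)
    ku_check_ok: bool = False


def parse_pki_debug(text: str) -> PkiResult:
    """Single pass over the debug, keeping decisions and skipping function-trace lines."""
    r = PkiResult()
    cert_idx = None
    for line in text.splitlines():
        if m := _SEARCH.search(line):
            cert_idx = int(m.group(1))
        elif m := _REJECT.search(line):
            detail = m.group(3).strip()
            if m.group(2):  # usage bitmask carried by the trustpoint policy
                detail = f"usage {m.group(2)}: {detail}"
            r.policy_checks.append((cert_idx, m.group(1), "rejected", detail))
        elif m := _SELECT.search(line):
            r.selected_policy = m.group(1)
            r.policy_checks.append((int(m.group(2)), m.group(1), "selected", ""))
        elif "Unable to find policy" in line:
            r.no_policy = True
        elif m := _KU.search(line):
            r.ku_bits[m.group(1)] = m.group(2) == "ON"
        elif m := _EKU.search(line):
            oid = m.group(1)
            r.eku_checks.append((oid, EKU_NAMES.get(oid, "unknown"), m.group(2) == "acceptable"))
        elif "Key Usage check OK" in line:
            r.ku_check_ok = True
    return r


def diagnose(r: PkiResult) -> List[str]:
    """Turn the parsed decisions into the findings a defender would act on."""
    findings = []
    # "conn_type 32 not allowed": the trustpoint's validation-usage excludes this SSL session.
    usage_rejects = sorted({p[1] for p in r.policy_checks
                            if p[2] == "rejected" and "not allowed" in p[3]})
    if r.no_policy and usage_rejects:
        findings.append(f"no trustpoint allows the SSL connection type: {', '.join(usage_rejects)} "
                        "rejected on validation-usage; check the trustpoint for 'no validation-usage' "
                        "(the thread ties this to CSCwa97394) before blaming the client certificate")
    elif r.no_policy:
        findings.append("no trustpoint matched the presented chain")
    if r.selected_policy:
        findings.append(f"chain anchored by trustpoint {r.selected_policy}")
    if r.eku_checks and not any(ok for _, _, ok in r.eku_checks):
        findings.append("client certificate has no EKU acceptable for SSL VPN Peer (needs clientAuth)")
    if r.eku_checks and r.ku_check_ok:
        accepted = ", ".join(name for _, name, ok in r.eku_checks if ok)
        findings.append(f"KU/EKU check passed via {accepted}; "
                        "certificate validation is not where this connection fails")
    return findings


# Excerpts of the two debug runs posted in this thread, with function-trace lines dropped.
FIRST_RUN = """\
PKI[9]: Policy search for cert 0
PKI[9]: pki_is_policy_match: policy CA-Corp rejected (usage: 640). conn_type 32 not allowed
PKI[9]: pki_is_policy_match: policy Trustpool rejected. Cert match required
PKI[9]: Policy search for cert 1
PKI[9]: pki_is_policy_match: policy CA-MyCompany rejected (usage: 640). conn_type 32 not allowed
PKI[4]: Unable to find policy
"""
SECOND_RUN = """\
PKI[9]: Policy search for cert 1
PKI[9]: pki_is_policy_match: policy SAMLAzureAD rejected. No matching fingerprint in chain
PKI[9]: selected policy CA-MyCompany2 based on cert idx 1
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable for usage type SSL VPN Peer
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2 acceptable for usage type: SSL VPN Peer
PKI[7]: check_key_usage:Key Usage check OK
"""

if __name__ == "__main__":
    for label, run in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, *diagnose(parse_pki_debug(run)), sep="\n  - ")
```

Feed it the full output of debug crypto ca (as in the posts above) rather than the excerpts; the function-trace lines are simply ignored.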


Hey andre.ortega, 

Looks like now the connection fails for something else, try running the following logs:

logging class svc buffered 7

logging class ca buffered 7

logging class auth buffered 7

logging class ssl buffered 7


You can share the logs after a test using "show log" so we can try to figure out why the connection still fails.


-JP-

Hope this helps!

Here are the logs:

My IP (client) is 187.10.122.126.


QHFW sh run logging
logging enable
logging timestamp
logging emblem
logging list MANAGER_VPN_EVENT_LIST level notifications class auth
logging list MANAGER_VPN_EVENT_LIST level notifications class vpn
logging list MANAGER_VPN_EVENT_LIST level notifications class vpnc
logging list MANAGER_VPN_EVENT_LIST level notifications class vpnfo
logging list MANAGER_VPN_EVENT_LIST level notifications class vpnlb
logging list MANAGER_VPN_EVENT_LIST level notifications class webfo
logging list MANAGER_VPN_EVENT_LIST level notifications class webvpn
logging list MANAGER_VPN_EVENT_LIST level notifications class ca
logging list MANAGER_VPN_EVENT_LIST level notifications class svc
logging list MANAGER_VPN_EVENT_LIST level notifications class ssl
logging list MANAGER_VPN_EVENT_LIST level notifications class dap
logging list MANAGER_VPN_EVENT_LIST level notifications class ipaa
logging buffer-size 20480
logging buffered errors
logging trap warnings
logging FMC MANAGER_VPN_EVENT_LIST
logging device-id hostname
logging host inside 10.10.10.19 format emblem
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
logging permit-hostdown
logging class auth buffered debugging
logging class ca buffered debugging
logging class svc buffered debugging
logging class ssl buffered debugging
no logging message 106015
no logging message 313005
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
QHFW show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Timezone: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, class auth ca svc ssl, 6519421 messages logged
Trap logging: level warnings, facility 20, 12167809 messages logged
Logging to inside 10.10.10.19 (EMBLEM format), UDP TX:166848234 errors: 964 dropped: 26093
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: enabled
History logging: disabled
Device ID: hostname "ADDHQFW01"
Mail logging: disabled
ASDM logging: disabled
FMC logging: list MANAGER_VPN_EVENT_LIST, class auth ca svc ssl, 5938777 messages logged
ide2:128.1.80.113 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.113 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.113 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.151 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.151 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.151 (type 3, code 3)
<163>:Aug 07 14:03:18 UTC: %FTD-session-3-106014: Deny inbound icmp src inside:10.10.10.19 dst nlp_int_tap:169.254.1.2 (type 3, code 10)
<163>:Aug 07 14:03:19 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:19 UTC: %FTD-session-3-106014: Deny inbound icmp src inside:10.10.10.19 dst nlp_int_tap:169.254.1.2 (type 3, code 10)
<163>:Aug 07 14:03:19 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:19 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:19 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.115 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.215 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.212 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.124 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:128.1.80.124 (type 3, code 3)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-106014: Deny inbound icmp src inside:10.10.10.19 dst nlp_int_tap:169.254.1.2 (type 3, code 10)
<163>:Aug 07 14:03:20 UTC: %FTD-session-3-305006: regular translation creation failed for icmp src guest:172.31.0.2 dst outside2:199.91.72.212 (type 3, code 3)
<166>:Aug 07 14:03:25 UTC: %FTD-ssl-6-725007: SSL session with client outside2:187.10.122.126/8819 to 201.0.207.XX/443 terminated
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725001: Starting SSL handshake with client outside2:187.10.122.126/8845 to 201.0.207.XX/443 for TLS session
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725010: Device supports the following 20 cipher(s)
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[4] : AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[12] : AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[16] : AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[18] : AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[20] : AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725008: SSL client outside2:187.10.122.126/8845 to 201.0.207.XX/443 proposes the following 19 cipher(s)
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[7] : AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[9] : AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[17] : AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[18] : AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[19] : AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside2:187.10.122.126/8845 to 201.0.207.XX/443
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8845 to 201.0.207.XX/443
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725002: Device completed SSL handshake with client outside2:187.10.122.126/8845 to 201.0.207.XX/443 for TLSv1.2 session
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725007: SSL session with client outside2:187.10.122.126/8845 to 201.0.207.XX/443 terminated
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725001: Starting SSL handshake with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 for TLS session
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725010: Device supports the following 20 cipher(s)
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[4] : AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[12] : AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[16] : AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[18] : AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[20] : AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725008: SSL client outside2:187.10.122.126/8846 to 201.0.207.XX/443 proposes the following 19 cipher(s)
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[7] : AES256-GCM-SHA384
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[9] : AES256-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[17] : AES128-GCM-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[18] : AES128-SHA256
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725011: Cipher[19] : AES128-SHA
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside2:187.10.122.126/8846 to 201.0.207.XX/443
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8846 to 201.0.207.XX/443
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725017: No certificates received during the handshake with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 for DTLSv1 session
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725002: Device completed SSL handshake with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 for TLSv1.2 session
<166>:Aug 07 14:03:28 UTC: %FTD-ssl-6-725007: SSL session with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 terminated
<166>:Aug 07 14:03:28 UTC: %FTD-ssl-6-725001: Starting SSL handshake with client outside2:187.10.122.126/8847 to 201.0.207.XX/443 for TLS session
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725010: Device supports the following 20 cipher(s)
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[4] : AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[12] : AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[16] : AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[18] : AES256-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[20] : AES128-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725008: SSL client outside2:187.10.122.126/8847 to 201.0.207.XX/443 proposes the following 19 cipher(s)
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[7] : AES256-GCM-SHA384
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[9] : AES256-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[17] : AES128-GCM-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[18] : AES128-SHA256
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725011: Cipher[19] : AES128-SHA
<167>:Aug 07 14:03:28 UTC: %FTD-ssl-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside2:187.10.122.126/8847 to 201.0.207.XX/443
<166>:Aug 07 14:03:28 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8847 to 201.0.207.XX/443
<166>:Aug 07 14:03:29 UTC: %FTD-ssl-6-725001: Starting SSL handshake with client outside2:187.10.122.126/8848 to 201.0.207.XX/443 for TLS session
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725010: Device supports the following 20 cipher(s)
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[4] : AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[12] : AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[16] : AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[17] : DHE-RSA-AES256-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[18] : AES256-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[19] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[20] : AES128-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725008: SSL client outside2:187.10.122.126/8848 to 201.0.207.XX/443 proposes the following 19 cipher(s)
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[5] : DHE-RSA-AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[6] : DHE-RSA-AES256-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[7] : AES256-GCM-SHA384
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[8] : AES256-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[9] : AES256-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[12] : ECDHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[16] : DHE-RSA-AES128-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[17] : AES128-GCM-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[18] : AES128-SHA256
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725011: Cipher[19] : AES128-SHA
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client outside2:187.10.122.126/8848 to 201.0.207.XX/443
<166>:Aug 07 14:03:29 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8848 to 201.0.207.XX/443
<167>:Aug 07 14:03:29 UTC: %FTD-ssl-7-725017: No certificates received during the handshake with client outside2:187.10.122.126/8848 to 201.0.207.XX/443 for DTLSv1 session
<166>:Aug 07 14:03:29 UTC: %FTD-ssl-6-725002: Device completed SSL handshake with client outside2:187.10.122.126/8848 to 201.0.207.XX/443 for TLSv1.2 session
<163>: 2023 Aug 07 14:03:29 UTC 58d41f9a-2dc2-11eb-8f4e-cea5e9e7bd23 : %FTD-vpn-3-713048: IP = 200.225.197.96, Error processing payload: Payload ID: 1
QHFW

Kasper Elsborg
Level 1

The bug is still going on in 7.4.1.1.


crypto ca trustpoint cert.xxx.xxx.xx
enrollment terminal
fqdn cert.xxx.xxx.xx
subject-name CN=cert.xxx.xxx.xx,C=YY
keypair <Default-RSA-Key>
no validation-usage
no ca-check
crl configure
crypto ca trustpoint 2cert.xxx.xxx.xx
enrollment terminal
fqdn cert.xxx.xxx.xx
subject-name OU=Lab,CN=cert.xxx.xxx.xx,C=YY
keypair <Default-RSA-Key>
no ca-check
crl configure

PKI[9]: Evaluating policy cert.xxx.xxx.xx for conn type 0x20
PKI[9]: pki_is_policy_match: policy cert.xxx.xxx.xx rejected (usage: 6784). conn_type 32 not allowed

BR. Kasper


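As an added triage helper (not part of either poster's output and not a Cisco tool), the script below groups the %FTD-ssl-6-725016 / %FTD-ssl-7-725017 syslog pairs quoted above by client session and extracts the policy name, usage value and conn_type from the pki_is_policy_match rejection line; the sample log is constructed from the line formats shown in this thread, and the regexes assume those layouts.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the FTD syslog and PKI debug formats
# quoted in this thread (client address and policy name taken from the posts).
SAMPLE_LOG = """\
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8846 to 201.0.207.XX/443
<167>:Aug 07 14:03:27 UTC: %FTD-ssl-7-725017: No certificates received during the handshake with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 for DTLSv1 session
<166>:Aug 07 14:03:27 UTC: %FTD-ssl-6-725002: Device completed SSL handshake with client outside2:187.10.122.126/8846 to 201.0.207.XX/443 for TLSv1.2 session
<166>:Aug 07 14:03:28 UTC: %FTD-ssl-6-725016: Device selects trust-point CA-MyCompany for client outside2:187.10.122.126/8847 to 201.0.207.XX/443
PKI[9]: Evaluating policy cert.xxx.xxx.xx for conn type 0x20
PKI[9]: pki_is_policy_match: policy cert.xxx.xxx.xx rejected (usage: 6784). conn_type 32 not allowed
"""

# Message id plus the client interface:ip/port that every %FTD-ssl line carries.
SSL_RE = re.compile(
    r"%FTD-ssl-\d-(?P<msgid>\d{6}): .*?client (?P<iface>\S+?):(?P<ip>[\d.]+)/(?P<port>\d+) to")
# The PKI policy rejection line as printed in the thread.
REJECT_RE = re.compile(
    r"pki_is_policy_match: policy (?P<policy>\S+) rejected \(usage: (?P<usage>\d+)\)\."
    r" conn_type (?P<conn>\d+) not allowed")

def parse_ssl_sessions(text):
    """Group %FTD-ssl message ids by client (ip, port) so one TLS session reads as a whole."""
    sessions = defaultdict(set)
    for m in SSL_RE.finditer(text):
        sessions[(m["ip"], int(m["port"]))].add(m["msgid"])
    return sessions

def parse_policy_rejections(text):
    """Extract policy name, usage value and connection type from each rejection line."""
    return [{"policy": m["policy"], "usage": int(m["usage"]), "conn_type": int(m["conn"])}
            for m in REJECT_RE.finditer(text)]

def triage(text):
    """Flag sessions where a trust-point was selected (725016) but no client certificate
    arrived (725017), and list every trustpoint policy rejected for the connection type."""
    sessions = parse_ssl_sessions(text)
    no_cert = sorted(k for k, ids in sessions.items() if {"725016", "725017"} <= ids)
    return {"no_client_cert": no_cert, "rejections": parse_policy_rejections(text)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
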
Hi Kasper, 

Thanks for confirming this is still happening in 7.4.1.

Just to add a little more context about why CSCwa97394 is actually showing up as fixed: this behavior was confirmed to be expected based on multiple factors. If the workaround of removing the first certificate and then adding the second is not a good option in your case, I'd recommend you open a TAC case so we can troubleshoot and check all possible options to achieve your goal.

-JP-

Hope this helps!