03-22-2013 06:08 PM - last edited on 02-21-2020 11:53 PM by cc_security_adm
I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the AnyConnect 3.1 on a Win XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download, then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC.
Any ideas why this is not working?
03-23-2013 09:04 PM
Hi there,
Is the Root certificate installed on the ASA?
Does the client have a valid Client certificate?
Are you testing with an admin account?
Could you share the "debug crypto ca 255" output during a connection attempt?
HTH.
Portu.
03-25-2013 05:50 AM
The client PC has a machine certificate. The ASA has a copy of the certificate from the CA that signed the machine cert. I am logging in with a user account, not an admin account. Note that if AnyConnect is installed on the client PC, I can use it to connect just fine. It's only the web install that fails. Below is the output of the debug crypto ca 255:
asa-vpn-1/act# CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51 | ...` ...o.Igo.NQ
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x30c0bcbf asynchronously
CERT_API: Async unlocked for session 0x30c0bcbf
CERT_API: process msg cmd=1, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf
CERT_API: Async unlocked for session 0x30c0bcbf
CERT API thread sleeps!
CERT_API: Authenticate session 0x310022b5, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x310022b5
CERT_API: Async locked for session 0x310022b5
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51 | ...` ...o.Igo.NQ
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x310022b5 asynchronously
CERT_API: Async unlocked for session 0x310022b5
CERT_API: process msg cmd=1, session=0x310022b5
CERT_API: Async locked for session 0x310022b5
CERT_API: Async unlocked for session 0x310022b5
CERT API thread sleeps!
CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x314d3205
CERT_API: Async locked for session 0x314d3205
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x314d3205 asynchronously
CERT_API: Async unlocked for session 0x314d3205
CERT_API: process msg cmd=1, session=0x314d3205
CERT_API: Async locked for session 0x314d3205
CERT_API: Async unlocked for session 0x314d3205
CERT API thread sleeps!
CERT_API: Authenticate session 0x31ad6583, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31ad6583 asynchronously
CERT_API: Async unlocked for session 0x31ad6583
CERT_API: process msg cmd=1, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583
CERT_API: Async unlocked for session 0x31ad6583
CERT API thread sleeps!
CERT_API: Authenticate session 0x31c167bb, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f | ......*.._....>.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31c167bb asynchronously
CERT_API: Async unlocked for session 0x31c167bb
CERT_API: process msg cmd=1, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb
CERT_API: Async unlocked for session 0x31c167bb
CERT API thread sleeps!
CERT_API: Authenticate session 0x3209b801, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3209b801
CERT_API: Async locked for session 0x3209b801
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3209b801 asynchronously
CERT_API: Async unlocked for session 0x3209b801
CERT_API: process msg cmd=1, session=0x3209b801
CERT_API: Async locked for session 0x3209b801
CERT_API: Async unlocked for session 0x3209b801
CERT API thread sleeps!
CERT_API: Authenticate session 0x3266eb61, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3266eb61 asynchronously
CERT_API: Async unlocked for session 0x3266eb61
CERT_API: process msg cmd=1, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61
CERT_API: Async unlocked for session 0x3266eb61
CERT API thread sleeps!
CERT_API: Authenticate session 0x328359af, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x328359af
CERT_API: Async locked for session 0x328359af
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x328359af asynchronously
CERT_API: Async unlocked for session 0x328359af
CERT_API: process msg cmd=1, session=0x328359af
CERT_API: Async locked for session 0x328359af
CERT_API: Async unlocked for session 0x328359af
CERT API thread sleeps!
CERT_API: Authenticate session 0x32c7c677, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x32c7c677 asynchronously
CERT_API: Async unlocked for session 0x32c7c677
CERT_API: process msg cmd=1, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677
CERT_API: Async unlocked for session 0x32c7c677
CERT API thread sleeps!
CERT_API: Authenticate session 0x3305560d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3305560d
CERT_API: Async locked for session 0x3305560d
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3305560d asynchronously
CERT_API: Async unlocked for session 0x3305560d
CERT_API: process msg cmd=1, session=0x3305560d
CERT_API: Async locked for session 0x3305560d
CERT_API: Async unlocked for session 0x3305560d
CERT API thread sleeps!
CERT_API: Authenticate session 0x3378de7d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f | .=......u.(.z...
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3378de7d asynchronously
CERT_API: Async unlocked for session 0x3378de7d
CERT_API: process msg cmd=1, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d
CERT_API: Async unlocked for session 0x3378de7d
CERT API thread sleeps!
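Added example (not part of the original post, and not Cisco code): a small parser that condenses `debug crypto ca 255` output like the above into one record per certificate the ASA could not match to a trustpoint, with the sessions that presented it. The sample lines are copied from the output above; the function and variable names are hypothetical.

```python
import re

# Sample input: lines copied from the debug output posted above (three sessions).
SAMPLE = """\
CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: Authenticate session 0x31ad6583, non-blocking cb=0x08eb6950
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
"""

SESSION_RE = re.compile(r"CERT_API: Authenticate session (0x[0-9a-fA-F]+)")
NO_TRUSTPOINT_RE = re.compile(
    r"No suitable trustpoints found to validate certificate "
    r"serial number: (?P<serial>[0-9A-Fa-f]+), "
    r"subject name: (?P<subject>.+?), issuer name: (?P<issuer>.+?)\s*\.?\s*$"
)


def summarize_unmatched_certs(log_text):
    """Collapse the debug output to one record per certificate that matched no trustpoint."""
    certs = {}      # serial -> record; dicts keep insertion order
    session = None  # most recent "Authenticate session" id seen
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            session = m.group(1)
            continue
        m = NO_TRUSTPOINT_RE.search(line)
        if not m:
            continue
        rec = certs.setdefault(m["serial"], {
            "serial": m["serial"],
            "subject": m["subject"],
            "issuer": m["issuer"],
            # Name comparison only: subject == issuer means self-issued by name;
            # the signature itself is not checked here.
            "self_issued": m["subject"].lower() == m["issuer"].lower(),
            "sessions": [],
        })
        rec["sessions"].append(session)
    return list(certs.values())


if __name__ == "__main__":
    for rec in summarize_unmatched_certs(SAMPLE):
        print(f'{rec["serial"]} subject={rec["subject"]} issuer={rec["issuer"]} '
              f'self_issued={rec["self_issued"]} sessions={len(rec["sessions"])}')
```
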
03-25-2013 04:57 PM
I think I may have misunderstood one of the questions. The account I tested with IS a local admin on the PC.