AnyConnect web install getting certificate validation failure.

bdantzig
Level 1

I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have AnyConnect 3.1 on a Win XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download, then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC.

Any ideas why this is not working?

Sent from Cisco Technical Support iPad App

3 Replies

Hi there,

Is the Root certificate installed on the ASA?

Does the client have a valid Client certificate?

Are you testing with an admin account?

Could you share the "debug crypto ca 255" output during a connection attempt?

HTH.

Portu.

The client PC has a machine certificate. The ASA has a copy of the certificate from the CA that signed the machine cert. I am logging in with a user account, not an admin account. Note that if AnyConnect is installed on the client PC, I can use it to connect just fine. It's only the web install that fails. Below is the output of the debug crypto ca 255:

asa-vpn-1/act# CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51    |  ...` ...o.Igo.NQ

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x30c0bcbf asynchronously
CERT_API: Async unlocked for session 0x30c0bcbf
CERT_API: process msg cmd=1, session=0x30c0bcbf
CERT_API: Async locked for session 0x30c0bcbf
CERT_API: Async unlocked for session 0x30c0bcbf
CERT API thread sleeps!
CERT_API: Authenticate session 0x310022b5, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x310022b5
CERT_API: Async locked for session 0x310022b5

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
89 c7 b4 60 20 08 0c a9 6f a0 49 67 6f f5 4e 51    |  ...` ...o.Igo.NQ

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x310022b5 asynchronously
CERT_API: Async unlocked for session 0x310022b5
CERT_API: process msg cmd=1, session=0x310022b5
CERT_API: Async locked for session 0x310022b5
CERT_API: Async unlocked for session 0x310022b5
CERT API thread sleeps!
CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x314d3205
CERT_API: Async locked for session 0x314d3205

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x314d3205 asynchronously
CERT_API: Async unlocked for session 0x314d3205
CERT_API: process msg cmd=1, session=0x314d3205
CERT_API: Async locked for session 0x314d3205
CERT_API: Async unlocked for session 0x314d3205
CERT API thread sleeps!
CERT_API: Authenticate session 0x31ad6583, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31ad6583 asynchronously
CERT_API: Async unlocked for session 0x31ad6583
CERT_API: process msg cmd=1, session=0x31ad6583
CERT_API: Async locked for session 0x31ad6583
CERT_API: Async unlocked for session 0x31ad6583
CERT API thread sleeps!
CERT_API: Authenticate session 0x31c167bb, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
ea dd 93 e8 d0 84 2a b6 8c 5f 9c ba e3 db 3e 9f    |  ......*.._....>.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x31c167bb asynchronously
CERT_API: Async unlocked for session 0x31c167bb
CERT_API: process msg cmd=1, session=0x31c167bb
CERT_API: Async locked for session 0x31c167bb
CERT_API: Async unlocked for session 0x31c167bb
CERT API thread sleeps!
CERT_API: Authenticate session 0x3209b801, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3209b801
CERT_API: Async locked for session 0x3209b801

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3209b801 asynchronously
CERT_API: Async unlocked for session 0x3209b801
CERT_API: process msg cmd=1, session=0x3209b801
CERT_API: Async locked for session 0x3209b801
CERT_API: Async unlocked for session 0x3209b801
CERT API thread sleeps!
CERT_API: Authenticate session 0x3266eb61, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3266eb61 asynchronously
CERT_API: Async unlocked for session 0x3266eb61
CERT_API: process msg cmd=1, session=0x3266eb61
CERT_API: Async locked for session 0x3266eb61
CERT_API: Async unlocked for session 0x3266eb61
CERT API thread sleeps!
CERT_API: Authenticate session 0x328359af, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x328359af
CERT_API: Async locked for session 0x328359af

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x328359af asynchronously
CERT_API: Async unlocked for session 0x328359af
CERT_API: process msg cmd=1, session=0x328359af
CERT_API: Async locked for session 0x328359af
CERT_API: Async unlocked for session 0x328359af
CERT API thread sleeps!
CERT_API: Authenticate session 0x32c7c677, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x32c7c677 asynchronously
CERT_API: Async unlocked for session 0x32c7c677
CERT_API: process msg cmd=1, session=0x32c7c677
CERT_API: Async locked for session 0x32c7c677
CERT_API: Async unlocked for session 0x32c7c677
CERT API thread sleeps!
CERT_API: Authenticate session 0x3305560d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3305560d
CERT_API: Async locked for session 0x3305560d

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3305560d asynchronously
CERT_API: Async unlocked for session 0x3305560d
CERT_API: process msg cmd=1, session=0x3305560d
CERT_API: Async locked for session 0x3305560d
CERT_API: Async unlocked for session 0x3305560d
CERT API thread sleeps!
CERT_API: Authenticate session 0x3378de7d, non-blocking cb=0x08eb6950
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI: looking for cert in handle=0x722e0784, digest=
cd 3d c6 c8 d4 8d ba 85 75 9b 28 9e 7a e0 97 0f    |  .=......u.(.z...

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 0B0D7E1CE0870FBE483AFFF974C43AD7, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: calling user callback=0x08eb6950 with status=1
CERT_API: Close session 0x3378de7d asynchronously
CERT_API: Async unlocked for session 0x3378de7d
CERT_API: process msg cmd=1, session=0x3378de7d
CERT_API: Async locked for session 0x3378de7d
CERT_API: Async unlocked for session 0x3378de7d
CERT API thread sleeps!
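
Added example, not part of the original thread: a small Python parser for `debug crypto ca 255` output in the format posted above. It groups the "No suitable trustpoints found" lines by certificate serial number and records whether subject and issuer match, as they do on every failure line in this output; the function name `summarize` and the trimmed `SAMPLE` excerpt are this example's own.

```python
import re
from collections import OrderedDict

# Line formats taken from the `debug crypto ca 255` output posted above.
SESSION_RE = re.compile(r"CERT_API: Authenticate session (0x[0-9a-fA-F]+)")
FAIL_RE = re.compile(
    r"CRYPTO_PKI: No suitable trustpoints found to validate certificate "
    r"serial number: (?P<serial>[0-9A-Fa-f]+), subject name: (?P<subject>.*?), "
    r"issuer name: (?P<issuer>.*?)\s*\.\s*$"
)

def summarize(log_text):
    """Return one record per distinct certificate that no trustpoint validated."""
    certs = OrderedDict()  # serial -> record, in order of first appearance
    session = None
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)  # search(): the first line carries the CLI prompt
        if m:
            session = m.group(1)
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        subject, issuer = m.group("subject"), m.group("issuer")
        rec = certs.setdefault(m.group("serial").upper(), {
            "subject": subject,
            "issuer": issuer,
            # Same DN on both sides: the presented cert names itself as issuer.
            "subject_equals_issuer": subject.lower() == issuer.lower(),
            "sessions": [],
        })
        rec["sessions"].append(session)
    return certs

# Shortened excerpt of the posted output (three of the sessions, key lines only).
SAMPLE = """\
asa-vpn-1/act# CERT_API: Authenticate session 0x30c0bcbf, non-blocking cb=0x08eb6950
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: Authenticate session 0x310022b5, non-blocking cb=0x08eb6950
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 607A635F4286368E4E977C7BFE1C17E6, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
CERT_API: Authenticate session 0x314d3205, non-blocking cb=0x08eb6950
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 4398D2801DA922A24EDB059F3459001A, subject name: cn=CiscoSecureDesktop, issuer name: cn=CiscoSecureDesktop .
"""

if __name__ == "__main__":
    for serial, rec in summarize(SAMPLE).items():
        print(serial, rec["subject"], "issuer:", rec["issuer"],
              "attempts:", len(rec["sessions"]),
              "subject==issuer:", rec["subject_equals_issuer"])
```
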

bdantzig
Level 1

I think I may have misunderstood one of the questions. The account I tested with IS a local admin on the PC.


Sent from Cisco Technical Support Android App