12-15-2016 08:30 AM - edited 02-21-2020 09:05 PM
I have a problem with the latest AnyConnect Mobile clients; on any device (iPhone, PC, ...) I get this error message:
AnyConnect cannot verify the VPN server: fw01.cert.loc
Certificate does not match the server name
Certificate is from an untrusted source
I have a Windows 2012 R2 external CA.
In the ASA I installed the Windows CA and identity certificate via SCEP. When I try to connect I see the above error. AnyConnect version 4.3 on the client PC has the user certificate and CA certificate installed.
I need authentication via certificate only. When I try to connect to the ASA (8.4) I see the error above, and after pressing "Connect Anyway" I see the username and password window.
Please help.
12-15-2016 03:55 PM
Hi elnurh,
The message you are getting does not have anything to do with certificate authentication but with the SSL certificate check on the ASA. Can you share the following configuration:
sh run all ssl
sh cry ca certificates
sh run tunnel-group <> (specify the tunnel group you are trying to connect to)
Hope this info helps!!
Rate if it helps you!!
-JP-
12-16-2016 06:00 AM
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1
tunnel-group anyconn_prof type remote-access
tunnel-group anyconn_prof general-attributes
address-pool rem_vpn_pool
default-group-policy anyconn_gp
tunnel-group anyconn_prof webvpn-attributes
authentication certificate
group-alias corp enable
Certificate
Status: Available
Certificate Serial Number: 1d0000000c44026cb756dc9d1600020000000c
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=adca
dc=cybernet
dc=az
Subject Name:
cn=fw01.cybernet.az
hostname=fw01.cybernet.az
CRYPTO_PKI: certificate contains 9 extensions.
CRL Distribution Points:
[1] ldap:///CN=adca(1),CN=adca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=cybernet,DC=az?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 13:00:01 AZST Dec 15 2016
end date: 13:00:01 AZST Dec 15 2018
Associated Trustpoints: iden
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CA Certificate
Status: Available
Certificate Serial Number: 1588ea9a374b0d92464081e34ec7b0ed
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 05 05 07 01 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
CRYPTO_PKI: certificate contains extension OID:
55 1d 25
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 0a
CRYPTO_PKI: certificate contains 9 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 05 05 07 01 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
CRYPTO_PKI: certificate contains extension OID:
55 1d 25
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 0a
CRYPTO_PKI: status = 0: failed to get extension from cert
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=adca
dc=cybernet
dc=az
Subject Name:
cn=adca
dc=cybernet
dc=az
Validity Date:
start date: 16:33:40 AZST Dec 2 2016
end date: 16:45:19 AZST Dec 2 2026
Associated Trustpoints: iden ssl_ca
fw01(config)#
CRYPTO_PKI: certificate contains 5 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02
CRYPTO_PKI: certificate contains 5 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02
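The "CRYPTO_PKI: certificate contains extension OID:" lines above print each extension's OID as raw DER content bytes. The following Python is an added example, not code from the thread or from Cisco, that decodes those bytes to dotted form and names the common ones, so you can read off that 55 1d 11 on the identity certificate is subjectAltName and 55 1d 13 on the CA certificate is basicConstraints; the SAMPLE excerpt is constructed in the same shape as the output above.

```python
# Added example (not from the thread): decode the raw DER OID bytes that the ASA
# prints in "CRYPTO_PKI: certificate contains extension OID:" debug lines.
import re

# Extension OIDs seen in the thread's output, incl. Microsoft CA private OIDs.
OID_NAMES = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
    "1.3.6.1.4.1.311.21.1": "Microsoft CA version",
    "1.3.6.1.4.1.311.21.2": "Microsoft previous CA certificate hash",
    "1.3.6.1.4.1.311.21.7": "Microsoft certificate template",
    "1.3.6.1.4.1.311.21.10": "Microsoft application certificate policies",
}

def decode_oid(hex_bytes: str) -> str:
    """Convert DER OID content bytes such as '55 1d 0f' to dotted form '2.5.29.15'."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    if not data:
        raise ValueError("empty OID")
    # The first byte packs the first two arcs as 40*a + b (a is 0, 1 or 2).
    arcs = [data[0] // 40, data[0] % 40] if data[0] < 80 else [2, data[0] - 80]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 arcs, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:  # last byte still had its continuation bit set
        raise ValueError("truncated OID encoding")
    return ".".join(map(str, arcs))

def extension_names(debug_output: str) -> list:
    """List, in order, the extensions the ASA debug printed, by name where known."""
    pattern = r"extension OID:\s*([0-9a-f]{2}(?: [0-9a-f]{2})*)"
    return [OID_NAMES.get(decode_oid(h), decode_oid(h)) for h in re.findall(pattern, debug_output)]

# Constructed excerpt in the same shape as the identity-certificate output above.
SAMPLE = """CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
"""
```

Paste the full "sh cry ca certificates" output into extension_names() to see which extensions each certificate carries; unknown OIDs are returned in dotted form.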
12-16-2016 06:07 AM
First of all, the message you are getting when initiating AnyConnect about the untrusted connection is because you don't have your identity certificate applied in the SSL configuration:
ssl trust-point iden <outside>
If you are using an internal CA, you may need to install the identity and CA certificates on the computer that you are using to connect through AnyConnect.
This guide explains how to configure certificate authentication, which does not have anything to do with the untrusted pop-up you get:
https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication
Hope this info helps!!
Rate if it helps you!!
-JP-
12-18-2016 10:34 PM
OK, I re-entered ssl trust-point outside and after that AnyConnect gives this error:
no valid certificates available for authentication
What does that mean? I have the user and CA certificates.
12-19-2016 12:04 PM
OK, now you are failing the certificate authentication. You can run the following debugs on the ASA:
debug cry ca messages 255
debug cry ca transactions 255
Hope this info helps!!
Rate if it helps you!!
-JP-
12-22-2016 05:04 AM
I have run the debugs with those two commands, but I can see nothing on the screen when I try to connect to the ASA via the AnyConnect client.