
AnyConnect with certificate gets an error

elnurh (Level 1)

I have a problem with the latest AnyConnect Mobile clients; on any device (iPhone, PC, ...) I get this error message.

Anyconnect cannot verify the VPN server : fw01.cert.loc

Certificate does not match the server name

Certificate is from an untrusted source

I have a Windows 2012 R2 external CA.

On the ASA I installed the Windows CA and identity certificate via SCEP; when I try to connect I see the above error. AnyConnect version 4.3; on the client PC the user certificate and CA certificate are installed.

I need authentication via certificate only. When I try to connect to the ASA 8.4 I see the error above, and after pushing "Connect Anyway" I see the username and password window.

Please help.

6 Replies

JP Miranda Z (Cisco Employee)

Hi elnurh,

The message you are getting does not have anything to do with certificate authentication but with the SSL certificate check on the ASA. Can you share the following configuration:

sh run all ssl

sh cry ca certificates

sh run tunnel-group <> (specify the tunnel you are trying to connect)

Hope this info helps!!

Rate if it helps you!!

-JP-


ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-sha1

tunnel-group anyconn_prof type remote-access
tunnel-group anyconn_prof general-attributes
 address-pool rem_vpn_pool
 default-group-policy anyconn_gp
tunnel-group anyconn_prof webvpn-attributes
 authentication certificate
 group-alias corp enable


Certificate
  Status: Available
  Certificate Serial Number: 1d0000000c44026cb756dc9d1600020000000c
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=adca
    dc=cybernet
    dc=az
  Subject Name:
    cn=fw01.cybernet.az
    hostname=fw01.cybernet.az

CRYPTO_PKI: certificate contains 9 extensions.
  CRL Distribution Points:
    [1]  ldap:///CN=adca(1),CN=adca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=cybernet,DC=az?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 13:00:01 AZST Dec 15 2016
    end   date: 13:00:01 AZST Dec 15 2018
  Associated Trustpoints: iden

CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e

CA Certificate
  Status: Available
  Certificate Serial Number: 1588ea9a374b0d92464081e34ec7b0ed
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 05 05 07 01 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
CRYPTO_PKI: certificate contains extension OID:
55 1d 25
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 0a

CRYPTO_PKI: certificate contains 9 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 05 05 07 01 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
CRYPTO_PKI: certificate contains extension OID:
55 1d 25
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 0a

CRYPTO_PKI: status = 0: failed to get extension from cert
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=adca
    dc=cybernet
    dc=az
  Subject Name:
    cn=adca
    dc=cybernet
    dc=az
  Validity Date:
    start date: 16:33:40 AZST Dec 2 2016
    end   date: 16:45:19 AZST Dec 2 2026
  Associated Trustpoints: iden ssl_ca

fw01(config)#
CRYPTO_PKI: certificate contains 5 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02

CRYPTO_PKI: certificate contains 5 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02
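
The debug output above prints each extension OID as raw DER bytes, which makes it hard to tell what the certificates actually carry. The following is an added example, not code from the thread or from Cisco: it decodes those hex dumps into dotted OID form and labels the common ones. The sample input is the identity certificate's nine extension lines copied from the post above; the name table is an assumed mapping of standard RFC 5280 extension OIDs plus the Microsoft CA arc (1.3.6.1.4.1.311.21.x) that a Windows CA adds.

```python
"""Decode the raw extension OIDs that `debug crypto ca` prints on an ASA.

Added example, not from the thread. The hex dumps in SAMPLE_DEBUG are copied
from the identity-certificate debug lines in the post above; the OID-to-name
table is an assumed mapping of well-known RFC 5280 and Microsoft CA OIDs.
"""
from typing import List, Tuple

# Well-known extension OIDs (RFC 5280) and the Microsoft CA-specific arc.
OID_NAMES = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
    "1.3.6.1.4.1.311.21.1": "msCertSrvCAVersion",
    "1.3.6.1.4.1.311.21.2": "msCertSrvPreviousCertHash",
    "1.3.6.1.4.1.311.21.7": "msCertificateTemplate",
    "1.3.6.1.4.1.311.21.10": "msApplicationPolicies",
}

# Constructed sample: the nine extension lines of the identity certificate,
# exactly as the ASA printed them in the post.
SAMPLE_DEBUG = """\
CRYPTO_PKI: certificate contains 9 extensions.
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 11
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 05 05 07 01 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 07
CRYPTO_PKI: certificate contains extension OID:
55 1d 25
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 0a
"""


def decode_oid(hex_bytes: str) -> str:
    """Turn a space-separated hex dump of a DER OID *value* into dotted form.

    DER packs the first two arcs into one byte (40*a + b, with a capped at 2);
    every later arc is base-128, high bit set on all bytes but the last.
    """
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    if not data:
        raise ValueError("empty OID")
    first = data[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:  # last byte still had its continuation bit: dump was cut off
        raise ValueError("truncated OID encoding")
    return ".".join(str(a) for a in arcs)


def parse_debug(text: str) -> List[Tuple[str, str]]:
    """Pull every OID out of ASA `debug crypto ca` output and name it.

    A line that cannot be decoded (e.g. one the terminal pager split, as
    happened in the post) is reported as 'unparsable' instead of aborting.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    found = []
    for i, ln in enumerate(lines):
        if not ln.startswith("CRYPTO_PKI: certificate contains extension OID:"):
            continue
        raw = lines[i + 1] if i + 1 < len(lines) else ""
        try:
            oid = decode_oid(raw)
            found.append((oid, OID_NAMES.get(oid, "unknown")))
        except ValueError:
            found.append((raw, "unparsable"))
    return found


if __name__ == "__main__":
    for oid, name in parse_debug(SAMPLE_DEBUG):
        print(f"{oid:28s} {name}")
```

Run against the post's output, the identity certificate decodes to keyUsage, subjectAltName, subjectKeyIdentifier, authorityKeyIdentifier, cRLDistributionPoints, authorityInfoAccess, msCertificateTemplate, extKeyUsage and msApplicationPolicies, and the five-extension CA certificate further down shows basicConstraints (55 1d 13) and the two Microsoft CA-version OIDs, which is the normal shape for a Windows enterprise CA.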

elnurh,

First of all, the message you are getting when initiating AnyConnect about the untrusted connection is because you don't have your identity certificate applied to the SSL configuration:

ssl trust-point iden <outside>

If you are using an internal CA you may need to install the identity and CA on the computer that you are using to connect through AnyConnect.

This guide explains how to configure certificate authentication, which does not have anything to do with the untrusted pop-up you get:

https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based-authentication

Hope this info helps!!

Rate if it helps you!!

-JP-
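
The two lines AnyConnect showed in the first post are two independent client-side checks: does a name in the certificate match the host the client was told to connect to, and does the certificate chain to a CA the client trusts. Fixing the trustpoint addresses only the second. As an added example, not code from the thread or from Cisco, the function below runs both checks on a certificate dictionary shaped like Python's ssl.getpeercert() output. Name matching follows the RFC 6125 rules (subjectAltName DNS entries first, the CN only as a fallback, a wildcard only as the whole leftmost label); the trust check is a deliberate simplification that compares the issuer DN against an assumed set of imported CAs instead of validating signatures. The sample certificate is constructed from the subject and issuer shown in the post.

```python
"""What an SSL client checks before it trusts a VPN gateway's certificate.

Added example, not code from the thread or from Cisco. The certificate below
is constructed from the subject/issuer printed in the post (no key material);
TRUSTED_ISSUERS is an assumed trust store, and issuer-DN lookup stands in for
real chain validation.
"""
from typing import List

# Constructed from the identity certificate in the thread, in the nested-tuple
# layout that ssl.getpeercert() uses for subject/issuer.
GATEWAY_CERT = {
    "subject": ((("commonName", "fw01.cybernet.az"),),),
    "issuer": (
        (("commonName", "adca"),),
        (("domainComponent", "cybernet"),),
        (("domainComponent", "az"),),
    ),
    "subjectAltName": (("DNS", "fw01.cybernet.az"),),
}

# Assumed trust store: the issuer DNs of CA certificates the client imported.
TRUSTED_ISSUERS = {GATEWAY_CERT["issuer"]}


def _name_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' accepted only as the entire leftmost label of a name with >= 3 labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert) -> List[str]:
    """DNS names the certificate claims: SAN entries win; the CN is used only
    when the certificate has no DNS SAN at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_gateway_cert(cert, server_name: str, trusted_issuers) -> List[str]:
    """Return the AnyConnect-style complaints that apply to this certificate
    for this server name; an empty list means the client would connect silently."""
    problems = []
    if not any(_name_match(n, server_name) for n in names_in_cert(cert)):
        problems.append("Certificate does not match the server name")
    if cert.get("issuer") not in trusted_issuers:
        problems.append("Certificate is from an untrusted source")
    return problems


if __name__ == "__main__":
    # The situation in the first post: client pointed at fw01.cert.loc, CA not imported.
    print(check_gateway_cert(GATEWAY_CERT, "fw01.cert.loc", set()))
    # Same certificate, correct hostname, CA imported: accepted.
    print(check_gateway_cert(GATEWAY_CERT, "fw01.cybernet.az", TRUSTED_ISSUERS))
```

With the server name from the first post (fw01.cert.loc) and an empty trust store, both messages come back; with fw01.cybernet.az and the adca issuer in the trust store, neither does. The point for the defender is that importing the CA on the client clears only the "untrusted source" line, and the gateway name the profile uses must match a DNS name in the certificate's subjectAltName (which the identity certificate in the post does carry, extension OID 55 1d 11).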

OK, I re-entered ssl trust-point outside and after that AnyConnect gives this error:

no valid certificates available for authentication

What does that mean? I have the user and CA certificates.

OK, now you are failing the certificate authentication. You can run the following debugs on the ASA:

debug cry ca messages 255

debug cry ca transactions 255

Hope this info helps!!

Rate if it helps you!!

-JP-

I have debugged with those two commands, but I can see nothing on the screen when I try to connect to the ASA via the AnyConnect client.
