ASA 5506-X Anyconnect SSL Certificate not working

aiphix
Level 1

Installed AnyConnect 3.x images on my ASA 5506-X and configured everything as required, however my GoDaddy cert does not seem to be correctly applying to the VPN or the landing page. I cannot figure it out. Everything seems to be correct, but the active cert is still the self-signed one. The self-signed cert being displayed on the landing page and in use for AnyConnect is the default cert installed on the ASA for some reason.


BRCS-FW1(config)# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 327bbeb62f98eb05
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=Go Daddy Secure Certificate Authority - G2
    ou=http://certs.godaddy.com/repository/
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject Name:
    cn=vpn.certdoesntwork.com
    ou=Domain Control Validated
  OCSP AIA:
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points:
    [1]  http://crl.godaddy.com/gdig2s1-729.crl
  Validity Date:
    start date: 15:59:01 EDT Oct 4 2017
    end   date: 15:59:01 EDT Oct 4 2020
  Associated Trustpoints: ASDM_TrustPoint0
BRCS-FW1(config)# show run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.certdoesntwork.com
subject-name CN=vpn.certdoesntwork.com,OU=IT,O=Cert Doesnt Work,C=US,St=XX,L=Saturn
keypair brcsvpn.key
crl configure
BRCS-FW1# sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl trust-point ASDM_TrustPoint0 outside
ssl certificate-authentication fca-timeout 2


4 Replies

GioGonza
Level 4

Hello @aiphix

There are 4 reasons why the ASA will send a self-signed certificate:

1. You are actually using one (not your case).

2. You don't have a certificate applied on the outside (not your case).

3. A bug.

4. The certificate applied on the outside is not properly configured (maybe your case).

Can you share the configuration and a picture of the 3 certificates that should be on the ASA (identity, intermediate and root certificates)? If you are missing one of them, that's the reason why it is failing.

HTH

Gio

I don't have a root cert installed, only the intermediate. My understanding is that is all I need. I was having issues associating it to the same trustpoint as the identity cert though. Perhaps this is the issue?

Hello @aiphix,

Yes, you are missing the GoDaddy root certificate. You need to have all 3 of them installed on the ASA; if you are missing just one, it is not going to work.

Also, it doesn't matter if the trustpoint is not associated, since this root is associated with the intermediate and not the identity. Install the root certificate and test the connection again. It should work.

HTH

Gio

EDIT: Downloaded and installed the wrong GoDaddy root cert. Installed the correct one and everything is working.

Thanks!
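The chain requirement Gio describes (identity, intermediate and root all present so the chain closes) can be checked from the client side with openssl. This is an added example, not part of the thread or of Cisco's documentation: it builds a constructed three-tier chain with made-up names and then shows the complete case next to the two broken ones (intermediate missing, root missing).

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed three-tier chain
# (root CA -> intermediate CA -> identity cert) with openssl, then check whether
# an identity certificate chains to a trusted root through the intermediates
# supplied with it. Names are made up; requires openssl 1.1.1 or later.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME SUBJECT ISSUER|self BASICCONSTRAINTS  -> $WORK/NAME.pem + NAME.key
mkcert() {
  name=$1; subj=$2; issuer=$3; bc=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=%s\n' "$bc" > "$WORK/$name.ext"
  if [ "$issuer" = self ]; then set -- -signkey "$WORK/$name.key"
  else set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial; fi
  openssl x509 -req -in "$WORK/$name.csr" -days 2 -sha256 "$@" \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# check_chain TRUSTED_CA IDENTITY [INTERMEDIATES]: prints "complete" when the
# identity cert verifies up to a trusted self-signed root, otherwise
# "broken: <reason>" taken from openssl verify's depth-lookup error line.
check_chain() {
  ca=$1; ident=$2
  if [ -n "$3" ]; then set -- -untrusted "$3"; else set --; fi
  if out=$(openssl verify -CAfile "$ca" "$@" "$ident" 2>&1); then
    echo complete
  else
    echo "broken: $(printf '%s\n' "$out" \
      | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)"
  fi
}

mkcert root  "/CN=Demo Root CA"         self  "critical,CA:TRUE"
mkcert inter "/CN=Demo Intermediate CA" root  "critical,CA:TRUE"
mkcert ident "/CN=vpn.example.test"     inter "CA:FALSE"

# Identity + intermediate presented, root trusted: the chain closes.
check_chain "$WORK/root.pem" "$WORK/ident.pem" "$WORK/inter.pem"
# Intermediate not presented: the identity cert cannot be linked to the root.
check_chain "$WORK/root.pem" "$WORK/ident.pem"
# Root missing from the trusted set (the thread's situation): no trust anchor.
check_chain "$WORK/inter.pem" "$WORK/ident.pem" "$WORK/inter.pem"
```

Against a live gateway, the same check runs on the chain captured with `openssl s_client -showcerts -connect host:443`, with the identity cert as the second argument and the remaining server-sent certs as the third.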