10-26-2009 08:50 AM
Tried configuring SSL VPN using Certificate authentication using a Microsoft CA server. Trustpoint created and mapped to SSL VPN. While connecting to the SSL VPN, I am getting a certificate validation failure. Please find the error screenshot attached.
10-26-2009 01:15 PM
Get the syslogs + output of "debug crypto ca 10" at the time of a failing authentication attempt, that should give the reason for the failure.
If you need help interpreting the debug output then please post it here along with "show cry ca cert" and a copy of the client cert (just the cert, not the private key).
hth
Herbert
10-27-2009 06:16 AM
05-09-2011 07:48 AM
Hello,
I am experiencing the same issue. We have more than 1000 users on Cisco AnyConnect VPN using aaa and certificate for authentication. I get a certificate validation failure even after I download a new user certificate on the client machine. I would love to know the solution for this issue.
Thanks,
05-10-2011 12:53 AM
@kamalakannan1k: I'm very sorry, it looks like I never saw your update to this thread (maybe something went wrong with the notification email...). FWIW, it looks like your problem was that you did not import the CA certificate on the ASA.
@allen.malanda: your problem may or may not be the same. I would suggest checking the same command to start with, i.e. "show cry ca cert" should show you both a "Certificate" (the ASA's "server" certificate) as well as the CA certificate (i.e. the certificate of the CA that issued the client certificates).
hth
Herbert
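Added example, not part of the thread or of any Cisco tooling: a small Python check that reads saved "show crypto ca certificates" output and reports whether the ASA holds both its own certificate and a CA certificate whose subject matches the client certificate's issuer. The sample output is constructed, and the layout it assumes (unindented "Certificate" / "CA Certificate" headers followed by indented fields) and the function names are assumptions.

```python
# Constructed sample output; names are made up for illustration.
# Assumed layout: unindented section header, fields indented beneath it.
IDENTITY_ONLY = """\
Certificate
  Status: Available
  Issuer Name:
    cn=Example-Issuing-CA
  Subject Name:
    cn=vpn.example.test
"""
WITH_CA = IDENTITY_ONLY + """\
CA Certificate
  Status: Available
  Issuer Name:
    cn=Example-Issuing-CA
  Subject Name:
    cn=Example-Issuing-CA
"""

def parse_certs(output):
    """Split the command output into one dict per certificate section."""
    certs, cur, field = [], None, None
    for line in output.splitlines():
        text = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 0 and text in ("Certificate", "CA Certificate"):
            cur, field = {"kind": text}, None   # start of a new section
            certs.append(cur)
        elif cur is None or not text:
            continue                            # preamble or blank line
        elif indent <= 2 and ":" in text:
            field, _, val = text.partition(":")  # "Key: value" field line
            cur[field] = val.strip()
        elif field:
            # deeper-indented line continues the previous field (e.g. a DN)
            cur[field] = (cur[field] + " " + text).strip()
    return certs

def check_client_cert_trust(output, client_issuer):
    """Return a list of problems; empty means both certificates are present."""
    certs = parse_certs(output)
    problems = []
    if not any(c["kind"] == "Certificate" for c in certs):
        problems.append("no identity (server) certificate on the ASA")
    ca_subjects = [c.get("Subject Name", "").lower()
                   for c in certs if c["kind"] == "CA Certificate"]
    if not ca_subjects:
        problems.append("no CA certificate imported")
    elif client_issuer.lower() not in ca_subjects:  # name match only, no signature check
        problems.append("no imported CA certificate matches the client certificate issuer")
    return problems
```

The name comparison is a first-pass triage only; the "debug crypto ca" output mentioned earlier in the thread is what shows the actual validation result.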