02-02-2018 12:51 AM - edited 03-12-2019 04:59 AM
Hello,
I'm trying to set up CiscoAnywhere with ASA and certificates. When I'm trying to connect, CiscoAnywhere aborts with the error "Certificate Validation Failure", but the CLI output with "debug crypto ca 255" enabled seems fine to me.
Am I overlooking anything useful in the output?
fw-ext/pri/act# debug crypto ca 255
fw-ext/pri/act# CERT_API: PKI session 0x0a961e13 open Successful with type SSL
CERT_API: Authenticate session 0x0a961e13, non-blocking cb=0x00007f48280e3240
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x0a961e13
CERT_API: Async locked for session 0x0a961e13
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI: looking for cert in handle=0x00007f4805690d30, digest=
ff 83 96 19 8d 33 b0 43 aa b3 64 98 96 aa 78 69 | .....3.C..d...xi
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints for connection type SSL
CRYPTO_PKI: Found suitable tp: ASDM_TrustPoint-internal-CA
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint ASDM_TrustPoint-internal-CA.
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1, NOT acceptable
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0
CRYPTO_PKI: bypassing revocation checking based on policy configuration
CRYPTO_PKI:Certificate validated. serial number: 50A765EB000000004FA5, subject name: cn=MYUSER-EXT-PC.ENV.global.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x00007f48280e3240 with status=0(Success)
CERT_API: Close session 0x0a961e13 asynchronously
CERT_API: Async unlocked for session 0x0a961e13
CERT_API: process msg cmd=1, session=0x0a961e13
CERT_API: Async locked for session 0x0a961e13
CERT_API: Async unlocked for session 0x0a961e13
CERT API thread sleeps!
Thanks in advance for any input!
02-02-2018 06:41 AM