01-07-2021 10:19 PM
Hello Guys,
I was hoping you could help me understand why one user struggles to connect to our VPN.
I managed to narrow it down to something related to the client's ISP and the proxy configured in the browser, but I don't understand the logic behind it. It is not a PC problem, because if other people connect to this home network they have the same issue.
It can take minutes before the user connects to our VPN; AnyConnect warns about the certificate not being trusted. The user eventually connects, but it takes very long.
The proxy is cloud-based, so it can be used outside of our network, but in the PAC file we of course have DIRECT rules for all VPN communication, so in fact the proxy is not used, and it is clear from the pcaps that direct access is used in all related communication.
Now the strange thing is that when the user has the proxy configured, the internet is very slow in loading web pages before getting to our network. From the pcap I can see a lot of keep-alives. I ruled out an MTU issue by lowering it to force a smaller MSS, but it had no effect. The internet works fine if the proxy is removed, and that is what I don't understand, because when the proxy is removed the user has no issue connecting to our VPN. How is that possible if the communication has nothing to do with the proxy anyway? I was thinking it could be an OCSP check that goes through the proxy and somehow caused this, because I am getting out of ideas, but anyway there is no OCSP check in any of the pcaps, so I have no idea how to explain why the client is not trusting certificates. Of course in all pcaps I can see that the certificate offered in the Server Hello is valid.
Thank you.
01-19-2021 03:28 PM
Eventually, it was caused by DNS. We have one DNS record in a public zone. The name is part of the configuration script in the proxy and it is there to check whether the user is in our network or not, for different purposes. The ISP for whatever reason could not resolve this. All queries kept timing out. That was the reason that browsing was slow, because it was waiting a long time for timeouts. We changed DNS to Google and it fixed the browsing issue and eventually the VPN reporting an untrusted certificate.
Lukas
01-08-2021 04:59 AM
This is because of a local ISP proxy issue; I cannot believe the ISP still needs to use proxy settings in the browser (what country and geo location is this?).
This needs to be escalated to the local ISP; since they are doing HTTPS interception you sometimes get these errors.
Maybe you can request the local ISP to bypass the proxy for your VPN domain, if they entertain this request, or else the user needs to shift to an ISP without any content filtering.
01-08-2021 05:17 AM - edited 01-08-2021 05:21 AM
Hello, thank you for the comment.
To make it clear, the proxy is not the provider's proxy. It is our proxy. It is a PAC file that we need to use in our corporate network, and because it is a cloud proxy (Zscaler) it can be used even off our network. But what is important here, and I will repeat it again, is the reason why I am puzzled: the PAC file has rules that all VPN traffic goes DIRECT, meaning in fact no proxy is used at all to attempt the VPN connection. I can even see in the pcap that it goes direct, not via the proxy. However, when the proxy is in use on the system, the certificate is mostly not trusted; sometimes the connection goes through, but that takes time and a lot of attempts.
01-08-2021 06:30 AM
I may have misunderstood in the first place. This requires more information on how the flows go.
If the VPN is set up with split tunnel it should work.