ASA only uses self-signed certificates after upgrade to 9.4.1

I ran into a strange issue after upgrading to 9.4.1... (coming from 9.3)

However I access the ASA (Browser, Anyconnect, etc.) it only offers a self-signed certificate even though a proper SSL certificate is installed.

I checked:

ssl trust-point VPN_Portal_TP
ssl trust-point VPN_Portal_TP outside
ssl certificate-authentication fca-timeout 5
ssl certificate-authentication interface outside port 443

is configured.

  • CA Certificate is installed, too.
  • Reinstalled all certificates.
  • Re-assigned the trustpoints.

Any idea would be greatly appreciated.... thank you!

Accepted Solution

Marvin Rhoads (Hall of Fame)

I haven't gotten time to test this out on my lab unit yet but there's a related thread here.

I'm not positive on the standard resolution just yet - it'll bear close watching.

Perhaps the first person to open a TAC case can share the resolution.

4 Replies

This is properly documented in the release notes of 9.4.1:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#51000

Regards.

mmoravar,

Please see the thread I linked to - it contains a user reporting that the documented fix is not working.

Well, to be honest, this feels like a bad design choice - assuming a brand new feature to be a "default" setting so "cipher" overrules it all. 

Most customers / owners of an ASA have paid SSL certificates of a trusted CA in place and running - so many more will run into this potentially.

Anyway, using

AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA

as the custom string as mentioned (so excluding all cipher) did the trick.

Thanks Marvin for the hint!
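As I read the 9.4(1) release note linked above, the trigger is the new ECDSA cipher suites: while any ECDHE-ECDSA suite stays in the cipher list the ASA can pick it and then has only its own self-signed ECDSA certificate to offer, so the RSA trustpoint is never used. The custom string quoted above works because it contains no ECDSA suite. The following is an added example (not code from this thread or from Cisco) that audits a cipher string of that form and, optionally, connects to a host to report which certificate and suite were actually negotiated. It assumes Python 3; the `probe_endpoint` function additionally assumes network access and the pyca/cryptography package, and the host name in the usage line is a placeholder. It also flags `RC4-SHA`, which is in the thread's string and has been prohibited for TLS by RFC 7465.

```python
"""Audit an ASA-style custom cipher string and, optionally, the certificate a
TLS endpoint really presents.  Added example; not from the thread or Cisco."""
import socket
import ssl

# Cipher string quoted in the thread (OpenSSL suite names, colon separated).
THREAD_CUSTOM_STRING = (
    "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA"
)

# Suite-name fragments that mark obsolete algorithms (RC4 is prohibited by
# RFC 7465; single DES, NULL, EXPORT and MD5 suites are long deprecated).
LEGACY_MARKERS = ("RC4", "DES-CBC-SHA", "NULL", "EXP", "MD5")


def parse_cipher_list(cipher_string: str) -> list:
    """Split a colon-separated OpenSSL cipher string into suite names."""
    return [c.strip() for c in cipher_string.split(":") if c.strip()]


def ecdsa_ciphers(ciphers: list) -> list:
    """Suites that authenticate with an ECDSA key.  With any of these enabled,
    the 9.4(1) behaviour discussed in the thread lets the ASA fall back to its
    own self-signed ECDSA certificate instead of the RSA trustpoint."""
    return [c for c in ciphers if "ECDSA" in c.upper()]


def legacy_ciphers(ciphers: list) -> list:
    """Suites that should be dropped from the string for other reasons."""
    return [c for c in ciphers if any(m in c.upper() for m in LEGACY_MARKERS)]


def audit_cipher_string(cipher_string: str) -> dict:
    """Summarise what a custom cipher string will do on the 9.4(1) box."""
    ciphers = parse_cipher_list(cipher_string)
    ecdsa = ecdsa_ciphers(ciphers)
    return {
        "suites": ciphers,
        "ecdsa": ecdsa,
        "legacy": legacy_ciphers(ciphers),
        "rsa_cert_will_be_used": not ecdsa,
    }


def is_self_signed(subject: str, issuer: str) -> bool:
    """Issuer name equal to subject name is the signature of a self-signed
    certificate, which is what the ASA's self-generated cert looks like."""
    return subject.strip() == issuer.strip()


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect and report which certificate and suite were negotiated.
    Verification is disabled on purpose: the point is to see the cert the box
    offers even when it is the untrusted self-signed one.
    Assumes network access and the pyca/cryptography package."""
    from cryptography import x509  # assumption: pip install cryptography

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            suite = tls.cipher()[0]
    cert = x509.load_der_x509_certificate(der)
    subject = cert.subject.rfc4514_string()
    issuer = cert.issuer.rfc4514_string()
    return {
        "cipher": suite,
        "subject": subject,
        "issuer": issuer,
        "self_signed": is_self_signed(subject, issuer),
    }


if __name__ == "__main__":
    report = audit_cipher_string(THREAD_CUSTOM_STRING)
    print("ECDSA suites:", report["ecdsa"] or "none - RSA trustpoint cert will be offered")
    print("legacy suites to drop:", report["legacy"] or "none")
    # probe_endpoint("vpn.example.test")  # placeholder host: point it at your own ASA
```

Run the audit before pushing a custom string, and run `probe_endpoint` against the outside interface afterwards: `self_signed` should come back `False` and `issuer` should be your CA, which is a quicker confirmation than re-checking the trustpoint config. Dropping `RC4-SHA` from the string removes the one legacy suite the audit reports without reintroducing the ECDSA problem.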