04-14-2015 03:15 AM
I ran into a strange issue after upgrading to 9.4.1... (coming from 9.3)
However I access the ASA (browser, AnyConnect, etc.), it only offers a self-signed certificate even though a proper SSL certificate is installed.
I checked:
ssl trust-point VPN_Portal_TP
ssl trust-point VPN_Portal_TP outside
ssl certificate-authentication fca-timeout 5
ssl certificate-authentication interface outside port 443
is configured.
Any idea would be greatly appreciated.... thank you!
04-14-2015 06:04 AM
I haven't gotten time to test this out on my lab unit yet but there's a related thread here.
I'm not positive on the standard resolution just yet - it'll bear close watching.
Perhaps the first person to open a TAC case can share the resolution.
04-15-2015 04:29 PM
This is properly documented in the release notes of 9.4.1:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#51000
Regards.
04-15-2015 07:48 PM
mmoravar,
Please see the thread I linked to - it contains a user reporting that the documented fix is not working.
04-16-2015 03:18 AM
Well, to be honest, this feels like a bad design choice - assuming a brand new feature to be a "default" setting so "cipher" overrules it all.
Most customers / owners of an ASA have paid SSL certificates of a trusted CA in place and running - so many more will run into this potentially.
Anyway, using
AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA
as the custom string as mentioned (so excluding all cipher) did the trick.
Thanks Marvin for the hint!