ASA SSL VPN

#TCN
Level 1

Hello Community,

I have an ASA with client-less VPN configured using smart-tunnelling, everything worked great until we changed the signed ID cert to a SHA256 cert.

We can see the new cert within the browser and log into the VPN as normal; however, we are unable to launch any local smart tunnel enabled apps.

When you initiate a remote desktop connection to a server / device, immediately we see an "internal error" on the RDP.

There are no hit counts on the web access-lists

Any thoughts on this one?

ASA 5555, code 9.4

Cheers

Jim,


5 Replies

Philip D'Ath
VIP Alumni

On the ASA 9.6 release notes I note this open caveat:

CSCva33271

WebVPN smart tunnels fail when ASA identity cert uses SHA256 signature

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/release/notes/asarn96.html
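To confirm which case you are in before opening a ticket, the quick check is what signature algorithm the ASA identity cert actually carries. The script below is an added example for this thread, not Cisco's code or anything from the release notes: it reads only the outer `signatureAlgorithm` field of a DER/PEM certificate and maps the OID to a name. The toy certificate it builds is constructed for the demonstration (placeholder TBS and a zeroed signature); in practice you would feed it the PEM exported from the ASA trustpoint.

```python
import base64

SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Return (oid, name) for the outer signatureAlgorithm of a PEM certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE
    _, oid_raw, _ = _read_tlv(alg_id, 0)    # its first member is the algorithm OID
    oid = _decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown")

# Constructed test input (not a real certificate): only the outer three fields
# are meaningful, which is all the check above reads.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def make_toy_cert_pem(oid_bytes):
    tbs = b"\x30\x03\x02\x01\x01"                                   # placeholder TBS
    alg = b"\x30" + bytes([len(oid_bytes) + 4]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    sig = b"\x03\x82\x01\x01\x00" + bytes(256)                     # dummy 2048-bit signature
    body = tbs + alg + sig
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body         # long-form length
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"
```

A result of `sha256WithRSAEncryption` (or any non-SHA-1 OID) on the identity cert is the condition the caveat describes; the check says nothing about whether a given ASA build contains the fix.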

Philip D'Ath
VIP Alumni (Accepted Solution)

It says it is fixed in 9.7(1).

It's not fixed... I'm on 9.7.1 and it's still an issue. (I have a ticket open.)

Philip, if you have any contacts at Cisco, you might want to poke them.

Most cert authorities aren't issuing SHA1 certs anymore, so this is going to be a bigger issue very soon...

Agreed, this is not fixed. Uploaded replacement certificate last night (as part of the move away from Symantec) and our Smart Tunnel RDP did not work. Same "internal error" message. We had to revert back to our Symantec certs that are rapidly being deprecated by Google, Mozilla, etc. I have a ticket open now as well...

#TCN
Level 1

Thanks for this info, Philip.

Cheers
Jim,