02-16-2017 12:27 AM
Hello Community,
I have an ASA with clientless VPN configured using smart tunneling. Everything worked great until we changed the signed ID cert to a SHA256 cert.
We can see the new cert within the browser and log into the VPN as normal; however, we are unable to launch any local smart tunnel enabled apps.
When you initiate a remote desktop connection to a server or device, we immediately see an "internal error" on the RDP.
There are no hit counts on the web access-lists.
Any thoughts on this one?
ASA 5555, code 9.4
Cheers
Jim,
02-16-2017 02:28 AM
In the ASA 9.6 release notes I note this open caveat:
WebVPN smart tunnels fail when ASA identity cert uses SHA256 signature
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/release/notes/asarn96.html
02-16-2017 02:30 AM
It says it is fixed in 9.7(1).
03-14-2017 01:17 PM
It's not fixed... I'm on 9.7.1 and it's still an issue. (I have a ticket open.)
Philip, if you have any contacts at Cisco, you might want to poke them.
Most cert authorities aren't issuing SHA1 certs anymore so this is going to be a bigger issue very soon...
04-19-2018 12:07 PM
Agreed, this is not fixed. Uploaded the replacement certificate last night (as part of the move away from Symantec) and our Smart Tunnel RDP did not work. Same "internal error" message. We had to revert to our Symantec certs, which are rapidly being deprecated by Google, Mozilla, etc. I have a ticket open now as well...
02-16-2017 02:42 AM
Thanks for this info Philip
Cheers
Jim,
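The thread turns on which signature algorithm the ASA identity certificate carries (SHA-1 versus SHA-256). The following shell snippet is an added example, not something posted in the thread or shipped by Cisco: it reports and classifies the signature algorithm of a PEM certificate, either from a file or from the cert a live endpoint presents, so a defender can confirm which case they are in before or after loading a cert on the ASA. It assumes the openssl CLI is installed; the sample certificate it builds is a constructed, throwaway self-signed cert with a made-up CN.

```shell
#!/bin/sh
# Added example (not from the thread): report the signature algorithm of a PEM
# certificate so you can tell a SHA-1-signed identity cert from a SHA-2 one.
# Assumes the openssl CLI is on the PATH.

# Print the signature algorithm name (e.g. sha256WithRSAEncryption) of a PEM cert.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 if the cert is SHA-2 signed, 1 if SHA-1 signed, 2 if unrecognised.
cert_sig_family() {
    alg=$(cert_sig_alg "$1")
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        sha1*|ecdsa-with-SHA1) return 1 ;;
        *) return 2 ;;
    esac
}

# Fetch the certificate a live host:port presents (e.g. the ASA WebVPN portal)
# and classify it the same way. Needs network access; not exercised offline.
remote_sig_family() {
    tmp=$(mktemp)
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    cert_sig_family "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: a throwaway self-signed SHA-256 cert with a made-up CN.
# Prints the path of the generated certificate.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Stand-alone run: build the sample cert and report what it is signed with.
sample=$(make_sample_cert)
printf 'sample cert: %s\n' "$(cert_sig_alg "$sample")"
if cert_sig_family "$sample"; then
    echo "SHA-2 signature: expect to hit the smart tunnel caveat on affected ASA code"
else
    echo "not SHA-2 signed"
fi
```

To check a deployed portal instead of the sample, call `remote_sig_family vpn.example.test:443` and branch on its exit status; a return of 1 (SHA-1) versus 0 (SHA-2) tells you whether the smart tunnel failure described above lines up with the certificate change.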