cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1338
Views
11
Helpful
3
Replies

ASA-x IOS 9.4.1 - Anyconnect - Windows 8.1 "Untrusted VPN Server Blocked"

kurgen727
Level 1
Level 1

Successful upgrade from 9.3.1 to 9.4.1 on our test ASA-X VPN box.  

 

Anyconnect 3.1.05182 clients still connecting flawlessly for all operating systems (xp, win7, Mac), but Windows Surface Pro 3's (Windows 8.1) clients now get "Untrusted VPN Server Blocked", changing settings to allow access for untrusted still allows connectivity. 

 

Web Browsers on same workstations are still able to get to same SSL VPN web page and Cert Chain is valid, no errors.  Only Anyconnect Client seems to have an issue with the Certificate.  

 

Anyone had similar issues?  I've openned a TAC case.  Thank you.

1 Accepted Solution

Accepted Solutions

Abaji Rawool
Level 3
Level 3

Hi,

When the client sends an SSL hello packets, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint.  That's why the ASA is presenting the self-signed Cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".

So To avoid this, we need  to remove the corresponding cipher suites using the ssl cipher command.
we can execute the following command so that only RSA based ciphers are negotiated (

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

HTH

Abaji.

View solution in original post

3 Replies 3

Abaji Rawool
Level 3
Level 3

Hi,

When the client sends an SSL hello packets, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint.  That's why the ASA is presenting the self-signed Cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".

So To avoid this, we need  to remove the corresponding cipher suites using the ssl cipher command.
we can execute the following command so that only RSA based ciphers are negotiated (

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

HTH

Abaji.

Confirmed.  Surface Pro 3's (windows 8.1) all now connect with Anyconnect and no "Untrusted VPN Server Blocked".  Thank you for your assistance!

The instructions are noted in the 9.4 release notes - right at the top under "Important notes". :)