Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1283
Views
11
Helpful
3
Replies

ASA-x IOS 9.4.1 - Anyconnect - Windows 8.1 "Untrusted VPN Server Blocked"

Go to solution
kurgen727
Level 1
Level 1

‎06-03-2015 02:52 PM - edited ‎02-21-2020 08:15 PM

Successful upgrade from 9.3.1 to 9.4.1 on our test ASA-X VPN box.  

 

Anyconnect 3.1.05182 clients still connecting flawlessly for all operating systems (xp, win7, Mac), but Windows Surface Pro 3's (Windows 8.1) clients now get "Untrusted VPN Server Blocked", changing settings to allow access for untrusted still allows connectivity. 

 

Web Browsers on same workstations are still able to get to same SSL VPN web page and Cert Chain is valid, no errors.  Only Anyconnect Client seems to have an issue with the Certificate.  

 

Anyone had similar issues?  I've openned a TAC case.  Thank you.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Abaji Rawool
Level 3
Level 3

‎06-03-2015 06:05 PM

Hi,

When the client sends an SSL hello packets, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint.  That's why the ASA is presenting the self-signed Cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".

So To avoid this, we need  to remove the corresponding cipher suites using the ssl cipher command.
we can execute the following command so that only RSA based ciphers are negotiated (

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

HTH

Abaji.

View solution in original post

3 Replies 3

Go to solution
Abaji Rawool
Level 3
Level 3

‎06-03-2015 06:05 PM

Hi,

When the client sends an SSL hello packets, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint.  That's why the ASA is presenting the self-signed Cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".

So To avoid this, we need  to remove the corresponding cipher suites using the ssl cipher command.
we can execute the following command so that only RSA based ciphers are negotiated (

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

HTH

Abaji.

Go to solution
kurgen727
Level 1
Level 1
In response to Abaji Rawool

‎06-04-2015 05:03 AM

Confirmed.  Surface Pro 3's (windows 8.1) all now connect with Anyconnect and no "Untrusted VPN Server Blocked".  Thank you for your assistance!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kurgen727

‎06-04-2015 06:42 AM

The instructions are noted in the 9.4 release notes - right at the top under "Important notes". :)

Customers Also Viewed These Support Documents