Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7677
Views
0
Helpful
7
Replies

Certificate Enrollment Failed

gufari101
Level 1
Level 1

‎02-01-2017 02:51 AM

Hi guys

I've a profile on my VPN Firewall to enroll my device with my private CA. the Enrollment URL are configured as mentioned below.

enrollment url http://192.168.18.21:80/certsrv/mscep/mscep.dll
scep-forwarding-url value http://192.168.18.21/certsrv/mscep/mscep.dll

I'm using both Anyconnect client 4.3.x and 4.4.x and while connecting to my VPN profile it gives the error logs below.

[Time Stamp] Certificate Enrollment Initiating - Please wait...
[Time Stamp] Certificate Enrollment Failed.

Please find the attached DART output from same workstation.

Regards

Labels:
Preview file
2256 KB
0 Helpful
7 Replies 7

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-01-2017 04:26 AM

Could you attach your ASA config and client xml profile after removing all sensitive information? I am assuming you are using scep proxy so there are 3 things you need to have:

1) scep enrollment enabled on the tunnel-group with aaa+cert auth.

2) scep-forwarding url on the group-policy

3) certificate request parameters on the client xml (not SCEP=URL)

0 Helpful

gufari101
Level 1
Level 1
In response to Rahul Govindan

‎02-01-2017 04:48 AM

Find the requested files

Preview file
3 KB
Preview file
24 KB
0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to gufari101

‎02-01-2017 05:19 AM

Is the profile you provided the right one? It does not seem to have any certificate enrollment parameters. I should a section similar to this in the xml profile:

<CertificateEnrollment>
            <CertificateImportStore>All</CertificateImportStore>
            <CertificateSCEP>
                <Name_CN>%USER%</Name_CN>
                <Department_OU>Technology</Department_OU>
                <Company_O>Company</Company_O>
                <State_ST>TX</State_ST>
                <Country_C>US</Country_C>
                <City_L>Dallas</City_L>
                <KeySize>2048</KeySize>
            </CertificateSCEP>
</CertificateEnrollment>
0 Helpful

gufari101
Level 1
Level 1
In response to Rahul Govindan

‎02-01-2017 06:31 AM

Please find the attached profile which is used to download the certificate.

Preview file
4 KB
0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to gufari101

‎02-01-2017 06:50 AM

Looks like you have some wrong parameters in the profile.

Invalid CertificateEnrollment CertificateExpirationThreshold="365" specified in profile. Value from 0 to 180 expected.

Try chaining the  <CertificateExpirationThreshold>365</CertificateExpirationThreshold> value to 180 and test.

Also, run a "debug crypto ca scep-proxy 255" on ASA when cert enrollment happens.

0 Helpful

gufari101
Level 1
Level 1
In response to Rahul Govindan

‎02-01-2017 08:45 PM

I tried to change and enabled debug also, didn't get any debug logs and still failure to download certificate.

dpfra/sec/act# debug crypto ca scep-proxy 255

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to gufari101

‎02-02-2017 02:33 AM

Did you change it on the ASA or the client? This should be changed on the ASA so that the profile gets updated during connection. If you made the change on the ASA, can you try again and get the DART logs after a failed connection?

0 Helpful
Customers Also Viewed These Support Documents