03-15-2017 02:30 PM
Dear Community,
We recently enabled multi-factor authentication for our Remote Access VPN using both certificate and user credentials. Our VPN users use the Anyconnect client version 4.2.01035 for both Mac and PC. We have deployed the cert to all mobile end user devices in our company (Windows machines and Macs), and all are working except for one Mac user who gets the "Certificate Validation Failure" message when trying to connect. We have verified the cert is available in the cert store on the Mac and that the cert is also available on the ASA-5545x. For the life of me I cannot figure out why the ASA is not accepting the cert from this particular user's Mac. Here are the contents of the /var/log/system.log file for a particular connection attempt. I've tried parsing this file but can't figure it out. Any help you can provide would be greatly appreciated. Again, it's only the one user. I've omitted some sensitive information as well. Thanks again.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: An SSL VPN connection to vpn.company.com has been requested by the user.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 0
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Message type information sent to the user: Contacting vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Initiating VPN connection to the secure gateway https://vpn.company.com
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 12168 Received connect notification (host vpn.company.com, profile N/A)
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 718 Invoked Function: CHostLocator::resolveHostNameAlt Return Code: -29294571 (0xFE410015) Description: DNSREQUEST_ERROR_EMPTY_RESPONSE
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 322 Invoked Function: ::getaddrinfo Return Code: 35 (0x00000023) Description: unknown
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport::getHostIPAddrByName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::resolveHostName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO failed to resolve host name vpn.company.com to IPv6 address
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host vpn.company.com has been resolved to IP address 38.x.x.2
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Writing to hosts file: 38.x.x.2 vpn.company.com ###Cisco AnyConnect VPN client modified this file. Please do not modify contents until this comment is removed.
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 5210 The requested VPN connection to vpn.company.com will target the following IP protocols and addresses: primary - IPv4 (address 38.x.x.2), secondary - N/A.
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1982 PasswordEntry username is dupton
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: handleRedirects File: ../../vpn/Api/ConnectIfc.cpp Line: 846 Redirecting to: https://vpn.company.com/+webvpn+/index.html
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1982 PasswordEntry username is dupton
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: setPromptAttributes File: ../../vpn/Api/ConnectMgr.cpp Line: 3939 The certificate authority is disabled on the secure gateway.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type error sent to the user: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: The following error message was received from the secure gateway: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getPreference File: ../../vpn/Api/PreferenceInfoBase.cpp Line: 269 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 45
Mar 15 16:16:24 --- last message repeated 2 times ---
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: ProcessPromptData File: ../../vpn/Api/SDIMgr.cpp Line: 336 Authentication is not token based (OTP).
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 3212 Certificate authentication requested from gateway, no valid certs found in users cert store.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type warning sent to the user: No valid certificates available for authentication.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type prompt sent to the user: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2059 ConnectMgr::processIfcData failed
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1185 Connection failed.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: VPN state: Disconnected Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 677 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: ClosePopup File: ../../vpn/ApiShim/ApiShim.cpp Line: 1995 No popup found of the given ID
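The log above already contains the answer to "did the client ever offer a certificate?": the `getCertList` line reports `Number of certificates found: 0`, and `processIfcData` then says the gateway asked for certificate authentication but nothing valid was found in the user's store. The following added example (not part of the thread, and not Cisco code) is a small triage script that pulls those events out of a system.log excerpt so an admin can separate "client enumerated no certificate" from "gateway rejected the certificate it was given". The sample log lines are constructed, abbreviated copies of the thread's excerpt; the message strings it matches on are the client's own log text as shown above.

```python
"""Triage an AnyConnect macOS system.log excerpt for client-certificate auth problems.

Added example, not from the forum thread or from Cisco.  It summarises the events that
matter for certificate authentication: whether a profile was found, how many
certificates the client enumerated, whether the gateway's own certificate verified,
what error the gateway returned, and whether the session ever connected.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abbreviated from the thread's /var/log/system.log excerpt.
SAMPLE_LOG = """\
Mar 15 16:16:22 host.local acvpnui[1587]: An SSL VPN connection to vpn.company.com has been requested by the user.
Mar 15 16:16:22 host.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 host.local acvpnui[1587]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 0
Mar 15 16:16:23 host.local acvpnui[1587]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:24 host.local acvpnui[1587]: The following error message was received from the secure gateway: Certificate Validation Failure
Mar 15 16:16:24 host.local acvpnui[1587]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 3212 Certificate authentication requested from gateway, no valid certs found in users cert store.
Mar 15 16:16:24 host.local acvpnui[1587]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1185 Connection failed.
"""

# Constructed healthy counterpart: one certificate enumerated, session reaches Connected.
SAMPLE_LOG_OK = """\
Mar 16 09:00:01 host.local acvpnui[2001]: An SSL VPN connection to vpn.company.com has been requested by the user.
Mar 16 09:00:01 host.local acvpnui[2001]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 1
Mar 16 09:00:02 host.local acvpnui[2001]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 16 09:00:05 host.local acvpnui[2001]: VPN state: Connected Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined
"""

# syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>acvpn\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQUESTED_RE = re.compile(r"connection to (\S+) has been requested")
CERT_COUNT_RE = re.compile(r"Number of certificates found: (\d+)")
GATEWAY_ERR_RE = re.compile(r"error message was received from the secure gateway: (.+)$")


@dataclass
class CertAuthTriage:
    gateway: Optional[str] = None          # host the user asked to connect to
    profile_found: bool = True             # False once the client reports no profile for the host
    certs_found: Optional[int] = None      # certificates the client enumerated from its store
    server_cert_ok: bool = False           # the client accepted the gateway's certificate
    client_cert_requested: bool = False    # gateway asked the client to authenticate with a cert
    gateway_errors: List[str] = field(default_factory=list)
    connected: bool = False

    @property
    def verdict(self) -> str:
        if self.connected:
            return "connected"
        if self.client_cert_requested and self.certs_found == 0:
            return ("client offered no certificate: the gateway asked for one but the client "
                    "enumerated 0 certificates, so check the user's keychain for an identity "
                    "(certificate with its private key) and the profile's certificate settings")
        if self.gateway_errors:
            return "gateway rejected the attempt: " + "; ".join(self.gateway_errors)
        return "inconclusive: no certificate-related failure found in this excerpt"


def triage(log_text: str) -> CertAuthTriage:
    """Walk the excerpt line by line and record the certificate-relevant events."""
    t = CertAuthTriage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an AnyConnect line (e.g. a wrapped continuation); skip it
        msg = m.group("msg")
        g = REQUESTED_RE.search(msg)
        if g:
            t.gateway = g.group(1)
        if "No profile available for host" in msg:
            t.profile_found = False
        c = CERT_COUNT_RE.search(msg)
        if c:
            t.certs_found = int(c.group(1))
        if "Return success from VerifyServerCertificate" in msg:
            t.server_cert_ok = True
        e = GATEWAY_ERR_RE.search(msg)
        if e:
            t.gateway_errors.append(e.group(1).strip())
        if "Certificate authentication requested from gateway" in msg:
            t.client_cert_requested = True
        if "VPN state: Connected" in msg:
            t.connected = True
    return t


if __name__ == "__main__":
    for name, text in (("failing", SAMPLE_LOG), ("healthy", SAMPLE_LOG_OK)):
        r = triage(text)
        print(f"{name}: gateway={r.gateway} certs_found={r.certs_found} -> {r.verdict}")
```

Run it against a real excerpt with `triage(open("/var/log/system.log").read())`; lines that extraction or a mail client wrapped onto a second line are skipped rather than mis-parsed, so join wrapped lines first if a count looks missing. The verdict distinguishes the two situations that look identical to the end user: a count of 0 means the client never selected a certificate at all, while a gateway error with a non-zero count means a certificate was sent and the ASA refused it.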
03-15-2017 05:14 PM
Hi Craddockc,
Try creating an XML profile with the Certificate Store Override set up:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000006c
You can also run the following debugs on the ASA while trying to connect from a Mac:
debug cry ca messages 180
debug cry ca transactions 180
Make sure you disable the debugs as soon as you get the info of the connection attempt:
Undebug all
Hope this info helps!!
Rate if it helps you!!
-JP-
03-16-2017 07:15 AM
JP,
Thank you for your reply. I'm looking at the XML and unfortunately this option is only applicable to Anyconnect on Windows machines; the issue we are experiencing is with a Mac.
<xs:element name="CertificateStoreOverride" minOccurs="0" type="ns1:simpleBinary" default="false">
<xs:annotation>
<xs:documentation>This setting allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store. This is useful in cases where certificates are located in this store and users do not have administrator privileges on their machine.</xs:documentation>
Are there any other suggestions you might have? Thanks.
03-28-2017 12:14 PM
Please don't be disappointed, as this is not to offer a solution to your problem.
I am trying to set up multi-factor authentication for our Remote Access VPN using both certificate and user credentials as you did, and I was wondering if there is any documentation or if you can assist me with this process.
I don't have a very strong background in this field.
Thank you for your time.
03-28-2017 02:53 PM
Hi Craddockc,
Sorry for the misunderstanding and delay to get back to you, seems like you may have the following issue: CSCul51157.
You can follow the workarounds on the enhancement request or you can create an xml profile and disable the option of “automatic certificate selection”.
Hope this info helps!!
Rate if it helps you!!
-JP-
05-03-2017 01:31 PM
Thank you JP I will look into this as well and get back to you guys on this thread.
03-28-2017 03:11 PM
This is an interesting problem. So is anything different for the certificate between the failing Mac user and the working ones? It looks like the client is not finding the certificate in the Mac keychain. I know of one problem where the ASA does not send a cert request for sha512 certificates, so if the user certificate was issued with a sha512 hash, then it won't be detected by the Anyconnect client. This would be good to verify.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy30069
Another point to verify is whether the private key associated with the certificate has been deleted. If so, the client certificate is no longer valid for authentication and won't be chosen by the client. Good to check this again.
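The first check suggested above (which hash the user's certificate was signed with) can be done without any third-party library by reading the outer `signatureAlgorithm` field of the DER-encoded certificate. The following is an added example, not code from the thread or from Cisco: a minimal DER walker that reports the signature algorithm of a certificate exported from the keychain (PEM or DER). The OID table lists the common RSA and ECDSA signature OIDs; the "certificates" used for the self-test are constructed DER skeletons with a placeholder tbsCertificate, not real certificates, and the `fake_cert` / `fake_cert_pem` helpers exist only to build them.

```python
"""Report an X.509 certificate's signature hash algorithm from its DER encoding.

Added example, not from the forum thread or from Cisco.  Certificate ::= SEQUENCE {
tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING },
so the hash used to sign the certificate is the OID inside the second element.
"""
import base64
from typing import Tuple

# Signature algorithm OIDs (RFC 4055 / RFC 5758) mapped to their usual names.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Base-128 OID decoding; the first byte packs the first two arcs."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text: str) -> bytes:
    """Strip the BEGIN/END lines of a PEM certificate and base64-decode the body."""
    body = [ln.strip() for ln in text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_algorithm(der: bytes) -> str:
    """Return the name (or dotted OID if unknown) of the certificate's signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate: skipped
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return SIG_ALG_OIDS.get(oid, oid)


def uses_sha512(der: bytes) -> bool:
    """The check from the thread: was this certificate signed with a SHA-512 algorithm?"""
    return "512" in signature_algorithm(der)


# --- constructed test fixtures (not real certificates) -------------------------------

def _der(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                # short-form lengths suffice for these skeletons
    return bytes([tag, len(value)]) + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert(sig_oid: str) -> bytes:
    """Constructed skeleton: SEQUENCE { placeholder tbs, AlgorithmIdentifier, BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                   # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00\xAA\xBB")                                       # dummy signature value
    return _der(0x30, tbs + alg + sig)


def fake_cert_pem(sig_oid: str) -> str:
    b64 = base64.b64encode(fake_cert(sig_oid)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.13"):
        print(oid, "->", signature_algorithm(fake_cert(oid)), "sha512:", uses_sha512(fake_cert(oid)))
```

On the user's Mac, export the certificate from the keychain as PEM, then call `signature_algorithm(pem_to_der(open("user.pem").read()))`; a `sha512WithRSAEncryption` or `ecdsa-with-SHA512` result is the case the post above says to look for. The parser deliberately reads only the outer `signatureAlgorithm`, which is what a CA used to sign the certificate, rather than anything inside `tbsCertificate`.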
05-03-2017 01:31 PM
Thank you Rahul, I will look into this.