Certificate Validation Failure

Craddockc
Level 3

Dear Community,

We recently enabled multi-factor authentication for our Remote Access VPN using both certificate and user credentials. Our VPN users use the AnyConnect client version 4.2.01035 for both Mac and PC. We have deployed the cert to all mobile end user devices in our company (Windows machines and Macs); all are working except for one Mac user that gets the "Certificate Validation Failure" message when trying to connect. We have verified the cert is available in the cert store on the Mac and that the cert is also available on the ASA-5545x. For the life of me I cannot figure out why the ASA is not accepting the cert from this particular user's Mac. Here are the contents of the /var/log/system.log file for a particular connection attempt. I've tried parsing this file but can't figure it out. Any help you can provide would be greatly appreciated. Again, it's only the one user. I've omitted some sensitive information as well. Thanks again.

Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: An SSL VPN connection to vpn.company.com has been requested by the user.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 0
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Message type information sent to the user: Contacting vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Initiating VPN connection to the secure gateway https://vpn.company.com
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 12168 Received connect notification (host vpn.company.com, profile N/A)
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 718 Invoked Function: CHostLocator::resolveHostNameAlt Return Code: -29294571 (0xFE410015) Description: DNSREQUEST_ERROR_EMPTY_RESPONSE
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 322 Invoked Function: ::getaddrinfo Return Code: 35 (0x00000023) Description: unknown
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport::getHostIPAddrByName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::resolveHostName Return Code: -31195124 (0xFE24000C) Description: SOCKETSUPPORT_ERROR_GETADDRINFO failed to resolve host name vpn.company.com to IPv6 address
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host vpn.company.com has been resolved to IP address 38.x.x.2
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Writing to hosts file:  38.x.x.2 vpn.company.com ###Cisco AnyConnect VPN client modified this file. Please do not modify contents until this comment is removed.
Mar 15 16:16:22 DUpton-mbp13.local acvpnagent[1555]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 5210 The requested VPN connection to vpn.company.com will target the following IP protocols and addresses: primary - IPv4 (address 38.x.x.2), secondary - N/A.
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1982 PasswordEntry username is dupton
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: handleRedirects File: ../../vpn/Api/ConnectIfc.cpp Line: 846 Redirecting to: https://vpn.company.com/+webvpn+/index.html
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1982 PasswordEntry username is dupton
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: setPromptAttributes File: ../../vpn/Api/ConnectMgr.cpp Line: 3939 The certificate authority is disabled on the secure gateway.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type error sent to the user: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: The following error message was received from the secure gateway: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getPreference File: ../../vpn/Api/PreferenceInfoBase.cpp Line: 269 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 45
Mar 15 16:16:24 --- last message repeated 2 times ---
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: ProcessPromptData File: ../../vpn/Api/SDIMgr.cpp Line: 336 Authentication is not token based (OTP).
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 3212 Certificate authentication requested from gateway, no valid certs found in users cert store.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type warning sent to the user: No valid certificates available for authentication.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Message type prompt sent to the user: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2059 ConnectMgr::processIfcData failed
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1185 Connection failed.
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: VPN state: Disconnected Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: run File: ../../vpn/Api/ConnectMgr.cpp Line: 677 Invoked Function: ConnectMgr::initiateConnect Return Code: -29622263 (0xFE3C0009) Description: CONNECTMGR_ERROR_UNEXPECTED
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: ClosePopup File: ../../vpn/ApiShim/ApiShim.cpp Line: 1995 No popup found of the given ID
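A quick way to read a log like the one above, as an added example that is not part of the original post: rejoin the wrapped syslog entries and pull out the facts that decide whether the failure is on the client (no identity enumerated, so nothing was offered) or on the gateway (a cert was offered and rejected). The sample lines are a constructed excerpt of the entries quoted above.

```python
import re

# Constructed excerpt of the system.log quoted in the post; continuation lines carry no timestamp.
SAMPLE_LOG = """\
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getProfileNameFromHost File:
../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host vpn.company.com.
Mar 15 16:16:22 DUpton-mbp13.local acvpnui[1587]: Function: getCertList File:
../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 0
Mar 15 16:16:23 DUpton-mbp13.local acvpnui[1587]: Function: PeerCertVerifyCB File:
../../vpn/Api/CTransportCurlStatic.cpp Line: 877 Return success from VerifyServerCertificate
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: The following error message was received from the secure gateway: Certificate Validation Failure
Mar 15 16:16:24 DUpton-mbp13.local acvpnui[1587]: Function: processIfcData File:
../../vpn/Api/ConnectMgr.cpp Line: 3212 Certificate authentication requested from gateway, no valid
certs found in users cert store.
"""
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def join_entries(text):
    """Rejoin syslog entries that were wrapped onto several physical lines."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Pull out the facts that locate where client-certificate auth failed."""
    r = {"profile_missing": False, "certs_found": None, "server_cert_ok": False,
         "gateway_error": None, "client_store_empty": False}
    for e in join_entries(text):
        r["profile_missing"] |= "No profile available for host" in e
        r["server_cert_ok"] |= "Return success from VerifyServerCertificate" in e   # ASA's cert chained
        r["client_store_empty"] |= "no valid certs found in users cert store" in e
        m = re.search(r"Number of certificates found: (\d+)", e)
        if m:
            r["certs_found"] = int(m.group(1))
        m = re.search(r"received from the secure gateway: (.+)$", e)
        if m:
            r["gateway_error"] = m.group(1).strip()
    return r

def diagnose(r):
    """Name the failing side: client-side enumeration vs. gateway rejection."""
    if r["certs_found"] == 0 and r["client_store_empty"]:
        return "client: 0 usable identities in the user's keychain, so no cert was offered"
    if r["certs_found"] and r["gateway_error"]:
        return "gateway: a cert was offered and the ASA rejected it; check the ASA trustpoint"
    return "inconclusive: set a profile so certificate matching is logged"
```

On the log above this lands on the client side: the ASA's own certificate verified fine and the gateway was reached, but getCertList enumerated zero identities before anything was sent.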

 

7 Replies

JP Miranda Z
Cisco Employee

Hi Craddockc,

Try creating an xml profile with the set up Certificate Store Override:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000006c

You can also run the following debugs on the ASA while trying to connect from a Mac:

debug cry ca messages 180 

debug cry ca transactions 180

Make sure you disable the debugs as soon as you get the info of the connection attempt:

Undebug all

Hope this info helps!!

Rate if it helps you!!

-JP-

JP,

Thank you for your reply. I'm looking at the XML and unfortunately this option is only applicable to AnyConnect on Windows machines; the issue we are experiencing is with a Mac.

<xs:element name="CertificateStoreOverride" minOccurs="0" type="ns1:simpleBinary" default="false">
  <xs:annotation>
    <xs:documentation>This setting allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store. This is useful in cases where certificates are located in this store and users do not have administrator privileges on their machine.</xs:documentation>
  </xs:annotation>
</xs:element>

Are there any other suggestions you might have? Thanks.

Craddockc,

Please don't be disappointed, as this is not to offer a solution to your problem.

I am trying to set up multi-factor authentication for our Remote Access VPN using both certificate and user credentials as you did, and I was wondering if there is any documentation or if you can assist me with this process.

I don't have a very strong background in this field.

Thank you for your time 

Hi Craddockc,

Sorry for the misunderstanding and delay to get back to you, seems like you may have the following issue: CSCul51157.

You can follow the workarounds on the enhancement request or you can create an xml profile and disable the option of “automatic certificate selection”.

Hope this info helps!!

Rate if it helps you!!

-JP-

Thank you JP I will look into this as well and get back to you guys on this thread.

This is an interesting problem. So is anything different for the certificate between the failing Mac user and the working one? It looks like the client is not finding the certificate in the Mac keychain. I know of one problem where the ASA does not send a cert request for sha512 certificates, so if the user certificate was issued with a sha512 hash, then it won't be detected by the AnyConnect client. This would be good to verify.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy30069

Another point to verify is whether the private key associated with the certificate has been deleted. If so, the client certificate is no longer valid for authentication and won't be chosen by the client. Good to check this again.
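The sha512 point above can be checked on the user's exported certificate before touching the ASA. The following is an added example, not code from the thread or from Cisco: it reads the certificate's outer signatureAlgorithm OID with a minimal DER reader and flags the SHA-512 variants; the OID-to-name table and the constructed skeleton used for the self-test are mine, not a real certificate.

```python
# Hypothetical checker (not from the thread): read the outer signatureAlgorithm OID of a
# DER-encoded X.509 certificate with a minimal TLV reader and flag the SHA-512 variants.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)        # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def uses_sha512(der):
    return "512" in signature_algorithm(der)

def tlv(tag, value):
    """Short-form DER encoder, used only to build the constructed skeleton below."""
    return bytes([tag, len(value)]) + value

# Constructed skeleton, not a real certificate: empty tbsCertificate, a
# sha512WithRSAEncryption AlgorithmIdentifier, and an empty BIT STRING.
SHA512_RSA_OID = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D])
FAKE_CERT = tlv(0x30, tlv(0x30, b"") + tlv(0x30, tlv(0x06, SHA512_RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
```

For a real check, pass the DER bytes of the user's certificate (a .cer exported from Keychain Access) to uses_sha512; a PEM file must be base64-decoded first.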

Thank you Rahul, I will look into this.