Solved: Changing ID certs on ASA with AnyConnect session impact?

Chris McDaniel · ‎04-16-2014

Hello everyone - I probably should know this answer, however I'm not 100%.

If I change the ID cert (trust point) of the external interface to use a "newer" certificate while there are AnyConnect clients connected, will the sessions be terminated?

I believe the answer is Yes, since the keys will change.

Any and all help is appreciated!

Thanks!

Vishnu Sharma · ‎04-17-2014

Hi,

It will not disconnect users because the main purpose of using cert in first place other than identity is to securely distribute symmetric session key. Once done, the cert work is done.

I did a quick test at my end.

I connected a client to the ASA using certs. Here are the outputs:

ASA-32-25# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
ssl trust-point SSL outside <-- This is the certificate applied on outside interface.
ssl certificate-authentication fca-timeout 2

Now, I connected my client and it successfully got connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username : anyconnect Index : 50
Assigned IP : 192.168.10.2 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 11488 Bytes Rx : 1351
Group Policy : GroupPolicy_Test Tunnel Group : Test
Login Time : 12:24:15 EDT Thu Apr 17 2014
Duration : 0h:00m:04s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

I then, removed the certificate from outside interface.

ASA-32-25(config)# no ssl trust-point SSL outside

And when, I checked the status of connected client, I saw that it was still connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username : anyconnect Index : 50
Assigned IP : 192.168.10.2 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 11488 Bytes Rx : 1351
Group Policy : GroupPolicy_Test Tunnel Group : Test
Login Time : 12:24:15 EDT Thu Apr 17 2014
Duration : 0h:00m:12s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

So the conclusion is, that the users will not get disconnected if you change the certificate on the outside interface.

Hope this answers your question.

Vishnu

View solution in original post

Vishnu Sharma · ‎04-17-2014

Hi,

It will not disconnect users because the main purpose of using cert in first place other than identity is to securely distribute symmetric session key. Once done, the cert work is done.

I did a quick test at my end.

I connected a client to the ASA using certs. Here are the outputs:

ASA-32-25# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
ssl trust-point SSL outside <-- This is the certificate applied on outside interface.
ssl certificate-authentication fca-timeout 2

Now, I connected my client and it successfully got connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username : anyconnect Index : 50
Assigned IP : 192.168.10.2 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 11488 Bytes Rx : 1351
Group Policy : GroupPolicy_Test Tunnel Group : Test
Login Time : 12:24:15 EDT Thu Apr 17 2014
Duration : 0h:00m:04s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

I then, removed the certificate from outside interface.

ASA-32-25(config)# no ssl trust-point SSL outside

And when, I checked the status of connected client, I saw that it was still connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username : anyconnect Index : 50
Assigned IP : 192.168.10.2 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)3DES
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 11488 Bytes Rx : 1351
Group Policy : GroupPolicy_Test Tunnel Group : Test
Login Time : 12:24:15 EDT Thu Apr 17 2014
Duration : 0h:00m:12s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

So the conclusion is, that the users will not get disconnected if you change the certificate on the outside interface.

Hope this answers your question.

Vishnu

Chris McDaniel · ‎04-17-2014

Thanks Vishnu! I'll give it a go and let you know!

arnert · ‎10-09-2020

Just to expand on this - I swapped out a expiring certificate today for Anyconnect users on our 5525 (9.13(1)10) using UDP DTLS tunnels and Parent tunnels. --- It appears that the parent tunnels stayed up, but the data tunnel(s) had to be rebuilt. - I got burned on this one thinking the "actual" tunnels would stay up. This is not an apples to apples comparison, but BEWARE!