Cisco Anyconnect Certificate problem

danarjamal
Level 1

Hello everyone, 

I am trying to configure SSL VPN on a Cisco 2851 router, but now when I try to connect to it, it gives "No valid certificates available for authentication".

I do appreciate your replies.

Thanks

7 Replies

Hi,
Have you created a trustpoint on the router, generated a CSR, had the certificate signed and imported it?

Can you upload your configuration please?

First things first, thank you for your reply, dear RJI.

Yes, I have created a trustpoint, and I am trying to use the self-signed certificate. I think I can do it that way, right?

Current configuration : 4759 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone +03 3
no network-clock-participate wic 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
!
crypto pki trustpoint SSLVPN_CERT
enrollment selfsigned
subject-name CN=fdenofa-SSLVPN.cisco.com
! revocation-check crl on a self-signed trustpoint: the certificate below carries no CRL distribution point
revocation-check crl
rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain SSLVPN_CERT
certificate self-signed 02
3082037C 30820264 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
47312130 1F060355 04031318 6664656E 6F66612D 53534C56 504E2E63 6973636F
2E636F6D 31223020 06092A86 4886F70D 01090216 13526F75 7465722E 676F7261
6E6E6574 2E6E6574 301E170D 31383035 30393139 32303537 5A170D32 30303130
31303030 3030305A 30473121 301F0603 55040313 18666465 6E6F6661 2D53534C
56504E2E 63697363 6F2E636F 6D312230 2006092A 864886F7 0D010902 1613526F
75746572 2E676F72 616E6E65 742E6E65 74308201 22300D06 092A8648 86F70D01
01010500 0382010F 00308201 0A028201 0100CD69 6F42AFFD 2D7A6CC1 3F0CEBFA
B75A12B3 5340985C EEAE35FE 9231211B EF5CFAC2 72C91BC2 06E4CC9C 9DCDA3FA
4F67FD9E 5E82A2D2 612206F9 7ACC585C C42D6433 8F181F22 3A83ED76 63E5A90B
07666564 D53E55C3 8DA0ED93 3838C822 2EC85E5D A7DD5CDB 70539D1A FAB6D0D2
CBDCAD6E F01334AE CC50EBB1 65498170 5A33812F 824839A8 815DEA68 530D4FE9
878C8259 A6C67B44 987051E2 B6146BEB 027F355D 95DC0C41 15BD09C4 1203125A
A6360F9A 3C5D3008 EB42ECF1 5D5469A3 979EF272 983E6A05 6A55B1C9 BE716231
505A655B 4916240D A4ABEF61 8C8177EC 708F47FB 9F882A50 50547566 7CF397CE
78C4CE58 549A7CA6 397DEAD1 D350BA44 C0F10203 010001A3 73307130 0F060355
1D130101 FF040530 030101FF 301E0603 551D1104 17301582 13526F75 7465722E
676F7261 6E6E6574 2E6E6574 301F0603 551D2304 18301680 141C7653 EF0211D5
63E89913 F9B602F5 87D6030D 8A301D06 03551D0E 04160414 1C7653EF 0211D563
E89913F9 B602F587 D6030D8A 300D0609 2A864886 F70D0101 04050003 82010100
1C4EFB8E F7DD248E D77C0F24 7EE433AA C7EC6F48 67BF1719 2F3F2AEF D85E9A75
E1C613CE 0F6C49C6 384E9A13 80804C10 1AC8625F C6BC8C63 127E1575 17C12673
34099000 A3DE4F25 5F3D1531 9D022709 B055943F 9DB20864 AEE80636 30B1420D
9CBC575B AE0EE46A 759C8882 45ABA0A7 87DDC267 50B44065 514DAA21 F33FD482
AD945A0F 9AE28051 58349BAC 3260EA62 EB6A5552 C1E77E5D 27CC1CBA 1C469413
0C3B5D23 ECF99C0E 66EC896F 9F42AAE1 70200324 AFF5A0E3 4503DE64 21C521EF
1E0B62DC F8687C14 F75F2B73 23388ABB 083875D2 CA6B76F6 41BBEAC4 CC44BD01
2EE7897C 47953283 E68BDD46 799606CE 2AB28A46 84BD47BD EE99745C CA188BA3
quit
!
!
! type-0 password: stored in clear text (see "no service password-encryption" above); user1 uses a hashed secret
username danar privilege 15 password 0 danar
username user1 secret 5 $1$coqx$03yIUE/bSzlUKRTdDiPxz0
archive
log config
hidekeys
!
!
!
!
!
controller E1 0/1/0
!
ip tftp min-timeout 20000
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.10.10 255.255.255.0
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address dhcp
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
!
ip local pool IP_Pool 192.168.1.10 192.168.1.15
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:gui
!
!
!
!
ixi transport http
response size 4
no shutdown
request outstanding 1
!
!
!
!
!
tftp-server system:cme
!
control-plane
!
!
telephony-service
ip source-address 95.x.x.x port 2000
max-conferences 8 gain -6
! CME web admin credential, also in clear text
web admin system name Admin password cisco
dn-webedit
transfer-system full-consult
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-template 1
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input none
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 95.x.x.x port 443
http-redirect port 80
ssl trustpoint SSLVPN_CERT
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-4.4.03034-webdeploy-k9.pkg sequence 1
!
webvpn context Test
secondary-color white
title-color #FF9900
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "IP_Pool"
svc default-domain "cisco.com"
svc keep-client-installed
svc split include 10.10.10.0 255.255.255.0
svc dns-server primary 10.10.10.10
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end

Hi,
At first glance the configuration looks OK. Does the client computer trust the certificate in use by the router?

When I previously set up SSL VPN on a router I used a certificate issued by a Windows CA; the computers had the Windows root CA and therefore trusted the certificate. This worked fine.

I have installed the certificate into the Trusted Root CA, and it should trust it now.

Can you show me the output of show crypto pki certificates please?

I don't have a lab set up to test right now, but I'd suggest modifying the certificate trustpoint to ensure the client doesn't get any certificate errors. So make sure the subject name defined in the trustpoint is the same FQDN your client uses to connect to the VPN. You'll have to regenerate the certificate.

crypto pki trustpoint SSLVPN_CERT
subject-name CN=REALFQDN
revocation-check none

This is the output, dear RJI:

Status: Available
Certificate Serial Number (hex): 05
Certificate Usage: General Purpose
Issuer:
hostname=Router.gorannet.net
cn=danarrouter.gorannet.net
Subject:
Name: Router.xxxxx.net
hostname=Danarrouter.xxxxx.net
cn=danarrouter.xxxxx.net
Validity Date:
start date: 09:18:23 +03 May 10 2018
end date: 03:00:00 +03 Jan 1 2020
Associated Trustpoints: SSLVPN_CERT

And I did that; still the same error.
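Added example, not from the thread or from Cisco: a standard-library Python script that decodes the hex blob pasted under `crypto pki certificate chain SSLVPN_CERT` in the configuration above and pulls out the fields the replies are asking about (subject and issuer names, SAN, validity window, signature algorithm, key size, whether it is a CA certificate). It then lists what a client will object to when it reaches the gateway under a given name, which is the check the "same FQDN your client uses" advice is about. The certificate bytes are copied verbatim from the post; the function names, the OID table and the use of the post's masked `95.x.x.x` gateway address as the connect name are my own. The parser is generic enough to run on any blob pasted from a `show running-config` on an IOS router, not only this one.

```python
"""Decode the certificate pasted under 'crypto pki certificate chain' above (stdlib-only DER walker)."""
from datetime import datetime

# Hex copied verbatim from the posted running-config ("certificate self-signed 02"), two config lines per row.
CERT_HEX = """
3082037C 30820264 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 47312130 1F060355 04031318 6664656E 6F66612D 53534C56 504E2E63 6973636F
2E636F6D 31223020 06092A86 4886F70D 01090216 13526F75 7465722E 676F7261 6E6E6574 2E6E6574 301E170D 31383035 30393139 32303537 5A170D32 30303130
31303030 3030305A 30473121 301F0603 55040313 18666465 6E6F6661 2D53534C 56504E2E 63697363 6F2E636F 6D312230 2006092A 864886F7 0D010902 1613526F
75746572 2E676F72 616E6E65 742E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 0A028201 0100CD69 6F42AFFD 2D7A6CC1 3F0CEBFA
B75A12B3 5340985C EEAE35FE 9231211B EF5CFAC2 72C91BC2 06E4CC9C 9DCDA3FA 4F67FD9E 5E82A2D2 612206F9 7ACC585C C42D6433 8F181F22 3A83ED76 63E5A90B
07666564 D53E55C3 8DA0ED93 3838C822 2EC85E5D A7DD5CDB 70539D1A FAB6D0D2 CBDCAD6E F01334AE CC50EBB1 65498170 5A33812F 824839A8 815DEA68 530D4FE9
878C8259 A6C67B44 987051E2 B6146BEB 027F355D 95DC0C41 15BD09C4 1203125A A6360F9A 3C5D3008 EB42ECF1 5D5469A3 979EF272 983E6A05 6A55B1C9 BE716231
505A655B 4916240D A4ABEF61 8C8177EC 708F47FB 9F882A50 50547566 7CF397CE 78C4CE58 549A7CA6 397DEAD1 D350BA44 C0F10203 010001A3 73307130 0F060355
1D130101 FF040530 030101FF 301E0603 551D1104 17301582 13526F75 7465722E 676F7261 6E6E6574 2E6E6574 301F0603 551D2304 18301680 141C7653 EF0211D5
63E89913 F9B602F5 87D6030D 8A301D06 03551D0E 04160414 1C7653EF 0211D563 E89913F9 B602F587 D6030D8A 300D0609 2A864886 F70D0101 04050003 82010100
1C4EFB8E F7DD248E D77C0F24 7EE433AA C7EC6F48 67BF1719 2F3F2AEF D85E9A75 E1C613CE 0F6C49C6 384E9A13 80804C10 1AC8625F C6BC8C63 127E1575 17C12673
34099000 A3DE4F25 5F3D1531 9D022709 B055943F 9DB20864 AEE80636 30B1420D 9CBC575B AE0EE46A 759C8882 45ABA0A7 87DDC267 50B44065 514DAA21 F33FD482
AD945A0F 9AE28051 58349BAC 3260EA62 EB6A5552 C1E77E5D 27CC1CBA 1C469413 0C3B5D23 ECF99C0E 66EC896F 9F42AAE1 70200324 AFF5A0E3 4503DE64 21C521EF
1E0B62DC F8687C14 F75F2B73 23388ABB 083875D2 CA6B76F6 41BBEAC4 CC44BD01 2EE7897C 47953283 E68BDD46 799606CE 2AB28A46 84BD47BD EE99745C CA188BA3
"""

OIDS = {"2.5.4.3": "CN", "1.2.840.113549.1.9.2": "unstructuredName",   # IOS puts the hostname here
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints"}
WEAK_SIG = ("md5WithRSAEncryption", "sha1WithRSAEncryption")

def tlv(buf, pos=0):
    """Parse one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """All TLVs packed inside a constructed value -> [(tag, value bytes)]."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def oid(b):
    """OBJECT IDENTIFIER body -> dotted string, mapped to a name when known."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def name(body):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE{type OID, value} -> [(attr, str)]."""
    return [(oid(t), v.decode("ascii")) for _, rdn in children(body)
            for _, atv in children(rdn) for (_, t), (_, v) in [children(atv)]]

def parse_cert(hex_blob):
    """Return the fields of an X.509 v3 certificate that matter for a TLS/SSL VPN gateway."""
    der = bytes.fromhex("".join(hex_blob.split()))
    (_, tbs), (_, sig_alg), _ = children(tlv(der)[1])       # tbsCertificate, signatureAlgorithm, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:                                # [0] EXPLICIT version (present for v3)
        fields = fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    nb, na = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(validity)]
    rsa = children(children(children(spki)[1][1][1:])[0][1])   # BIT STRING (skip pad byte) -> {n, e}
    info = {"serial": int.from_bytes(serial, "big"),
            "signature_algorithm": oid(children(sig_alg)[0][1]),
            "issuer": name(issuer), "subject": name(subject), "not_before": nb, "not_after": na,
            "key_bits": int.from_bytes(rsa[0][1], "big").bit_length(), "san": [], "ca": False}
    for tag, exts in fields[6:]:
        if tag != 0xA3:                                     # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(exts)[0][1]):
            parts = children(ext)                           # extnID, [critical], OCTET STRING
            ext_id, inner = oid(parts[0][1]), children(parts[-1][1])[0][1]
            if ext_id == "subjectAltName":
                info["san"] = [v.decode() for t, v in children(inner) if t == 0x82]   # dNSName only
            elif ext_id == "basicConstraints":
                flags = children(inner)                     # [cA BOOLEAN] [pathLenConstraint INTEGER]
                info["ca"] = bool(flags) and flags[0][0] == 0x01 and flags[0][1] != b"\x00"
    return info

def client_warnings(info, connect_host, now=None):
    """What a VPN client will object to when it reaches this gateway certificate as connect_host."""
    now = now or datetime.now()
    names = {v.lower() for k, v in info["subject"] if k == "CN"} | {s.lower() for s in info["san"]}
    w = []
    if connect_host.lower() not in names:
        w.append(f"name mismatch: {connect_host} is not the CN or a SAN entry {sorted(names)}")
    if info["signature_algorithm"] in WEAK_SIG:
        w.append(f"weak signature algorithm: {info['signature_algorithm']}")
    if info["issuer"] == info["subject"]:
        w.append("self-signed: the client must hold this exact certificate in its trusted root store")
    if not info["not_before"] <= now <= info["not_after"]:
        w.append(f"outside validity period {info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d}")
    return w

if __name__ == "__main__":
    cert = parse_cert(CERT_HEX)
    print(cert)
    for line in client_warnings(cert, "95.x.x.x"):          # the post's (masked) gateway address
        print("WARN:", line)
```

Run against the posted blob it reports subject CN=fdenofa-SSLVPN.cisco.com plus unstructuredName Router.gorannet.net, a SAN of Router.gorannet.net, an issuer identical to the subject (self-signed), validity 2018-05-09 to 2020-01-01, a 2048-bit RSA key, basicConstraints CA:TRUE (which is why dropping it into the Windows Trusted Root Certification Authorities store is what makes a client trust it) and md5WithRSAEncryption as the signature algorithm. Neither name is the address the gateway is bound to (`ip address 95.x.x.x port 443`), so a client that connects by IP gets a name mismatch no matter what it trusts; regenerating with a CN that matches the FQDN the client actually types, as the reply above suggests, fixes that one. The MD5 signature is a separate problem this router's self-signed enrollment produces: current TLS clients generally refuse certificates signed with MD5, so a certificate from a CA that signs with SHA-256 is the durable fix.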
