Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4588
Views
0
Helpful
2
Replies

Cisco AnyConnect Client (Windows 10) doesn't perform any certificate authentication checks

mark goff
Level 1
Level 1

‎09-26-2017 07:40 AM - edited ‎03-12-2019 04:34 AM

Hi All,

 

I've got a strange problem which i just can't figure out. On our network we have 2 windows domains

An old domain which has a mixture of Win 7 & Win 10 PC's

A newer domain which has just Win 10 PC's

All our PC's have a personal computer certifiacte issued by our Microsoft CA's and the chain of the cert's are all vaid (using the same root-ca) i've confirmed serial numbers of the certs in the chain to be 100% certain of this. Uploaded on my ASA is both my Subordinate-Certs for both domains and the shared root-ca.

 

I use this certifiacte to authenticate devices whilst away from our LAN via the AnyConnect Client. The Windows 10 Pc's on the new doamin and Windows 7 PC's on the old domain work perfectly, I can see in the logs they have selected the correct cert and its been validated ... perfect! However the Windows 10 PC's on the old domain do not work i'm presented with the dreaded generic message "Certificate Validation Failure" even though they all have the same cert chain and root CA present. 

 

In the debug logs (below) i've shown the two flavours that do work, and also the win 10 on the old domain that doesn't.

Now in the logs the Old Domain Win10 PC connects selects a valid cipher and then immediatly disconnects, it performs no certificate checks what so ever.... ? it should pop up with at least something like"checking fo suitable trustpoint for auth" & "no suitable trust point found" but no nothing, i'm totally confused as to why this check isn't taking.

All 3 PC types use the same URL to connect via the client and have the same AnyConnect version (v4.1.04011) although i have updated these PC's to v4.5 but still no change. they all connect to an ASA 5520 on version 917-19.

 

Debug below:

 

Win 7 on old Domain - Sucessfully connects :-)

Sep 26 2017 09:53:58 172.16.44.10 : %ASA-6-302013: Built inbound TCP connection 11479681 for internet:xxxx/20103 (xxxx/20103) to identity:172.16.41.131/443 (172.16.41.131/443)
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-6-725001: Starting SSL handshake with client internet:xxxx/20103 for TLSv1 session.
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725010: Device supports the following 3 cipher(s).
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[3] : RC4-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725008: SSL client internet:xxxx/20103 proposes the following 10 cipher(s).
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[3] : AES256-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[4] : AES128-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[5] : DHE-DSS-AES256-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[7] : DES-CBC3-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[9] : RC4-SHA
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725011: Cipher[10] : RC4-MD5
Sep 26 2017 09:53:58 172.16.44.10 : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client internet:xxxx
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-7-717025: Validating certificate chain containing 2 certificate(s).
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-6-717022: Certificate was successfully validated. Certificate is resident and trusted, serial number: 5A0000000E704427A0AA2A7AC600000000000E, subject name: cn=my-cn name,dc=my-domain,dc=me,dc=uk.
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-7-717029: Identified client certificate within certificate chain. serial number: 6C000000AC876E2B55156AC04F0000000000AC, subject name: unknown.
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-7-717030: Found a suitable trustpoint "my-cn" to validate certificate.
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-6-717022: Certificate was successfully validated. serial number: 6C000000AC876E2B55156AC04F0000000000AC, subject name:  unknown.
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 26 2017 09:53:59 172.16.44.10 : %ASA-6-725002: Device completed SSL handshake with client internet:xxxx/18603

 

 

Win 10 on New Domain - Also sucessfully connects :-)

Sep 26 2017 12:55:49 172.16.44.10 : %ASA-6-302013: Built inbound TCP connection 11755482 for internet:xxxx/44049 (xxxx/44049) to identity:172.16.41.131/443 (172.16.41.131/443)
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-6-725001: Starting SSL handshake with client internet:xxxx/44049 for TLSv1 session.
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725010: Device supports the following 3 cipher(s).
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[3] : RC4-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725008: SSL client internet:xxxx/44049 proposes the following 3 cipher(s).
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[2] : AES128-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Sep 26 2017 12:55:49 172.16.44.10 : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client internet:xxxx/44049
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-302014: Teardown TCP connection 11755482 for internet:xxxx/44049 to identity:172.16.41.131/443 duration 0:00:00 bytes 4268 TCP Reset-I
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-302013: Built inbound TCP connection 11755484 for internet:xxxx/25920 (xxxx/25920) to identity:172.16.41.131/443 (172.16.41.131/443)
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-725001: Starting SSL handshake with client internet:xxxx/25920 for TLSv1 session.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725010: Device supports the following 3 cipher(s).
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[3] : RC4-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725008: SSL client internet:xxxx/25920 proposes the following 3 cipher(s).
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[2] : AES128-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725011: Cipher[3] : DES-CBC3-SHA
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client internet:xxxx/25920
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-717025: Validating certificate chain containing 2 certificate(s).
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-717030: Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-717022: Certificate was successfully validated. serial number: 5A0000001F36C47C1FA344797000000000001F, subject name:  cn=my-cn,dc="my-new-domain,dc=me,dc=uk.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-717029: Identified client certificate within certificate chain. serial number: 170000000B3C3C99FEE4AF86BA00000000000B, subject name: unknown.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-7-717030: Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-717022: Certificate was successfully validated. serial number: 170000000B3C3C99FEE4AF86BA00000000000B, subject name:  unknown.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 26 2017 12:55:50 172.16.44.10 : %ASA-6-725002: Device completed SSL handshake with client internet:xxxx/25920

 

 

Win 10 PC on old domain   -   DOES NOT CONNECT :-(

Sep 26 2017 08:54:31 172.16.44.10 : %ASA-6-302013: Built inbound TCP connection 11402487 for internet:xxxx/49622 (xxxx/49622) to identity:172.16.41.131/443 (172.16.41.131/443)
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-6-725001: Starting SSL handshake with client internet:xxxx/49622 for TLSv1 session.
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725010: Device supports the following 3 cipher(s).
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[1] : AES256-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[2] : DES-CBC3-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[3] : RC4-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725008: SSL client internet:xxxx/49622 proposes the following 11 cipher(s).
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[3] : AES256-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[6] : AES128-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[7] : RC4-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[8] : RC4-MD5
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725011: Cipher[11] : DES-CBC3-SHA
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client internet:xxxx/49622
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-6-725002: Device completed SSL handshake with client internet:xxxx/49622
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-6-725007: SSL session with client internet:xxxx/49622 terminated.
Sep 26 2017 08:54:31 172.16.44.10 : %ASA-6-302014: Teardown TCP connection 11402487 for internet:xxxx/49622 to identity:172.16.41.131/443 duration 0:00:00 bytes 4684 TCP FINs

 

It doesn't even seem to check against any certificate, it looks as though it connects and then straight away disconnects.

 

I'm totally confuesd by it, can anyone help ?

Adam

 

 

 

Labels:
0 Helpful
2 Replies 2

GioGonza
Level 4
Level 4

‎09-26-2017 02:20 PM

Hello @mark goff,

Can you generate a DART file for the working and non-working for a comparison?. Also we should get the following debugs in order to check the negotiation for the certificate:

+ debug crypto ca
+ debug crypto ca transactions
+ debug crypto ca messages

Gio
0 Helpful

Michael.Fusco1
Level 1
Level 1
In response to GioGonza

‎05-02-2018 11:31 AM

Same Issue! any Luck?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents