Cisco Anyconnect SSL Cert VPN Loop

Yousif Ahmed
Level 1
3 May 28 2021 12:02:37 717009 Certificate validation failed. Peer certificate key usage is invalid, serial number: (HIDDEN), subject name: CN=(HIDDEN).

3 May 28 2021 12:02:37 717027 Certificate chain failed validation. Certificate chain is either invalid or not authorized.

We cannot figure out why these messages are appearing.

We used IPSEC (Offline) MS CA Template.

Made sure Digital Signature was enabled.

Tried these two commands:

crypto ca trustpoint
ignore-ipsec-keyusage

Also, the certificate imports successfully in the AnyConnect VPN client. Then it throws the two codes above; it's giving it a new cert and throwing the same code over and over (loop).

Accepted Solution

Yousif Ahmed
Level 1

Well, the issue has been resolved. It was fun while it lasted.

After going round and round, I was convinced this had something to do with the CA certificate.

Use the IP security IKE intermediate template (offline) and duplicate the template.

Resolution:

In the properties of the IP security IKE intermediate template (offline), look for Extensions, make sure Application Policies is highlighted, click Edit, and make sure Client Authentication, IP security IKE intermediate and Server Authentication are selected. By default only IP security IKE intermediate is selected; adding Client and Server Authentication fixed the issue.
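An added example, not from the thread or from Cisco: a small Go program that checks a certificate's Extended Key Usage extension for the three application policies the resolution enables, then runs that check against two self-signed throwaway certificates (constructed here in place of certificates from the MS CA) standing in for the template before and after the change. The OID 1.3.6.1.5.5.8.2.2 is the IP security IKE intermediate policy; the function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// OID of the "IP security IKE intermediate" policy; Go has no constant for it, so ParseCertificate files it under UnknownExtKeyUsage.
var oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// MissingEKUs parses a DER certificate and lists which of the three application policies from the resolution it lacks.
func MissingEKUs(der []byte) ([]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	missing := []string{}
	if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
		missing = append(missing, "Client Authentication")
	}
	if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
		missing = append(missing, "Server Authentication")
	}
	if !slices.ContainsFunc(c.UnknownExtKeyUsage, oidIKEIntermediate.Equal) {
		missing = append(missing, "IP security IKE intermediate")
	}
	return missing, nil
}

// issueTestCert self-signs a throwaway certificate (constructed here, not issued by the MS CA) carrying the given EKUs.
func issueTestCert(ekus []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus, UnknownExtKeyUsage: extra}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	auth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	m1, _ := MissingEKUs(issueTestCert(nil, []asn1.ObjectIdentifier{oidIKEIntermediate}))  // template as shipped: IKE intermediate only
	m2, _ := MissingEKUs(issueTestCert(auth, []asn1.ObjectIdentifier{oidIKEIntermediate})) // after adding the two authentication policies
	fmt.Println("default template missing:", m1, "| fixed template missing:", m2)
}
```

Running the same check on a certificate exported from the CA in DER form, before it is handed to the ASA, confirms that the template change actually reached the issued certificate.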
