Cisco Remote VPN : 'Certificate validation Failure' for second URL

munaf shaikh
Level 1

Background Info:

We have two ASAs in two DCs. On both, we have Remote VPN configured.

For the sake of understanding:

  1. vpn1.company.com/trusted points to ASA1 public IP
  2. vpn2.company.com/trusted points to ASA2 public IP

On both ASAs' connection profiles, we have AAA + certificate as the authentication method. Both ASAs have the same identity and CA certificates.

Aside from that, we also have a client profile on both; however, there's only one server configured under 'server list'. The server hostname on both ASAs is vpn1.company.com. (Is this a red flag? Do we need to have two servers, i.e. also one with server hostname vpn2.company.com?)

Working scenario:

Users can log in to RA VPN on ASA1 using the URL vpn1.company.com.

Users can also log in on ASA2 using the same URL, vpn1.company.com (after we change the DNS record for this URL to point to the ASA2 public IP).

Non-working scenario:

Users cannot log in using the URL vpn2.company.com on either of the ASAs.

They get an error on the AnyConnect VPN client: 'Certificate validation Failure'

AnyConnect logs:

10:10:37 Contacting vpn2.company.com/trusted.
10:10:38 No valid certificates available for authentication.
10:11:05 Contacting vpn2.company.com/trusted.
10:11:05 Connection attempt has failed.
10:11:06 No valid certificates available for authentication.

4 Replies

@munaf shaikh do you have a certificate on ASA2? Is the common name correct (vpn2.company.com)?

From the CLI of ASA2, run "show crypto ca certificates" to confirm it's got the correct certificate.

In regard to the AnyConnect profile configuration, you should define the server and also define the backup server. So when the primary fails, it should automatically fail over to the server defined as the backup.

Common name is correct, as we have a wildcard identity certificate (*.company.com). We have the same certificate on both ASAs.
And as I mentioned, we do have a server defined under the client profile on both ASAs. However, only one server is defined, and the hostname of this server is vpn1.company.com on both ASAs. Not sure if this is the reason for the certificate validation failure error when users try to connect to vpn2.company.com.
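
The reply above assumes that a wildcard identity certificate for *.company.com covers both vpn1.company.com and vpn2.company.com. The following is an added example (not code from the thread or from Cisco) that applies the usual RFC 6125 hostname-matching rules to a constructed SAN list so a defender can confirm which names such a certificate does and does not cover; the SAN value and hostnames are constructed for illustration.

```python
"""Hostname-vs-certificate-name matching using RFC 6125 style wildcard rules."""
from __future__ import annotations


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' matches exactly one non-empty label."""
    if pattern == "*":
        return bool(label)
    # Partial wildcards (e.g. 'vpn*') are rejected, as modern clients do.
    if "*" in pattern:
        return False
    return pattern == label


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN dNSName) covers hostname."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, and never for the registered
    # domain itself: '*.com' must not cover company.com.
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False
    # A wildcard spans one label only, so *.company.com != a.vpn1.company.com.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers_host(san_names: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


# Constructed sample SAN, modelled on the wildcard identity cert in the thread.
SAMPLE_SAN = ["*.company.com"]

if __name__ == "__main__":
    for host in ("vpn1.company.com", "vpn2.company.com", "company.com"):
        print(f"{host:20} covered={cert_covers_host(SAMPLE_SAN, host)}")
```

If both VPN hostnames come back covered, the server certificate's name is not the mismatch; the client-side log line "No valid certificates available for authentication" in the original post points at the client certificate selection instead, which this check does not examine.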

@munaf shaikh so is the correct certificate actually in use on ASA2? From the CLI, check "ssl trust-point <trustpoint name> <outside interface name>".

@Rob Ingram Yes, correct and the same certificate is being used on both the ASAs.