10-17-2022 12:15 AM - edited 10-17-2022 12:18 AM
Background Info:
We have two ASAs in two DCs. On both, we have Remote VPN configured.
For the sake of understanding:
On both ASAs' connection profile, we have AAA + certificate as the authentication method. Both ASAs have the same identity and CA certificates.
Aside from that, we also have a client profile on both; however, there is only one server configured under 'server list'. The server hostname on both ASAs is vpn1.company.com (Is this a red flag? Do we need to have two servers, also for server hostname vpn2.company.com?)
Working scenario:
Users can log in to RA VPN on ASA1 using the URL vpn1.company.com
Users can also log in on ASA2 using the same URL, vpn1.company.com (after we change the DNS pointing of this URL to the ASA2 public IP)
Non-working scenario:
Users cannot log in using the URL vpn2.company.com on either of the ASAs.
They get an error on the AnyConnect VPN client: 'Certificate validation Failure'
AnyConnect logs:
10:10:37 Contacting vpn2.company.com/trusted.
10:10:38 No valid certificates available for authentication.
10:11:05 Contacting vpn2.company.com/trusted.
10:11:05 Connection attempt has failed.
10:11:06 No valid certificates available for authentication.
10-17-2022 01:02 AM
@munaf shaikh do you have a certificate on ASA2? Is the common name correct (vpn2.company.com)?
From the CLI of the ASA2 run "show crypto ca certificates" to confirm it's got the correct certificate.
In regard to the AnyConnect profile configuration, you should define the server and also define the backup server. So when the primary fails, it should automatically failover to the server defined as the backup.
10-17-2022 02:44 AM - edited 10-17-2022 02:47 AM
Common name is correct, as we have a wildcard identity certificate (*.company.com). We have the same certificate on both ASAs.
And as I mentioned, we do have a server defined under the client profile on both the ASAs. However, only 1 server is defined, and the hostname of this server is vpn1.company.com on both the ASAs. Not sure if this is the reason for the certificate validation failure error when users try to connect to vpn2.company.com
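To make the point about the profile's server list concrete (one primary entry for vpn1.company.com and no backup, versus a profile that also carries a BackupServerList entry), here is an added example that is not from this thread or from Cisco: a small parser for the ServerList section of an AnyConnect client profile that reports whether a given hostname is listed as a primary or backup server. The two profile documents are constructed samples; the element names (ServerList, HostEntry, HostName, HostAddress, BackupServerList) are assumed to follow the AnyConnect profile schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a profile with a single primary server and no backup,
# like the one described in the thread (not a real profile from any ASA).
PROFILE_SINGLE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn1.company.com</HostName>
      <HostAddress>vpn1.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed sample: same primary server, plus vpn2.company.com as a backup.
PROFILE_WITH_BACKUP = PROFILE_SINGLE.replace(
    "<HostAddress>vpn1.company.com</HostAddress>",
    "<HostAddress>vpn1.company.com</HostAddress>\n"
    "      <BackupServerList>\n"
    "        <HostAddress>vpn2.company.com</HostAddress>\n"
    "      </BackupServerList>")


def parse_server_list(profile_xml):
    """Return one dict per HostEntry: primary name/address and backup addresses."""
    root = ET.fromstring(profile_xml)
    # Strip the default namespace so tag paths work with or without it.
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    entries = []
    for he in root.findall("./ServerList/HostEntry"):
        entries.append({
            "HostName": (he.findtext("HostName") or "").strip(),
            "HostAddress": (he.findtext("HostAddress") or "").strip(),
            "Backups": [b.text.strip() for b in he.findall("BackupServerList/HostAddress") if b.text],
        })
    return entries


def check_hostname(profile_xml, hostname):
    """Classify a hostname as 'primary', 'backup' or 'not listed' in the profile."""
    hn = hostname.strip().lower()
    for e in parse_server_list(profile_xml):
        if hn in (e["HostName"].lower(), e["HostAddress"].lower()):
            return "primary"
        if hn in [b.lower() for b in e["Backups"]]:
            return "backup"
    return "not listed"
```

Run `check_hostname(PROFILE_SINGLE, "vpn2.company.com")` against a profile exported from the ASA to see at a glance whether the hostname users type is covered by the pushed profile at all.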
10-17-2022 03:09 AM - edited 10-17-2022 03:16 AM
@munaf shaikh so is the correct certificate actually in use on ASA2? From the CLI check "ssl trust-point <trustpoint name> <outside interface name> "
10-17-2022 12:15 PM
@Rob Ingram Yes, correct, and the same certificate is being used on both the ASAs.