
Error when running 'no ca-check' command

mike.capps
Level 1

Interesting error I'm receiving while configuring my ASA to use Azure AD MFA. In Cisco's documentation, I run the following:

 

crypto ca trustpoint AzureAD-AC-SAML
revocation-check none
no id-usage
enrollment terminal
no ca-check

However, after no ca-check, I get the following error:

S1-ASA(config-ca-trustpoint)# no ca-check
^
ERROR: % Invalid input detected at '^' marker.


I know this is a required step, but I can't for the life of me find anything online about it. When I type 'no ?' and view the list of supported options, ca-check isn't one of them. It's almost like my ASA doesn't have that option. Any ideas? Firmware possibly?


ASA Version 9.1(6)

Accepted Solutions

mike.capps
Level 1

Well, figured it out. Looks like it's the firmware. Amazingly, we're running 9.1.6 from 2015. 

Found that no ca-check was introduced in firmware 9.4.1, based off this website: Cisco ASA New Features by Release - Cisco

 

Since we're using a very old ASA5540, it would appear that 9.1.6 is the latest firmware. So I guess it's time to replace that thing, fun! Also explains why there's zero documentation online related to the error, I don't think Azure AD MFA was much of a thing back then. 
