FTD LDAPs cert subject ctx->error:

Hello everybody,

I configured remote VPN with LDAPS authentication on the FTD device. If I try to connect with AnyConnect, then I get the error:

PKI[8]: val status=1: cert subject: /CN=dc Root CA - 1. ctx->error: (0)ok, cert_idx: 2
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/CN=dc Sub CA - 1. ctx->error: (0)ok, cert_idx: 1
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/OU=Domain Controllers/CN=SRV. ctx->error: (0)ok, cert_idx: 0
...

PKI[9]: Evaluating policy ftd-rz-ha_20200414-1 for conn type 0x400
PKI[9]: pki_is_policy_match: policy ftd-rz-ha_20200414-1 rejected. No matching fingerprint in chain

...

PKI[7]: Selected policy ftd-rz-ha_2020041501 for session 0x00105a5b
PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2, NOT acceptable for usage type AAA Server
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1 acceptable for usage type: AAA Server
PKI[7]: check_key_usage:Key Usage check OK
PKI[8]: Close session 0x00105a5b asynchronously
PKI[9]: Async unlocked for session 0x00105a5b
PKI[8]: process msg cmd=1, session=0x00105a5b
PKI[9]: Async locked for session 0x00105a5b
PKI[9]: Async unlocked for session 0x00105a5b
PKI[9]: CERT API thread sleeps!
[5] Connect to LDAP server: ldaps://172.25.5.31:636, status = Failed
[5] Unable to read rootDSE. Can't contact LDAP server.

Please tell me what could be the reason?

Regards,


Rahul Govindan
VIP Alumni

Follow the steps given in the below thread to import the LDAP CA cert on to FTD.

https://community.cisco.com/t5/vpn/firepower-anyconnect-ldap-ad-authentication-issue/m-p/4049393#M270734

Hi Rahul,

Thanks for your answer.

I did it. The FTD has an identity certificate from the root CA. I installed the root CA and the root sub CA too.

Regards,
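As an added example that is not part of this thread and not Cisco tooling: a small Python script that parses the kind of debug excerpt quoted in the question (the chain validation lines, the "policy ... rejected / Selected policy" lines, the ExtendedKeyUsage lines and the LDAP connect line) and states what the excerpt proves and what it does not. The regexes, the report fields and the wording of the findings are this script's own assumptions based only on the lines quoted above; the sample log is a constructed copy of those lines; reading the log's "policy" names as trustpoint names is likewise an assumption; the EKU OID names (serverAuth, clientAuth) are the standard RFC 5280 ones.

```python
"""Summarise an FTD debug excerpt for an LDAPS (AAA server) failure.

Added example; not code from this thread or from Cisco. The regexes, report
fields and finding texts are assumptions based only on the log lines quoted
in the post; EKU OID names are the RFC 5280 ones.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines copied from the debug output in the post.
SAMPLE_LOG = """\
PKI[8]: val status=1: cert subject: /CN=dc Root CA - 1. ctx->error: (0)ok, cert_idx: 2
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/CN=dc Sub CA - 1. ctx->error: (0)ok, cert_idx: 1
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/OU=Domain Controllers/CN=SRV. ctx->error: (0)ok, cert_idx: 0
PKI[9]: Evaluating policy ftd-rz-ha_20200414-1 for conn type 0x400
PKI[9]: pki_is_policy_match: policy ftd-rz-ha_20200414-1 rejected. No matching fingerprint in chain
PKI[7]: Selected policy ftd-rz-ha_2020041501 for session 0x00105a5b
PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2, NOT acceptable for usage type AAA Server
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1 acceptable for usage type: AAA Server
PKI[7]: check_key_usage:Key Usage check OK
[5] Connect to LDAP server: ldaps://172.25.5.31:636, status = Failed
[5] Unable to read rootDSE. Can't contact LDAP server.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280)
EKU_NAMES = {SERVER_AUTH: "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

# Line shapes as they appear in the post (assumed; adjust if your build prints them differently).
CHAIN_RE = re.compile(r"cert subject: (?P<subject>.+?)\. ctx->error: \((?P<code>\d+)\)\w+, cert_idx: (?P<idx>\d+)")
REJECT_RE = re.compile(r"policy (?P<name>\S+) rejected\. (?P<why>.+)$")
SELECT_RE = re.compile(r"Selected policy (?P<name>\S+) for session")
EKU_RE = re.compile(r"ExtendedKeyUsage OID = (?P<oid>[\d.]+),? (?P<verdict>NOT acceptable|acceptable) for usage type:? (?P<usage>.+)$")
LDAP_RE = re.compile(r"Connect to LDAP server: (?P<url>\S+), status = (?P<status>\w+)")


@dataclass
class PkiReport:
    chain: list = field(default_factory=list)             # (cert_idx, subject, ctx_error); idx 0 is the server cert
    rejected_policies: dict = field(default_factory=dict)  # policy (trustpoint) name -> reason given in the log
    selected_policy: str = ""
    eku: dict = field(default_factory=dict)                # EKU OID -> accepted for "AAA Server"?
    ldap_url: str = ""
    ldap_status: str = ""
    findings: list = field(default_factory=list)

    @property
    def chain_ok(self) -> bool:
        return bool(self.chain) and all(err == 0 for _, _, err in self.chain)

    @property
    def leaf_subject(self) -> str:
        return next((s for i, s, _ in self.chain if i == 0), "")


def parse_pki_log(text: str) -> PkiReport:
    """Pull the chain, policy, EKU and LDAP-connect facts out of the debug lines."""
    r = PkiReport()
    for line in text.splitlines():
        if m := CHAIN_RE.search(line):
            r.chain.append((int(m["idx"]), m["subject"], int(m["code"])))
        elif m := REJECT_RE.search(line):
            r.rejected_policies[m["name"]] = m["why"].strip()
        elif m := SELECT_RE.search(line):
            r.selected_policy = m["name"]
        elif m := EKU_RE.search(line):
            r.eku[m["oid"]] = m["verdict"] == "acceptable"
        elif m := LDAP_RE.search(line):
            r.ldap_url, r.ldap_status = m["url"], m["status"]
    return r


def diagnose(r: PkiReport) -> PkiReport:
    """Turn the parsed facts into findings; the wording is this script's own."""
    f = r.findings
    for idx, subject, err in r.chain:
        if err != 0:
            f.append(f"chain validation failed at cert_idx {idx} ({subject}): ctx->error {err}")
    for name, why in r.rejected_policies.items():
        if "fingerprint" in why.lower():
            f.append(f"policy (trustpoint) {name} rejected: none of the CAs in the presented chain "
                     f"matches the CA certificate fingerprint held by that trustpoint "
                     f"(chain leaf: {r.leaf_subject or 'unknown'})")
        else:
            f.append(f"policy (trustpoint) {name} rejected: {why}")
    if r.eku and not r.eku.get(SERVER_AUTH, False):
        seen = ", ".join(EKU_NAMES.get(o, o) for o in r.eku)
        f.append(f"server certificate offers no serverAuth EKU (seen: {seen}); AAA Server usage needs it")
    if r.ldap_status.lower() == "failed":
        pki_passed = r.chain_ok and r.eku.get(SERVER_AUTH, False) and bool(r.selected_policy)
        if pki_passed:
            f.append(f"LDAPS connect to {r.ldap_url} failed although the chain validated and the EKU "
                     f"check passed under policy {r.selected_policy}; the PKI lines in this excerpt "
                     f"do not show the cause")
        else:
            f.append(f"LDAPS connect to {r.ldap_url} failed; see the certificate findings above")
    return r


def analyze(text: str) -> PkiReport:
    return diagnose(parse_pki_log(text))


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("chain ok:", report.chain_ok, "| leaf:", report.leaf_subject)
    print("selected policy:", report.selected_policy, "| rejected:", report.rejected_policies)
    for finding in report.findings:
        print("-", finding)
```

Run against the excerpt from the question, the report says: the three-certificate chain (root CA, sub CA, server cert CN=SRV) validated with no error; policy ftd-rz-ha_20200414-1 was rejected because no certificate in that chain matched its fingerprint; policy ftd-rz-ha_2020041501 was selected; the server certificate carries serverAuth, which the AAA Server check accepts; and the LDAP connect still failed. So the PKI lines shown do not by themselves explain the failure. Things a practitioner would check next, none of which the excerpt settles: which trustpoint the realm actually points at (the one rejected on fingerprint holds a CA that is not in the DC's chain), whether the FTD can reach 172.25.5.31 on TCP 636 at all, and whether the certificate's subject (CN=SRV) versus the IP used in the LDAP URL matters for the name check on your build. The script only reads pasted debug output; it does not talk to the device or the server.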