04-17-2020 06:50 AM
Hello everybody,
I configured remote VPN with LDAPS authentication on the FTD device. If I try to connect with AnyConnect, then I get the error:
PKI[8]: val status=1: cert subject: /CN=dc Root CA - 1. ctx->error: (0)ok, cert_idx: 2
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/CN=dc Sub CA - 1. ctx->error: (0)ok, cert_idx: 1
PKI[8]: val status=1: cert subject: /DC=local/DC=dc/OU=Domain Controllers/CN=SRV. ctx->error: (0)ok, cert_idx: 0
...
PKI[9]: Evaluating policy ftd-rz-ha_20200414-1 for conn type 0x400
PKI[9]: pki_is_policy_match: policy ftd-rz-ha_20200414-1 rejected. No matching fingerprint in chain
...
PKI[7]: Selected policy ftd-rz-ha_2020041501 for session 0x00105a5b
PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2, NOT acceptable for usage type AAA Server
PKI[7]: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.1 acceptable for usage type: AAA Server
PKI[7]: check_key_usage:Key Usage check OK
PKI[8]: Close session 0x00105a5b asynchronously
PKI[9]: Async unlocked for session 0x00105a5b
PKI[8]: process msg cmd=1, session=0x00105a5b
PKI[9]: Async locked for session 0x00105a5b
PKI[9]: Async unlocked for session 0x00105a5b
PKI[9]: CERT API thread sleeps!
[5] Connect to LDAP server: ldaps://172.25.5.31:636, status = Failed
[5] Unable to read rootDSE. Can't contact LDAP server.
Could you please tell me what the reason could be?
Regards,
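The PKI debug above validates the DC certificate chain and then runs the Extended Key Usage check, reporting 1.3.6.1.5.5.7.3.2 (clientAuth) as not acceptable and 1.3.6.1.5.5.7.3.1 (serverAuth) as acceptable for the AAA Server usage type, before the LDAPS connect to 172.25.5.31:636 fails. The script below is an added example, not code from the thread or from Cisco: it repeats those two checks from a workstation with openssl, first against the certificate a live LDAPS endpoint presents, then against two locally generated self-signed certificates constructed here to stand in for a domain controller certificate (one issued without serverAuth, one carrying serverAuth plus the LDAP server's IP in the SAN). The hostname srv.dc.local, the helper names and the use of `openssl req -addext` (OpenSSL 1.1.1 or newer) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the FTD's identity and
# Extended Key Usage checks against an LDAPS server certificate with openssl.
set -eu

# Pull the certificate a live LDAPS endpoint presents (first cert in the chain).
# Assumed usage: fetch_ldaps_cert 172.25.5.31 636 > server.pem
fetch_ldaps_cert() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# 0 when the PEM cert carries the serverAuth EKU (1.3.6.1.5.5.7.3.1), the one
# the FTD debug reports as "acceptable for usage type: AAA Server".
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'TLS Web Server Authentication'
}

# 0 when the cert's SAN names the address the FTD dials. The realm in the
# thread points at an IP, so an "IP Address:" SAN entry is what matters.
names_ldap_host() {
    cert=$1; target=$2
    openssl x509 -in "$cert" -noout -text \
        | grep -Eq "(IP Address|DNS):$target(,|\$)"
}

# Combined verdict: the cert must pass both checks to be usable for LDAPS.
check_ldaps_cert() {
    has_server_auth_eku "$1" && names_ldap_host "$1" "$2"
}

# Constructed fixtures (hypothetical): two self-signed certs in place of a DC
# certificate. "bad" mimics a client-auth-only template; "good" mimics a cert
# with serverAuth and the LDAP server's IP in the SAN.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {
    name=$1; eku=$2; san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -subj "/DC=local/DC=dc/OU=Domain Controllers/CN=SRV" \
        -addext "extendedKeyUsage=$eku" \
        -addext "subjectAltName=$san" >/dev/null 2>&1
}
make_cert bad  clientAuth            "DNS:srv.dc.local"
make_cert good serverAuth,clientAuth "DNS:srv.dc.local,IP:172.25.5.31"

for c in bad good; do
    if check_ldaps_cert "$WORK/$c.pem" 172.25.5.31; then
        echo "$c: usable for LDAPS to 172.25.5.31"
    else
        echo "$c: NOT usable for LDAPS to 172.25.5.31"
    fi
done
```

Run `fetch_ldaps_cert 172.25.5.31 > server.pem` from a host that can reach the DC, then `check_ldaps_cert server.pem 172.25.5.31`; a certificate that fails either check would not satisfy the usage check the FTD debug shows, independent of which CA certificates are imported on the FTD.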
04-17-2020 07:22 AM
Follow the steps given in the thread below to import the LDAP CA cert onto the FTD.
04-17-2020 07:42 AM
Hi Raul,
thanks for your answer.
I did it. The FTD has an identity certificate from the root CA. I installed the root CA and the root sub CA too.
Regards,