4513 Views, 0 Helpful, 13 Replies

Issues configuring AnyConnect on ASA 5510 using AnyConnect Version 4.3.02039

MocoSport95
Level 1

I am in need of some assistance configuring these older ASA 5510s for AnyConnect Version 4.3.02039.

I keep getting trustpoint not valid and certificate not authenticating errors on the ASA logs.

Can anyone please assist me with this. Thanks.

-Allen


13 Replies

Rahul Govindan
VIP Alumni

Could you paste the logs that you are seeing on the ASA? Also, do you see errors when you try to connect to the ASA using the client?

I will see if I can get permission to post the logs. Please be in touch. I should have an answer tomorrow or Wednesday. Thank you.

-Allen

We keep getting Certificate Validation Failure.

What type of certs do we need to use for AnyConnect and the ASA for this to work?

Do we need CA certs, identity certs, or other types? We are also getting the error "TrustPoint not validated" as well.

Thank you. I look forward to hearing from you. Your help is greatly appreciated. Check LinkedIn as well.

Since Anyconnect uses SSL/TLS, you would need to have an SSL identity certificate issued to the ASA at the very least. This is usually obtained from a trusted Certificate Authority (CA) and issued to the public Fully Qualified Domain Name (FQDN) of the ASA. If you want, you can authenticate the client using a certificate. For this, the client would need an identity certificate, which is usually obtained from an internal CA (Microsoft PKI environment). The ASA should trust the CA that has issued the client certificate.

If you are getting Certificate validation error, it could point to the client certificate not being trusted by the ASA. Are you using client certificate authentication on the ASA?

How do I check to make sure the ASA is using client certificate authentication?

Thank you.

-Allen

"show run tunnel-group" should show you if authentication method is set to "aaa", "certificate" or "aaa certificate". Default is "aaa".

its currently set to "aaa certificate"

Means you are using both aaa and certificate authentication. Do you want to use client certificate authentication? If so, you need to have a certificate installed on the client machine. You would also have to import the CA certificate of that client cert onto the ASA so that it is trusted.

If you don't want client cert authentication, change the command to just "aaa". User will only be prompted for username and password.

We are looking into this now. I am awaiting my colleague's assistance and hopefully he (Mark) will be reaching out to you shortly. I am very confident that with your assistance and expertise we can finally get this figured out.

Hello Rahul,

Are you currently available? We may have a few questions.

Thanks.

We may also send a short config for the AnyConnect issues as well. Thanks.

-Allen

Hello Rahul,

We uploaded the relevant parts of the config for the ASA 5510 and the errors from the firewall log. Can you please let us know what we need to fix in order to get AnyConnect working properly? Thank you and have a great day.

Respectfully,

Allen

Your tunnel-group webteam is set to authenticate the client with a certificate.

tunnel-group webteam webvpn-attributes
 authentication certificate

The ASA complains that it does not trust the certificate of the client

%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.

You need to install the "DigiCert SHA2 Assured ID CA" certificate as a CA certificate in a different trustpoint on the ASA. This CA certificate can be found on digicert website.
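Pulling the three answers above together (check which authentication method the tunnel-group uses, put the CA that issued the client certificates into its own trustpoint so the %ASA-3-717027 chain-validation error goes away, or drop back to password-only authentication), here is an added example of the ASA CLI sequence. It is not Rahul's or Allen's configuration: the trustpoint names CLIENT-CA and ASA-IDENTITY, the address pool, group policy, group alias and the "outside" interface name are assumptions, and the CA certificate body is a placeholder that you would replace with the PEM downloaded from the CA's website.

```cisco
! 1. See which authentication method the tunnel-group actually uses.
!    "aaa certificate" = username/password AND a client certificate;
!    "certificate" = client certificate only; "aaa" = password only.
asa# show run tunnel-group webteam
tunnel-group webteam type remote-access
tunnel-group webteam general-attributes
 address-pool VPN-POOL
 default-group-policy GP-WEBTEAM
tunnel-group webteam webvpn-attributes
 authentication aaa certificate
 group-alias webteam enable

! 2. Client-certificate path: the CA that issued the client certificates
!    goes in its own trustpoint (separate from the trustpoint that holds
!    the ASA's SSL identity certificate) and is imported from the terminal.
!    Names below are assumed, not from the thread.
asa# configure terminal
asa(config)# crypto ca trustpoint CLIENT-CA
asa(config-ca-trustpoint)# enrollment terminal
asa(config-ca-trustpoint)# revocation-check none
asa(config-ca-trustpoint)# exit
asa(config)# crypto ca authenticate CLIENT-CA
! The ASA now prompts for the base64 CA certificate, terminated by "quit".
-----BEGIN CERTIFICATE-----
<base64 body of the issuing CA certificate, replace this placeholder>
-----END CERTIFICATE-----
quit
! The ASA shows the certificate fingerprint and asks you to accept it;
! compare it against the fingerprint published by the CA before saying yes.

! Confirm the CA certificate is present in the new trustpoint.
asa(config)# show crypto ca certificates CLIENT-CA
asa(config)# show crypto ca trustpoints

! 3. The ASA must also present its own identity certificate on the
!    interface the clients connect to (the TLS server side of the handshake).
asa(config)# ssl trust-point ASA-IDENTITY outside

! 4. Alternative: password-only authentication. Users are then prompted
!    for username and password and no client certificate is requested,
!    so the missing CA trustpoint no longer matters.
asa(config)# tunnel-group webteam webvpn-attributes
asa(config-tunnel-webvpn)# authentication aaa
asa(config-tunnel-webvpn)# exit
asa(config)# write memory
```

Everything here is done from the CLI, so it does not depend on ASDM. Keep the client-CA trustpoint and the ASA's own identity trustpoint separate: a trustpoint that holds the identity certificate chain is not what the ASA searches when it validates a client's certificate chain, which is why the log reports "No suitable trustpoint was found to validate chain" even when the ASA's own SSL certificate is fine.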

Also, we can't use ASDM, so we have to do everything via the CLI. So if you can tell me how to check via the command line on the ASA to ensure we are configured to use client certificate authentication, that would be great. Much appreciated.