cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1732
Views
1
Helpful
14
Replies

Secure Client Management Tunnel cert issue

gcook0001
Level 1
Level 1

I am trying to setup our RAVPN to use the management tunnel. I followed the directions found here.

Configure SSL AnyConnect Management VPN on FTD - Cisco

When I try to connect I get "No valid certificates available for authentication". I am wondering if it is because we use a wild card certificate. In the article under troubleshooting it does state the following

  • Ensure the CN field is included in the certificate and is the same as the FQDN defined in the Server List of the Management VPN Profile and FQDN defined in URL alias.

Any help would be greatly appreciated.

14 Replies 14

@gcook0001 do the windows computers trust the root certificate used by the FTD and does the FTD trust the machine certificate used by the windows computers?

I think I may have figured out the issue. Just need to figure out what to change. I am using a wild card certificate issued by GoDaddy for our WAN addresses. I just noticed in the logs the computer is trying to use the certificate for our internal domain. Thanks for pointing me in the right direction. I will let you know how I make out.

@gcook0001 add the internal root CA certificates (which issued the certificate to the windows devices) to the FTD to ensure mutual trust.

I am trying to change the certificate and it won't deploy. I checked and I get an error stating ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again. ERROR: Trust-point is not enrolled. Config Error -- ssl trust-point CGC-WILDCARD WAN1-GW

But when I run show crypto ca certificates I get Associated Trustpoints: cgc-wildcard

and show crypto ca trustpoint I get 

Trustpoint CGC-WILDCARD:
Subject Name:
CN=xxx-DC2-CA
DC=xxx
DC=local
Serial Number: -------------------
Certificate configured.

where DC2 is our internal CA.

Does anyone have a guide for setting up ravpn on FTD/FMC with cert only authentication that makes sense? I can't get this to work. 

@gcook0001 the clients will be authenticating using either a user or machine certificate issued from the internal CA. If the FTD has a wildcard public certificate it also needs the internal CA certificate imported.

Example:

Untitled picture.png

So for the Internal root CA import use the Manual CA only enrollment type and paste the internal root CA that issued the certificate to the client devices.

Anyconnect will use the "user" certificate as default, if you have a "machine" certificate then use an anyconnect profile.

 

So now I can connect using certificate only. But what I don't understand now is that when the maintenance tunnel can't connect.

I get the error:

Tunnel group search using certificate maps failed for peer certificate: serial number: xxxxxxxxxxx, subject name: CN=*.ssmic.com, issuer_name: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,…

Both the vpn profile and maintenance profile are the same.

And I do have both - cgc is internal and ssmic is exteranl

gcook0001_0-1689278045060.png

 

@gcook0001 are you matching against the correct certificate in the map?

OK. I am lost now. What do you mean when matching against the correct certificate in the map.

If I change the certificate here to the internal one, I can't connect at all.

gcook0001_0-1689279699805.png

Here it doesn't give me the option to select a certificate

gcook0001_1-1689279784945.png

I don't know where else to look

 

@gcook0001 your previous response mentioned a certificate map.

So how have you configured XML profile for the mgmt tunnel on the devices? The mgmt tunnel needs to use the machine certificate to authenticate, this must be explictly configured in the XML profile.

You can also turn on debugging, use both "webvpn" and "ssl" logging on "debugging" to get full visibility of all certificate authentication errors to assist with determining the problem.

 

 

Salman Mahajan
Cisco Employee
Cisco Employee

Please provide the DART 

 

gcook0001
Level 1
Level 1

I opened a ticket with TAC.