SSL VPN with machine certificate authentication

Jelle.roggeveen
Level 1

Hi All,

I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....

Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"

The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate? Does someone have an explanation for that?

By the way, we have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.

Thanks in advance for your help

Hardware is ASA5540, software version 8.2(5).

Some pieces of the configuration below:

group-policy VPN4TEST-Policy internal
group-policy VPN4TEST-Policy attributes
 wins-server value xx.xx.xx.xx
 dns-server value xx.xx.xx.xx
 vpn-simultaneous-logins 1
 vpn-idle-timeout 60
 vpn-filter value VPN4TEST_allow_access
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock none
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 default-domain value cs.ad.klmcorp.net
 vlan 44
 nac-settings none
 address-pools value VPN4TEST-xxx
 webvpn
  svc modules value vpngina
  svc profiles value KLM-SSL-VPN-VPN4TEST
tunnel-group VPN4TEST-VPN type remote-access
tunnel-group VPN4TEST-VPN general-attributes
 address-pool VPN4TEST-xxx
 authentication-server-group RSA-7-Authent
 default-group-policy VPN4TEST-Policy
tunnel-group VPN4TEST-VPN webvpn-attributes
 authentication aaa certificate
 group-alias VPN4TEST-ANYCONNECT enable


1 Reply

Jelle.roggeveen
Level 1

Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.