
The certificate on secure gateway is invalid. anyconnect issue

elnurh
Level 1

Hi everybody. I faced a problem which is not standard for me. Some VPN clients on AnyConnect stopped connecting, swearing that the certificate was not correct, while others connect without problems. I installed a self-signed certificate and a certificate signed by RSA on the ASA and did an update of the ASA software, but nothing has changed. Those who are connected are connected and those who have stopped are not connected. The only thing that has changed is that those who could not connect (they connected successfully, then disconnected with an error about the certificate) now connect, and after a second the connection is interrupted and they reconnect, and so on endlessly.
Please help me solve this problem. Thank you in advance.


balaji.bandi
Hall of Fame

Is the certificate valid? How about NTP?

What kind of logs did you capture on the ASA side?

What ASA model is it, and what code is it running?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

elnurh
Level 1

1) As I wrote, I tried all types of certificates: self-signed and signed with RSA.

2) If NTP were wrong, no one could connect via AnyConnect, but there are only a few laptops that have this issue.

3) The problem laptop connects to the VPN gateway and disconnects immediately. There are no logs that show me an error; only the log on the client side shows a certificate error.

4) The ASA model is 5525X, version 9.8.1, and I have updated to 9.8.4.

 

Just want to know: can they (the remote clients which are not able to connect) try putting the IP address of your ASA into AnyConnect, and does this work?

If this does work using the IP address of your ASA, in that case it is more likely an FQDN issue with the cert.

Please do not forget to rate.
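The checks the replies above ask for (validity window against the client's clock, and whether the name or IP typed into AnyConnect is covered by the certificate) can be run offline against a certificate in the dict shape Python's `ssl.getpeercert()` returns. This is an added example, not part of the thread and not Cisco's matching logic; the sample certificates, their dates and the host name `vpn.isb.az` are constructed, and the CN fallback for certificates without DNS SANs is an assumption of the sketch. Chain trust is not evaluated.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# Subject mirrors the "self" trustpoint in the posted config; dates are invented.
SELF_SIGNED = {
    "subject": ((("commonName", "ASA-1.asa.loc"),),),
    "subjectAltName": (),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2033 GMT",
}
# Constructed wildcard certificate for the domain named in the config.
WILDCARD = {
    "subject": ((("commonName", "*.isb.az"),),),
    "subjectAltName": (("DNS", "*.isb.az"), ("DNS", "isb.az")),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def cert_time(value: str) -> datetime:
    """Convert an OpenSSL-style 'Jan  1 00:00:00 2023 GMT' string to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive label match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_gateway_cert(cert: dict, dialed: str, now: datetime) -> list:
    """Return problem tags for the address the user typed into the VPN client.

    Tags: NOT_YET_VALID (often a wrong client clock), EXPIRED, NAME_MISMATCH.
    """
    problems = []
    if now < cert_time(cert["notBefore"]):
        problems.append("NOT_YET_VALID")
    elif now > cert_time(cert["notAfter"]):
        problems.append("EXPIRED")

    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]

    try:
        dialed_ip = ipaddress.ip_address(dialed)
    except ValueError:
        dialed_ip = None

    if dialed_ip is not None:
        # An IP is only covered by an explicit IP SAN, never by a DNS name or CN.
        if not any(ipaddress.ip_address(v) == dialed_ip for v in ip_names):
            problems.append("NAME_MISMATCH")
    else:
        # Assumption: fall back to the subject CN only when no DNS SAN exists.
        candidates = dns_names or [
            v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"
        ]
        if not any(dns_match(c, dialed) for c in candidates):
            problems.append("NAME_MISMATCH")
    return problems


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for cert, name in [(SELF_SIGNED, "ASA-1.asa.loc"), (SELF_SIGNED, "1.1.1.1"),
                       (WILDCARD, "vpn.isb.az"), (WILDCARD, "a.b.isb.az")]:
        print(name, check_gateway_cert(cert, name, now) or "ok")
```

Feeding it the output of `getpeercert()` from each affected laptop, together with that laptop's own clock, separates a gateway-side naming problem from a client-side one.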

elnurh
Level 1

Doesn't work with IP address too.

If you generated a self-signed cert, I assume this self-signed cert was not generated against your CA server. And is the self-signed cert imported to the client laptops/computers?

Could you upload the ASA configuration and, if possible, attach a DART file from the AnyConnect computer which is having the issue?

Please do not forget to rate.

I configured the self-signed certificate via the Cisco guide. This certificate isn't imported to client laptops or PCs. I never do that because everything works without it.

Could you tell me which part of the config you need me to show? And which DART file?

The AnyConnect clients who have no issues: what AnyConnect version are they on?

What is the AnyConnect version of the non-working AnyConnect client?

When the working AnyConnect clients connect to the ASA, the certificate warning is presented, and once they agree to proceed they connect to the ASA.

How does this behave with the client that is not working? Are they not presented with the cert at all? What do they see, and what message do they get?

Could you upload your ASA config (all of it) and remove the public IP addresses and usernames?

For DART, here is the link: Document - Cisco Security Management Software - Cisco AnyConnect VPN Client: Troubleshooting Using the Diagnostic AnyConnect Reporting Tool (DART) | HPE Support

Please do not forget to rate.

elnurh
Level 1

The version is the same for the clients who connect via AnyConnect and those who do not connect.

But it's interesting that I have created a new certificate and set the trustpoint to outside; the non-working clients, when they connect, are not shown a warning about the certificate, and when they connect the certificate is to be installed in the trusted folder. But I think it doesn't install it. Later I will upload the part of the config for SSL.

This is the part of the config for SSL VPN:


: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)

ASA Version 9.8(1)5
!
hostname ASA-1
domain-name asa.loc
names
dns-guard


!
interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
duplex full
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
duplex full
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
no nameif
no security-level
no ip address
!

!

!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Port-channel1
lacp max-bundle 8
no nameif
no security-level
no ip address
!

!
interface Port-channel1.124
vlan 124
nameif COMMONDMZ
security-level 60
ip address 10.5.124.1 255.255.255.0 standby 10.5.124.2

!
interface Port-channel1.777
vlan 777
nameif inside
security-level 100
ip address 10.5.177.10 255.255.255.0 standby 10.5.177.11

interface Port-channel2
lacp max-bundle 8
no nameif
no security-level
no ip address
!

!
interface Port-channel2.2511
vlan 2511
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2

boot system disk0:/asa984-46-smp-k8.bin
boot system disk0:/asa981-5-smp-k8.bin
no ftp mode passive

dns domain-lookup inside

dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.5.124.50
name-server 10.5.124.51
domain-name isb.az
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


pager lines 24
logging enable
logging timestamp
logging list VpnLoggingList level informational class auth
logging list VpnLoggingList level debugging class ha
logging list VpnLoggingList level debugging class vpn
logging list VpnLoggingList level informational class webvpn
logging list VpnLoggingList level informational class svc
logging list VpnLoggingList level informational class ssl
logging list VpnLoggingList message 737006
logging list VpnLoggingList message 737016
logging list VpnLoggingList message 737026
logging list VpnLoggingList message 722000-722033
logging list VpnLoggingList message 113001-113045
logging list VpnLoggingList message 725001-725017
logging list VpnLoggingList message 716001-716603
logging buffer-size 256000
logging asdm-buffer-size 512
logging buffered debugging
logging trap VpnLoggingList
logging asdm informational
logging device-id hostname
logging host inside 10.5.123.63
logging class vpn trap errors
logging class webvpn trap errors
logging message 722030 level informational
logging message 722031 level informational
logging message 722051 level informational
mtu COMMONDMZ 1500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface COMMONDMZ
ip verify reverse-path interface inside
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover key F@1L0V3R!!
failover replication http
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 192.168.100.1 255.255.255.248 standby 192.168.100.2
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384


timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 3
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DRsite
no snmp-server location
no snmp-server contact
snmp-server community isb-wizard
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set DR_TSET esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal DEBIAN-IPSEC-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal aes-256_esp-sha-hmac
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal esp-aes-sha-goldenpay
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 36000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA-1
crl configure
crypto ca trustpoint self
enrollment self
fqdn ASA-1.asa.loc
subject-name CN=ASA-1.asa.loc
keypair sslvpnkeypair
crl configure
crypto ca trustpoint NEW-SSL
keypair NEW-SSL
validation-usage ipsec-client ssl-client ssl-server
crl configure
crypto ca trustpoint NSSL
keypair NEW-SSL
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6e7efa61
quit
crypto ca certificate chain self
certificate 86f3a062
quit
crypto ca certificate chain NEW-SSL
certificate ca 7d5b5126b476ba11db74160bbc530da7
quit
crypto ca certificate chain NSSL
certificate 6f2d7a5262eba636216151b361108634
quit
certificate ca 7d5b5126b476ba11db74160bbc530da7
quit
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 36000
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 5 2
prf sha256 sha
lifetime seconds 36000
crypto ikev2 policy 3
encryption aes-256
integrity md5
group 2
prf sha
lifetime seconds 36000
crypto ikev2 policy 4
encryption 3des
integrity sha md5
group 5 2
prf sha md5
lifetime seconds 36400
crypto ikev2 policy 5
encryption aes-256
integrity sha md5
group 5 2
prf sha256 sha md5
lifetime seconds 36000
crypto ikev2 policy 6
encryption aes-256
integrity sha
group 5
prf sha256 sha md5
lifetime seconds 28800
crypto ikev2 policy 7
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 8
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 9
encryption aes-256
integrity sha256
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha256 sha
group 14
prf sha256 sha
lifetime seconds 86400
crypto ikev2 policy 11
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 12
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400

crypto ikev2 remote-access trustpoint self
crypto ikev2 remote-access trustpoint NSSL
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto ikev1 policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 12
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 13
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 3600
telnet timeout 5
no ssh stricthostkeycheck
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.5.123.55
ssl trust-point self outside
webvpn
port 4433
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-linux-64-4.3.01095-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.3.02039-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy Developer-NGP internal
group-policy Developer-NGP attributes
wins-server value 10.5.124.51
dns-server value 10.5.124.50 10.5.124.51
vpn-simultaneous-logins 5
vpn-filter value DEVELOPERFILTER.ACL
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DEVELOPERANYSPLIT.ACL
default-domain value isbis.local
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 300

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy General-NGP internal
group-policy General-NGP attributes
wins-server value 10.5.124.51
dns-server value 10.5.124.50 10.5.124.51
vpn-simultaneous-logins 5
vpn-filter value GENERALFILTER.ACL
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GENERALANYSPLIT.ACL
default-domain value isbis.local
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 300

group-policy SupportTeam-NGP internal
group-policy SupportTeam-NGP attributes
wins-server value 10.5.124.51
dns-server value 10.5.124.50 10.5.124.51
vpn-simultaneous-logins 5
vpn-filter value SUPPORTTEAMFILTER.ACL
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SUPPORTTEAMANYSPLIT.ACL
default-domain value isbis.local
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 300
group-policy DBAdmin-NGP internal
group-policy DBAdmin-NGP attributes
wins-server value 10.5.124.51
dns-server value 10.5.124.50 10.5.124.51
vpn-simultaneous-logins 5
vpn-filter value DBADMINFILTER.ACL
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DBADMINANYSPLIT.ACL
default-domain value isbis.local
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 300

group-policy SysAdmin-NGP internal
group-policy SysAdmin-NGP attributes
wins-server value 10.5.124.51
dns-server value 10.5.124.50
vpn-simultaneous-logins 5
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SYSADMINANYSPLIT.ACL
default-domain value isbis.local
webvpn
anyconnect mtu 1200
anyconnect ssl keepalive 300

dynamic-access-policy-record DfltAccessPolicy


ikev2 local-authentication pre-shared-key bhWA9zkC2Uo4NyyQzvMnx7zWE04sXIsB

tunnel-group SysAdmin-TG type remote-access
tunnel-group SysAdmin-TG general-attributes
address-pool SysAdminPool
authentication-server-group OTP
default-group-policy SysAdmin-NGP
tunnel-group SysAdmin-TG webvpn-attributes
group-alias SysAdmin enable
tunnel-group DBAdmin-TG type remote-access
tunnel-group DBAdmin-TG general-attributes
address-pool DBAdminPool
authentication-server-group OTP
default-group-policy DBAdmin-NGP

!
class-map Bakcup-transfer-out
match access-list tranfer-backup
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect snmp
class sfr
sfr fail-open monitor-only
class class-default
set connection decrement-ttl
policy-map BakcupLim
class Bakcup-transfer-out
police output 70000000
police input 70000000
!
service-policy global_policy global
prompt hostname priority state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f4b99c0dff0d36de4721371a911cd604
: end

 

elnurh
Level 1

Thanks to all who tried to help me. The issue is solved. The issue was on the client side and was a client-side certificate. The client's certificate was not showing the right version. Clear it and open it in another browser. That's all.

Glad all is good and you were able to identify the issue. Can you mark it as resolved so that it will be useful for other community members who may have the same issue?

BB
