Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
280
Views
1
Helpful
1
Replies

ASA version 9.20.3.4 and Net iD Client

Ab26
Level 1
Level 1

‎11-08-2024 01:12 PM - edited ‎11-08-2024 01:21 PM

Hi, I have recently upgraded my ASA to version 9.20.3.4
We use certificates to authenticate clients, and on client computers, we use an application called "Net iD Client."
Users with an older version of "Net iD Client" kept getting a "certificate validation failure" error message.
Other users who have a newer "Net iD Client" version were able to connect with Cisco Secure Client without any issues.

It has worked fine when we used the older ASA version 9.18.4. 
Unfortunately, I can't pinpoint what might be causing the problem.
Any advice on how can I troubleshoot the problem? What are the possible config changes should I do on the ASA? 
The ssl cipher, is left on default with both ASA versions.

Labels:
0 Helpful
1 Reply 1

diana45peters
Level 1
Level 1

‎11-08-2024 09:50 PM

@Ab26 wrote:

Hi, I have recently upgraded my ASA to version 9.20.3.4
We use certificates to authenticate clients, and on client computers, we use an application called "Net iD Client."
Users with an older version of "Net iD Client" kept getting a "certificate validation failure" error message.
Other users who have a newer "Net iD Client" version were able to connect with Cisco Secure Client without any issues.

It has worked fine when we used the older ASA version 9.18.4. 
Unfortunately, I can't pinpoint what might be causing the problem.
Any advice on how can I troubleshoot the problem? What are the possible config changes should I do on the ASA? 
The ssl cipher, is left on default with both ASA versions.

Hello, To troubleshoot the "certificate validation failure" issue after upgrading to ASA 9.20.3.4:

  1. Verify Certificates: Ensure the correct root and intermediate CA certificates are installed on both the ASA and client machines, and that the client trusts these certificates.

  2. Check Cipher Suites: Review the ASA's SSL cipher settings (show run ssl). Ensure compatibility with older Net iD Client versions by allowing legacy ciphers if necessary.

  3. Review Logs: Check ASA logs for SSL/TLS errors (show log) and any issues with certificate validation or handshakes.

  4. Test with TLS Versions: Ensure the ASA supports the same SSL/TLS versions as the older Net iD Client. You may need to enable older TLS versions (like TLS 1.0/1.1) temporarily.

  5. Net iD Client Logs: Check logs on the client for more details on why certificate validation fails.

Hope this helps!
Best regards,
LiteBlue

Customers Also Viewed These Support Documents