11-08-2024 01:12 PM - edited 11-08-2024 01:21 PM
Hi, I have recently upgraded my ASA to version 9.20.3.4
We use certificates to authenticate clients, and on client computers, we use an application called "Net iD Client."
Users with an older version of "Net iD Client" kept getting a "certificate validation failure" error message.
Other users who have a newer "Net iD Client" version were able to connect with Cisco Secure Client without any issues.
It has worked fine when we used the older ASA version 9.18.4.
Unfortunately, I can't pinpoint what might be causing the problem.
Any advice on how I can troubleshoot the problem? What possible config changes should I make on the ASA?
The SSL cipher is left at the default with both ASA versions.
11-08-2024 09:50 PM
@Ab26 wrote:
Hi, I have recently upgraded my ASA to version 9.20.3.4
We use certificates to authenticate clients, and on client computers, we use an application called "Net iD Client."
Users with an older version of "Net iD Client" kept getting a "certificate validation failure" error message.
Other users who have a newer "Net iD Client" version were able to connect with Cisco Secure Client without any issues. It has worked fine when we used the older ASA version 9.18.4.
Unfortunately, I can't pinpoint what might be causing the problem.
Any advice on how I can troubleshoot the problem? What possible config changes should I make on the ASA?
The SSL cipher is left at the default with both ASA versions.
Hello,
To troubleshoot the "certificate validation failure" issue after upgrading to ASA 9.20.3.4:
Verify Certificates: Ensure the correct root and intermediate CA certificates are installed on both the ASA and client machines, and that the client trusts these certificates.
Check Cipher Suites: Review the ASA's SSL cipher settings (show run ssl). Ensure compatibility with older Net iD Client versions by allowing legacy ciphers if necessary.
Review Logs: Check ASA logs for SSL/TLS errors (show log) and any issues with certificate validation or handshakes.
Test with TLS Versions: Ensure the ASA supports the same SSL/TLS versions as the older Net iD Client. You may need to enable older TLS versions (like TLS 1.0/1.1) temporarily.
Net iD Client Logs: Check logs on the client for more details on why certificate validation fails.
Hope this helps!
Best regards,
LiteBlue
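One way to carry out the certificate, cipher and TLS-version checks above from a workstation rather than from inside the Net iD Client, as an added example that is not from this thread or from Cisco: it drives openssl s_client against the ASA's outside interface with one TLS version at a time and summarises what was negotiated and whether the presented chain verifies. It assumes openssl is installed; the host name and the CA bundle path are placeholders, and the embedded s_client output is constructed for the self-check.

```bash
#!/usr/bin/env bash
# Added diagnostic helper (not from the thread). Assumes: openssl on PATH,
# VPN_HOST = ASA outside interface (placeholder), CA_BUNDLE = the root and
# intermediate CA PEM file the clients are expected to trust (placeholder).
set -u

# Reduce `openssl s_client -showcerts` text to one line:
#   <protocol> <cipher> <certs-in-chain> <verify-return-code>
# A verify code other than 0 or a chain count of 1 points at a missing
# intermediate on the ASA; an empty protocol/cipher means that TLS version
# was refused, which is what an older client pinned to it would see.
summarize_sclient() {
  awk '
    /^[ \t]*Protocol[ \t]*:/        { proto  = $NF }
    /^[ \t]*Cipher[ \t]*:/          { cipher = $NF }
    /^-----BEGIN CERTIFICATE-----/  { certs++ }
    /^[ \t]*Verify return code:/    { rc = $4 }
    END { printf "%s %s %d %s\n", proto, cipher, certs, rc }
  '
}

# Try each TLS version separately, the way an old client limited to one of
# them would, and print the summary per version. Run manually as:
#   probe_tls vpn.example.net ca-bundle.pem
probe_tls() {
  local host="$1" cafile="$2" ver
  for ver in tls1 tls1_1 tls1_2 tls1_3; do
    printf '%-8s ' "$ver"
    openssl s_client -connect "$host:443" -servername "$host" -"$ver" \
      -showcerts -CAfile "$cafile" </dev/null 2>&1 | summarize_sclient
  done
}

# Constructed excerpt of s_client output (two PEM blocks, then the session
# block) used to demonstrate the parser without network access.
SAMPLE_OUTPUT='-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)'

# Prints: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 2 21
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_sclient
```

Compare the per-version lines from a 9.18.4 and a 9.20.3.4 ASA side by side; a version that negotiates on one and not the other, or a chain that shrinks, narrows the search faster than client-side logs alone.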