Clean Access Server could not establish a secure connection

Jun 14th, 2008

I have an OOB Real IP GW setup on v4.1.2.

I seem to have a problem with the CAS connecting to the CAM although I have added the CAS to the CAM and can manage the CAS from the CAM.

I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication vlan. I eventually figured out that if I change the CAS Filter Fallback method from Allow to ignore then it tries to authenticate the client. However the fact that the fallback is activated tells you that something is not right.

I have 2 problems:

A) The client's web page is redirected for authentication but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server and it would not help as it does not include the hostname in the URL anyway. How do I fix this? Or perhaps it's related to the 2nd problem.

B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:

Network Error:

Clean Access Server could not establish a secure connection to Clean Access Manager at

This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.

Please report this to your network administrator.

I would guess the culprit is No 2 but surely the system can run on self-signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.

Any ideas?

trevora Mon, 06/16/2008 - 10:18

To overcome problem B, I regenerated the SSL Certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.

I also SSH'd from each of the CAS's to each of the CAM's from the CLI and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.

Faisal Sehbai Mon, 06/16/2008 - 17:52

How are you doing your certificates on your CAS? Are they issued to the IP of the CAS or the hostname?

trevora Tue, 06/17/2008 - 13:37

Problem A was resolved by upgrading to v4.1.3.1

albert_coll Thu, 09/18/2008 - 22:01

In my case, this message was due to a loss of connectivity between CAM and CAS.

Verify the status of the CAS at the CAM web admin console: Device Management > Clean Access Servers. If the CAS appears as “not connected”, troubleshoot the network path between both servers: cabling, switches, firewalls in between, etc.
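Added example (not part of any post in this thread and not Cisco's code): a Python sketch of the two certificate checks behind the error text, expiry and whether the certificate is issued to the address the peer is actually reached by, which is the hostname-versus-IP question raised above. It assumes a plain CN/SAN comparison without wildcards; the certificate fields, names and addresses are constructed sample values in the dictionary layout Python's `ssl.getpeercert()` returns. Reachability, the third cause, is a network check and is not covered.

```python
import ipaddress
import ssl

# Constructed sample certificates (not taken from a real appliance).
BY_NAME = {"subject": ((("commonName", "cam.lab.example"),),),
           "notAfter": "Jun 14 00:00:00 2009 GMT"}
BY_IP = {"subject": ((("commonName", "192.0.2.10"),),),
         "notAfter": "Jun 14 00:00:00 2009 GMT"}
NOW = ssl.cert_time_to_seconds("Jun 16 10:00:00 2008 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jun 15 00:00:00 2009 GMT")


def cert_names(cert):
    """Collect the names a certificate is issued to: CN plus any SAN entries."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ())
              if k in ("DNS", "IP Address")]
    return names


def same_name(a, b):
    """Compare as IP addresses when both parse, else as hostnames."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        # At least one side is a hostname: case-insensitive exact match.
        return a.lower().rstrip(".") == b.lower().rstrip(".")


def diagnose(cert, peer_addr, now):
    """Return 'expired', a name-mismatch message, or 'ok'."""
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    names = cert_names(cert)
    if not any(same_name(n, peer_addr) for n in names):
        return "name mismatch: issued to %s, peer addressed as %s" % (
            names, peer_addr)
    return "ok"


if __name__ == "__main__":
    # A certificate issued to a hostname does not cover the same box by IP.
    print(diagnose(BY_NAME, "192.0.2.10", NOW))
    print(diagnose(BY_IP, "192.0.2.10", NOW))
```

The check does not validate the trust chain, so a self-signed certificate that passes here still has to be trusted by the peer.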

