Problem between ASA and IPHONE

Unanswered Question
Oct 1st, 2010

Hello, I'm trying to connect an iPhone to CUMA with the ASA as a proxy, and I am getting the following error on my ASA.

This is the scenario.

|IPHONE (Wi-fi)| --inet -- |ASA| -- |CUMA|


"SSL failed to set device certificate for trustpoint asa-iphone. Reason:  No device certificate found."

I installed the certificate on my iPhone, and in my tls-proxy I have the trustpoint associated with my iPhone.

My guide to configure this was ASA-CUMA Step By Step.


https://supportforums.cisco.com/docs/DOC-8402


I would appreciate it if anyone could help me.


Thanks in advance.

Joseph Martini Fri, 10/01/2010 - 10:48

Make sure you're using a self signed cert generated by the ASA instead of a 3rd party certificate.

leandro-contino Fri, 10/01/2010 - 10:54

Yes, I'm using the signed cert, or at least I think so.

I'm sending my tls-proxy config:

TLS-Proxy 'cuma-proxy': ref_cnt 1, seq# 4
  Server proxy:
    Trust-point: asa-iphone
    Authenticate client: FALSE
  Client proxy:
    Trust-point: asa-self-signed-id-cert
    Local dynamic certificate issuer:
    Local dynamic certificate key-pair:
    Cipher suite:  aes128-sha1 aes256-sha1
  Run-time proxies:
    Proxy 0xc97523e0: Class-map: cuma-proxy, Inspect: mmp
          Active sess 0, most sess 1, byte 0

Can you tell me if it is OK, or whether I have to change anything?

Thanks

Cristian Iconaru Thu, 11/18/2010 - 03:32

Hi,

The problem is that the tls-proxy config is pointing to the wrong certificate.

The "asa-iphone" trustpoint should be the certificate that the ASA presents to the clients.

tls-proxy cuma-proxy
server trust-point asa-iphone
no server authenticate-client
client trust-point asa-self-signed-id-cert
client cipher-suite aes128-sha1 aes256-sha1

Regards

jubetz Fri, 11/19/2010 - 09:13

This error:

"SSL failed to set device certificate for trustpoint asa-iphone. Reason:  No device certificate found."

Means that there is no ID certificate in the trustpoint named asa-iphone. So the ASA doesn't have a cert in that trustpoint to provide as its identity in the SSL handshake.

You may have brought the certificate into the trustpoint using the "crypto ca authenticate ..." command rather than the "crypto ca import identity-certificate".

You must use a verisign or geotrust signed certificate with the CUMA proxy and you must have the entire cert chain installed on the ASA.

HTH,

jb
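The error jb decodes above comes down to what a PEM bundle leaves in a trustpoint: a CA certificate alone (what "crypto ca authenticate" loads) gives the device nothing to present, and an identity certificate without its issuing CA gives an incomplete chain. The following Go program is an added example, not code from this thread or from Cisco: it builds a constructed root CA and a hypothetical ASA identity certificate in memory (the names "Demo Root CA" and "asa.example.invalid" are placeholders), then inspects three bundles the way a trustpoint would see them, reporting whether an identity certificate is present and whether it chains to a root in the same bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Report struct {
	CACerts       int  // certificates with basicConstraints CA:TRUE
	IdentityCerts int  // end-entity certificates the device could present
	ChainComplete bool // every identity cert chains to a self-signed root in the bundle
}

// InspectBundle parses every CERTIFICATE block, separates CA certificates from
// identity certificates, and verifies each identity certificate against the CA
// material in the same bundle. No identity cert is the "No device certificate found" case.
func InspectBundle(bundle []byte) (Report, error) {
	var r Report
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	var leaves []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // keys and other PEM objects are skipped
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return r, err
		}
		switch {
		case !c.IsCA:
			r.IdentityCerts++
			leaves = append(leaves, c)
		case c.CheckSignatureFrom(c) == nil: // self-signed CA: a root
			r.CACerts++
			roots.AddCert(c)
		default: // CA signed by another CA: an intermediate
			r.CACerts++
			inters.AddCert(c)
		}
	}
	if r.IdentityCerts == 0 {
		return r, fmt.Errorf("no identity certificate in bundle (CA material only)")
	}
	r.ChainComplete = true
	for _, leaf := range leaves {
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := leaf.Verify(opts); err != nil {
			r.ChainComplete = false // a CA in the chain is missing from the bundle
		}
	}
	return r, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// DemoBundles builds a constructed root CA and a hypothetical ASA identity cert
// (placeholder names, nothing from the thread): CA only, identity only, full chain.
func DemoBundles() (caOnly, idOnly, full []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	idKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	must(err)
	id := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "asa.example.invalid"},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	idDER, err := x509.CreateCertificate(rand.Reader, id, ca, &idKey.PublicKey, caKey)
	must(err)
	caOnly = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	idOnly = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: idDER})
	full = append(append([]byte{}, idOnly...), caOnly...)
	return caOnly, idOnly, full
}

func main() {
	caOnly, idOnly, full := DemoBundles()
	fmt.Println(InspectBundle(caOnly)) // CA only: error, no identity certificate
	fmt.Println(InspectBundle(idOnly)) // identity without its CA: ChainComplete false
	fmt.Println(InspectBundle(full))   // identity plus CA: ChainComplete true
}
```

Run it against an exported trustpoint bundle instead of DemoBundles() to confirm, before enrolling, that the material you are about to import contains the device's own certificate and every issuing CA above it; an intermediate that is missing from the bundle shows up as ChainComplete false even though an identity certificate is present.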

Cristian Iconaru Mon, 11/22/2010 - 02:42

Hi Justin,

I also got this error:

MMP:: received 538 bytes from outside:IP_OUT/1956 to inside:IP_IN/5443
MMP:: unsupported header
MMP:: error=-1 from outside:IP_OUT/1956 to inside:IP_IN/5443

I saw that one of the MMP inspection actions is: "Verifies that client MMP headers are well-formed. Upon detection of a malformed header, the TCP session is terminated."

Do you have any ideas? (browser/config problems?)

Thanks.

Regards
