Problem between ASA and IPHONE

leandro-contino
Level 1

Hello, I'm trying to connect an iPhone to CUMA with the ASA acting as a proxy, and I'm getting the following error on my ASA.

This is the scenario.

|IPHONE (Wi-fi)| --inet -- |ASA| -- |CUMA|


"SSL failed to set device certificate for trustpoint asa-iphone. Reason:  No device certificate found."

I installed the certificate on my iPhone, and in my tls-proxy I have the trustpoint related to my iPhone.

My guide for configuring this was ASA-CUMA Step By Step.


https://supportforums.cisco.com/docs/DOC-8402


I would appreciate it if anyone could help me.

Thanks in advance

6 Replies

Joseph Martini
Cisco Employee

Make sure you're using a self signed cert generated by the ASA instead of a 3rd party certificate.

Yes, I'm using the signed cert, or at least I think so.

I'm sending my tls-proxy config.

TLS-Proxy 'cuma-proxy': ref_cnt 1, seq# 4
  Server proxy:
    Trust-point: asa-iphone
    Authenticate client: FALSE
  Client proxy:
    Trust-point: asa-self-signed-id-cert
    Local dynamic certificate issuer:
    Local dynamic certificate key-pair:
    Cipher suite:  aes128-sha1 aes256-sha1
  Run-time proxies:
    Proxy 0xc97523e0: Class-map: cuma-proxy, Inspect: mmp
          Active sess 0, most sess 1, byte 0

Can you say if it is OK, or do I have to change anything?

Thanks

Hi guys,

I have the same problem.

Have you found any workarounds?

Thanks.

Regards

Hi,

The problem is that the tls-proxy config is pointing to the wrong certificate.

The "asa-iphone" trustpoint should hold the certificate that the ASA presents to the clients.

tls-proxy cuma-proxy
server trust-point asa-iphone
no server authenticate-client
client trust-point asa-self-signed-id-cert
client cipher-suite aes128-sha1 aes256-sha1

Regards

jubetz
Level 1

This error:

"SSL failed to set device certificate for trustpoint asa-iphone. Reason:  No device certificate found."

Means that there is no ID certificate in the trustpoint named asa-iphone. So the ASA doesn't have a cert in that trustpoint to provide as its identity in the SSL handshake.

You may have brought the certificate into the trustpoint using the "crypto ca authenticate ..." command rather than "crypto ca import <trustpoint> certificate".

You must use a Verisign or GeoTrust signed certificate with the CUMA proxy, and you must have the entire cert chain installed on the ASA.

HTH,

jb
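The two answers above boil down to one check: the trustpoint named under "Server proxy:" in `show tls-proxy` must contain an identity certificate, not just a CA certificate left behind by `crypto ca authenticate`. The script below is an added example, not code from the thread or from Cisco: it parses the text of `show tls-proxy` and `show crypto ca certificates` and flags any proxy trustpoint that cannot present an identity. The `show tls-proxy` sample is the output posted in the thread; the `show crypto ca certificates` sample is constructed, and its exact layout (the "Certificate" / "CA Certificate" headers and the "Associated Trustpoints:" line) is an assumption of this example, so adjust the matching if your ASA version prints it differently.

```python
"""
Flag TLS-proxy trustpoints on an ASA that hold no identity certificate.

Input is the text of two show commands.  The 'show tls-proxy' sample is
taken from the thread; the 'show crypto ca certificates' sample is
constructed for this example and its layout is an assumption.
"""
import re

# Posted in the thread: the proxy's server side points at 'asa-iphone'.
SHOW_TLS_PROXY = """\
TLS-Proxy 'cuma-proxy': ref_cnt 1, seq# 4
  Server proxy:
    Trust-point: asa-iphone
    Authenticate client: FALSE
  Client proxy:
    Trust-point: asa-self-signed-id-cert
    Local dynamic certificate issuer:
    Local dynamic certificate key-pair:
    Cipher suite:  aes128-sha1 aes256-sha1
"""

# Constructed: 'asa-iphone' was only authenticated (CA cert present),
# while the self-signed trustpoint has a real identity certificate.
SHOW_CA_CERTS = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c
  Certificate Usage: Signature
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=Example Root CA
  Associated Trustpoints: asa-iphone

Certificate
  Status: Available
  Certificate Serial Number: 0f0e0d
  Certificate Usage: General Purpose
  Issuer Name:
    cn=asa-self-signed-id-cert
  Subject Name:
    cn=asa-self-signed-id-cert
  Associated Trustpoints: asa-self-signed-id-cert
"""


def proxy_trustpoints(text):
    """Return {proxy: {'server': trustpoint, 'client': trustpoint}}."""
    proxies, current, side = {}, None, None
    for line in text.splitlines():
        m = re.match(r"TLS-Proxy '([^']+)'", line)
        if m:
            current, side = m.group(1), None
            proxies[current] = {}
            continue
        stripped = line.strip()
        if stripped == "Server proxy:":
            side = "server"
        elif stripped == "Client proxy:":
            side = "client"
        elif stripped.startswith("Trust-point:") and current and side:
            proxies[current][side] = stripped.split(":", 1)[1].strip()
    return proxies


def trustpoint_contents(text):
    """Return {trustpoint: set of 'CA' / 'ID'} from 'show crypto ca certificates'."""
    contents, kind = {}, None
    for line in text.splitlines():
        if line == "CA Certificate":          # cert loaded by 'crypto ca authenticate'
            kind = "CA"
        elif line == "Certificate":           # identity cert (enroll / import)
            kind = "ID"
        elif line.strip().startswith("Associated Trustpoints:") and kind:
            for tp in line.split(":", 1)[1].replace(",", " ").split():
                contents.setdefault(tp, set()).add(kind)
    return contents


def find_missing_identity(tls_proxy_text, ca_cert_text):
    """List (proxy, side, trustpoint, reason) for trustpoints with no ID cert."""
    contents = trustpoint_contents(ca_cert_text)
    findings = []
    for proxy, sides in proxy_trustpoints(tls_proxy_text).items():
        for side, tp in sides.items():
            kinds = contents.get(tp, set())
            if not kinds:
                findings.append((proxy, side, tp, "no certificate at all"))
            elif "ID" not in kinds:
                findings.append((proxy, side, tp,
                                 "CA certificate only: authenticated but never imported/enrolled"))
    return findings


if __name__ == "__main__":
    for proxy, side, tp, reason in find_missing_identity(SHOW_TLS_PROXY, SHOW_CA_CERTS):
        print(f"{proxy} {side} trust-point {tp}: {reason}")
```

Run against the thread's configuration this reports `cuma-proxy server trust-point asa-iphone: CA certificate only`, which is exactly the condition behind "No device certificate found". To use it on a live box, paste the two show outputs into the constants (or read them from files) and fix the flagged trustpoint by importing the identity certificate and its full chain into it.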

Hi Justin,

I also got this error:

MMP:: received 538 bytes from outside:IP_OUT/1956 to inside:IP_IN/5443
MMP:: unsupported header
MMP:: error=-1 from outside:IP_OUT/1956 to inside:IP_IN/5443

I saw that one of the MMP inspection actions is: "Verifies that client MMP headers are well-formed. Upon detection of a malformed header, the TCP session is terminated."

Do you have any ideas? (browser/config problems?)

Thanks.

Regards
