10-01-2010 07:03 AM - edited 03-19-2019 01:40 AM
Hello, I'm trying to connect an iPhone to CUMA with the ASA as a proxy, and I'm getting the following error on my ASA.
This is the scenario.
|IPHONE (Wi-fi)| --inet -- |ASA| -- |CUMA|
"SSL failed to set device certificate for trustpoint asa-iphone. Reason: No device certificate found."
I installed the certificate on my iPhone, and in my tls-proxy I have the trustpoint associated with my iPhone.
My guide to configure this was ASA-CUMA Step By Step.
https://supportforums.cisco.com/docs/DOC-8402
I would appreciate it if anyone could help me.
Thanks in advance
10-01-2010 10:48 AM
Make sure you're using a self signed cert generated by the ASA instead of a 3rd party certificate.
10-01-2010 10:54 AM
Yes, I'm using the signed cert, or at least I think so.
I'm sending my tls-proxy config:
TLS-Proxy 'cuma-proxy': ref_cnt 1, seq# 4
Server proxy:
Trust-point: asa-iphone
Authenticate client: FALSE
Client proxy:
Trust-point: asa-self-signed-id-cert
Local dynamic certificate issuer:
Local dynamic certificate key-pair:
Cipher suite: aes128-sha1 aes256-sha1
Run-time proxies:
Proxy 0xc97523e0: Class-map: cuma-proxy, Inspect: mmp
Active sess 0, most sess 1, byte 0
Can you say if it is OK or if I have to change anything?
Thanks
11-18-2010 02:54 AM
Hi guys,
I have the same problem.
Have you found any workarounds?
Thanks.
Regards
11-18-2010 03:32 AM
Hi,
The problem is that the tls-proxy config is pointing to the wrong certificate.
The "asa-iphone" should be the certificate that the ASA presents to the clients.
tls-proxy cuma-proxy
server trust-point asa-iphone
no server authenticate-client
client trust-point asa-self-signed-id-cert
client cipher-suite aes128-sha1 aes256-sha1
Regards
11-19-2010 09:13 AM
This error:
"SSL failed to set device certificate for trustpoint asa-iphone. Reason: No device certificate found."
means that there is no ID certificate in the trustpoint named asa-iphone. So the ASA doesn't have a cert in that trustpoint to provide as its identity in the SSL handshake.
You may have brought the certificate into the trustpoint using the "crypto ca authenticate ..." command rather than the "crypto ca import
You must use a VeriSign or GeoTrust signed certificate with the CUMA proxy and you must have the entire cert chain installed on the ASA.
HTH,
jb
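Added example, not part of the posts above and not Cisco tooling: an offline Python check for the condition described in the preceding reply, a tls-proxy "server trust-point" that holds a CA certificate but no identity certificate. The `show crypto ca certificates` text is a constructed, abbreviated sample in that command's assumed layout, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample in the layout of `show crypto ca certificates`
# (assumed). It models a trustpoint that was only authenticated (CA cert only).
SHOW_CERTS = """\
Certificate
  Status: Available
  Associated Trustpoints: asa-self-signed-id-cert

CA Certificate
  Status: Available
  Associated Trustpoints: asa-iphone
"""

# tls-proxy configuration as posted in the thread.
TLS_PROXY = """\
tls-proxy cuma-proxy
 server trust-point asa-iphone
 no server authenticate-client
 client trust-point asa-self-signed-id-cert
 client cipher-suite aes128-sha1 aes256-sha1
"""

HEADERS = {"Certificate": "id", "CA Certificate": "ca"}

def certs_by_trustpoint(show_output):
    """Map each trustpoint name to the certificate kinds ('id', 'ca') it holds."""
    kinds, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"\s+Associated Trustpoints:\s*(.+)", line)
        if m and current:
            for tp in m.group(1).split():
                kinds.setdefault(tp, set()).add(current)
        elif line and not line[0].isspace():  # unindented line starts an entry
            current = HEADERS.get(line.strip())
    return kinds

def server_trustpoints(config):
    """Trustpoints the ASA presents to clients ('server trust-point' lines)."""
    return re.findall(r"^\s*server trust-point\s+(\S+)", config, re.M)

def missing_identity(config, show_output):
    """Server trustpoints with no identity certificate installed."""
    kinds = certs_by_trustpoint(show_output)
    return [tp for tp in server_trustpoints(config)
            if "id" not in kinds.get(tp, set())]

print(missing_identity(TLS_PROXY, SHOW_CERTS))
```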
11-22-2010 02:42 AM
Hi Justin,
I also got this error:
MMP:: received 538 bytes from outside:IP_OUT/1956 to inside:IP_IN/5443
MMP:: unsupported header
MMP:: error=-1 from outside:IP_OUT/1956 to inside:IP_IN/5443
I saw that one of the MMP inspection actions is: "Verifies that client MMP headers are well-formed. Upon detection of a malformed header, the TCP session is terminated."
Do you have any ideas? (Browser/config problems?)
Thanks.
Regards