Anyconnect 3.1 - The certificate on the secured gateway is invalid

Answered Question
Nov 27th, 2012

Hi guys,

I have a problem with the Anyconnect 3.1.01065.

When I try to connect I get the "The certificate on the secured gateway is invalid. A VPN connection will not be established".

The certificate is a self-signed cert.

Anyconnect 2.5 works without problems.

ASA image: 8.4(2).

[27.11.2012 15:58:27] Ready to connect.

[27.11.2012 16:01:49] Contacting IP_WAN.

[27.11.2012 16:01:52] Please enter your username and password.

[27.11.2012 16:02:01] User credentials entered.

[27.11.2012 16:02:02] Establishing VPN session...

[27.11.2012 16:02:03] Checking for profile updates...

[27.11.2012 16:02:03] Checking for product updates...

[27.11.2012 16:02:03] Checking for customization updates...

[27.11.2012 16:02:03] Performing any required updates...

[27.11.2012 16:02:08] Establishing VPN session...

[27.11.2012 16:02:08] Establishing VPN - Initiating connection...

[27.11.2012 16:02:09] Disconnect in progress, please wait...

[27.11.2012 16:02:13] Connection attempt has failed.

Has anyone had this issue before?

Thanks a lot.

Correct Answer
jportugu Tue, 11/27/2012 - 07:24

Hi Cristian,

Please check this out:

CSCua89091 Bug Details

the local CA needs to support EKU and other necessary attributes

Symptom:
Currently the local CA server on the ASA doesn't support attributes like the EKU. This enhancement request is to add support for that.

Workaround:
configure cert matching on client profile

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

And the following:

DOC: Anyconnect supports specific Extended Key Usage attributes in certs

Symptom:
When using certificates with the AnyConnect client, if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication", then the AnyConnect client will reject the ASA's certificate as invalid. Similarly, the client's ID certificate also needs to be "client-authentication", otherwise the ASA will reject it.

Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".

Workaround:
Generate a new ID certificate with the correct Extended Key Usage

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

So at this point you would need to configure certificate matching or use a previous version of the AnyConnect client.

HTH.

Please rate any helpful posts
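Added example (editor's note, not code from the thread or from Cisco): the check the two bug notes above describe, reproduced with openssl so you can see it on your own side before touching the ASA. It builds three constructed self-signed certificates for abc.example.com (the placeholder host the thread itself uses): one with no Extended Key Usage at all, one with only clientAuth, and one with serverAuth (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1), then classifies each and reports the verdict CSCty61472 attributes to AnyConnect 3.1. It assumes openssl 1.1.1 or newer (for `-addext`); the `eku_state` and `gateway_verdict` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: model the EKU check AnyConnect 3.1 applies
# to the gateway certificate. The certs below are constructed stand-ins for the
# ASA identity cert; the thread's cert was 1024-bit RSA, 2048 is used here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [extra openssl req options]: self-signed cert + key in $WORK.
# Pass -addext 'extendedKeyUsage=serverAuth' to set an EKU; pass nothing for a
# cert with no EKU, which is what the bare "enrollment self" cert in the thread had.
make_cert() {
  cert_name=$1; shift
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj '/CN=abc.example.com' -addext 'subjectAltName=DNS:abc.example.com' \
    -keyout "$WORK/$cert_name.key" -out "$WORK/$cert_name.pem" "$@" 2>/dev/null
}

# eku_state CERT.pem: prints one of
#   absent         no Extended Key Usage extension at all
#   no-serverauth  EKU present, but id-kp-serverAuth (1.3.6.1.5.5.7.3.1) is not in it
#   serverauth     EKU includes id-kp-serverAuth
# Parsed from the -text dump, which every openssl version produces.
eku_state() {
  eku_txt=$(openssl x509 -in "$1" -noout -text \
            | grep -A1 'X509v3 Extended Key Usage' || true)
  if [ -z "$eku_txt" ]; then
    echo absent
  elif printf '%s\n' "$eku_txt" | grep -q 'TLS Web Server Authentication'; then
    echo serverauth
  else
    echo no-serverauth
  fi
}

# gateway_verdict CERT.pem: the behaviour CSCty61472 (quoted in the thread) gives
# AnyConnect 3.1: anything other than a serverAuth EKU is rejected as a gateway cert.
gateway_verdict() {
  if [ "$(eku_state "$1")" = serverauth ]; then echo accept; else echo reject; fi
}

make_cert noeku                                               # like the thread's original cert
make_cert clientonly -addext 'extendedKeyUsage=clientAuth'   # wrong EKU for a gateway
make_cert serverauth -addext 'extendedKeyUsage=serverAuth'   # what the 3.1 client wants

for n in noeku clientonly serverauth; do
  printf '%-11s eku=%-14s anyconnect-3.1=%s\n' \
    "$n" "$(eku_state "$WORK/$n.pem")" "$(gateway_verdict "$WORK/$n.pem")"
done
```

To run the same check against a real gateway, fetch what it actually presents with `openssl s_client -connect GATEWAY:443 -servername GATEWAY </dev/null 2>/dev/null | openssl x509 -noout -text` and read the "X509v3 Extended Key Usage" block; the `show crypto ca certificates` output pasted later in this thread does not list extensions, so the client side is where you see whether serverAuth is there.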



cristi_iconaru Tue, 11/27/2012 - 07:51

great!

I was on the same page trying to figure it out.

So basically the profile must be configured on the client PC to match the ASA self-signed cert attributes.

I only have the hostname defined in the cert.

Status: Available
  Certificate Serial Number: 111111
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=ASA-FW
  Subject Name:
    hostname=ASA-FW
  Validity Date:
    start date: 00:53:06 CEDT Apr 17 2012
    end   date: 00:53:06 CEDT Apr 15 2022
  Associated Trustpoints: SSL-Trustpoint

which attribute will it be?

Thanks.

jportugu Tue, 11/27/2012 - 08:09

Hi Cristian,

You could check for the CN value in the certificate:

CN

ASA-FW

HTH.

Please rate any helpful posts

cristi_iconaru Wed, 11/28/2012 - 02:11

what do you think? should i generate a new self signed cert?

this one is pretty basic.

crypto ca trustpoint SSL-Trustpoint
 enrollment self
 keypair sslvpnkeypair
 crl configure

It has no CN/FQDN/etc., only "Issued to", "Issued by" and the keys.

Thanks.

cristi_iconaru Wed, 11/28/2012 - 03:31

I added the CN, regenerated the cert, changed the Anyconnect profile and it works!

Thanks a lot!

cristi_iconaru Wed, 11/28/2012 - 05:08

Hi,

short question.

Is there a way to disable the warning generated from using self signed certs?

I would like to make the process as seamless as possible.

Thanks.

jportugu Wed, 11/28/2012 - 07:25

Hi Cristian,

For this message to go away, you need to install your ASA certificate on each machine (you can do it through the web browser).

HTH.

Portu.

Please rate any helpful posts

cristi_iconaru Thu, 11/29/2012 - 00:16

Hi Portu,

I've just tried; the connection works, but the warning keeps coming.

- CN=abc.example.com

- DNS - abc.example.com resolves to ASA_IP

- CN matches the DNS

- Certificate was installed on client PC

Where does the Anyconnect search/check for the certs?

Thanks.

cristi_iconaru Fri, 11/30/2012 - 05:21

Hi Portu,

I tried with a trial cert from Thawte but the warning keeps coming.

Any idea why?

Thanks.

Posted November 27, 2012 at 7:08 AM
Stats:
Replies:13 Avg. Rating:5
Views:8423 Votes:0
Shares:0
Categories: AnyConnect