Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi guys,

I have a problem with the Anyconnect 3.1.01065.

When I try to connect I get the "The certificate on the secured gateway is invalid. A VPN connection will not be established".

The Certificate is a self signed cert.

Anyconnect 2.5 works without problems.

ASA image: 8.4(2).

[27.11.2012 15:58:27] Ready to connect.

[27.11.2012 16:01:49] Contacting IP_WAN.

[27.11.2012 16:01:52] Please enter your username and password.

[27.11.2012 16:02:01] User credentials entered.

[27.11.2012 16:02:02] Establishing VPN session...

[27.11.2012 16:02:03] Checking for profile updates...

[27.11.2012 16:02:03] Checking for product updates...

[27.11.2012 16:02:03] Checking for customization updates...

[27.11.2012 16:02:03] Performing any required updates...

[27.11.2012 16:02:08] Establishing VPN session...

[27.11.2012 16:02:08] Establishing VPN - Initiating connection...

[27.11.2012 16:02:09] Disconnect in progress, please wait...

[27.11.2012 16:02:13] Connection attempt has failed.

Has anyone had this issue before?

Thanks a lot.

Accepted Solution:

Hi Cristian,

Please check this out:

CSCua89091 Bug Details

the local CA needs to support EKU and other necessary attributes

Symptom:
Currently the local CA server on the ASA doesn't support attributes like the EKU. This enhancement request is to add support for that.

Workaround:
configure cert matching on client profile

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

And the following:

DOC: Anyconnect supports specific Extended Key Usage attributes in certs

Symptom:
When using certificates with the anyconnect client if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication" then the anyconnect client will reject the ASA's certificate as invalid. Similarly the client's id certificate also needs to be "client-authentication" otherwise the ASA will reject it.

Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".

Workaround:
Generate a new ID certificate with the correct Extended Key Usage

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

So at this point you would need to configure certificate matching or use a previous version of the AnyConnect client.

HTH.

Please rate any helpful posts




Further information:

AnyConnect Profile Editor, Certificate Matching

HTH.

Portu.

Please rate any helpful posts

great!

I was on the same page trying to figure it out.

So basically the profile must be configured on the client PC to match the ASA self signed cert attributes.

I only have the hostname defined in the cert.

Status: Available

  Certificate Serial Number: 111111

  Certificate Usage: General Purpose

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=ASA-FW

  Subject Name:

    hostname=ASA-FW

  Validity Date:

    start date: 00:53:06 CEDT Apr 17 2012

    end   date: 00:53:06 CEDT Apr 15 2022

  Associated Trustpoints: SSL-Trustpoint

which attribute will it be?

Thanks.

Hi Cristian,

You could check for the CN value in the certificate:

CN

ASA-FW

HTH.

Please rate any helpful posts

Hi,

I'll try it tomorrow and let you know.

Thanks.

Sounds good to me

I've tried it with the following profile but it doesn't work. Same error.

http://schemas.xmlsoap.org/encoding/">
            CN
            ASA-FW

Thanks.
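For reference, this is what a complete AnyConnect client profile with the CN match that Portu suggests looks like; it is an added example, not the poster's file. The namespace is the one visible in the fragment above, the CN value is the one from the "show crypto ca certificates" output, and the host address in the server list is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an AnyConnect client profile (not the poster's file).
     The certificate match looks for a subject CN equal to "ASA-FW", the
     value shown in the "show crypto ca certificates" output in this thread. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <!-- Operator="Equal" requires the CN to match exactly; Wildcard="Disabled"
             keeps a certificate such as "ASA-FW2" from matching by accident. -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>CN</Name>
          <Pattern>ASA-FW</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder entry: use the ASA's public name or address (IP_WAN in the log above). -->
      <HostName>ASA-FW</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

AnyConnect refreshes its profile from the ASA at connect time (the "Checking for profile updates..." step in the log above), so a copy edited only on the PC is replaced on the next connection; the profile has to be uploaded to the ASA and assigned to the group policy the user lands in.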

What do you think? Should I generate a new self signed cert?

This one is pretty basic.

crypto ca trustpoint SSL-Trustpoint

enrollment self

keypair sslvpnkeypair

crl configure

It has no CN/FQDN/etc., only "Issued to", "Issued by" and the keys.

Thanks.

I added the CN, regenerated the cert, changed the Anyconnect profile and it works!

Thanks a lot!

Hi,

Short question.

Is there a way to disable the warning generated from using self signed certs?

I would like to make the process as seamless as possible.

Thanks.

Hi Cristian,

For this message to go away, you need to install your ASA certificate on each machine (you can do it through the web browser).

HTH.

Portu.

Please rate any helpful posts

Hi Portu,

I've just tried, the connection works but the warning keeps coming.

- CN=abc.example.com

- DNS - abc.example.com resolves to ASA_IP

- CN matches the DNS

- Certificate was installed on client PC

Where does the Anyconnect search/check for the certs?

Thanks.

Hi Portu,

I tried with a trial cert from Thawte but the warning keeps coming.

Any idea why?

Thanks.

I have the same problem too. I am using version 4.4.02039 with Mac OS 10.13.2 (17C88) (High Sierra).
