ASA unwanted certificate

Bob Greer
Level 4

Hi there,

Thanks for reading!

We've got a Series 800 SOHO with Ezvpn running.  It gets connected to our internal network through our ASA 5520 just fine.  We have clients on the SOHO side which can ping and RDC to servers inside our network.

The SOHO clients are using MS Lync 2013 (instant messenger) which fails.  Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving from the internal Lync server.  Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.

Any thoughts on this?

Thanks!

Bob

5 Replies

Mohammad Alhyari
Cisco Employee

Hi Bob,

If you are getting the ASA certificate, then there is a problem? Could you please paste the ASA config?

The ASA should never intercept the communication unless it thinks it owns that thing... Please also provide the source and destination addresses.

Moh.

Hi Moh,

Thanks for writing.

The behavior is unexpected.  The capture shows client-side SIP-TLS / Client Hello packets getting all the way to their appropriate internal server destination.  The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) name a specific CAP-RTP-001 certificate that is part of the 5520 configuration.

The client application throws a certificate error, apparently having received a certificate other than that from the intended server.

The senior guys around here would drag their feet about an entire copy / paste of our FW config.  Are there relevant sections you'd like to see which I can snippet into this thread?

Thanks again for weighing in!

Bob

So it seems you have a SIP proxy on the ASA that intercepts SIP from the clients.

Hi Moh,

I have an answer.

This is expected behavior (although it was new to me).  We had configured a TLS Proxy so it was handling TLS requests according to our configuration.  We have staff who work from home with VOIP phones and need to have the firewall hand out certs to those clients.

We found that we were inspecting SIP in our phone proxy policy map and that was the connection.  We modified that map to exclude SIP from inspection and those packets are now getting to their destination and the Lync clients are working.

Thanks again for your willingness!

Bob
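To illustrate the cause Bob describes above, here is a constructed ASA policy fragment (an added example, not the thread's actual configuration): a broad SIP-inspection class that sends every TCP/5061 flow through the phone-proxy TLS proxy, beside a version scoped to the VoIP call manager only. All names and addresses (ALL_SIP_TLS, REMOTE_PHONES, PHONE_PROXY_SIP, 10.10.20.10, 10.10.20.30) are placeholders, and the exact Lync port is assumed to be 5061.

```cisco
! --- Before (constructed): every TCP/5061 flow crossing the ASA is SIP-inspected
! --- and handed to the phone-proxy TLS proxy, so remote Lync clients receive
! --- the ASA's own certificate in the Server Hello instead of the Lync server's.
class-map ALL_SIP_TLS
 match port tcp eq 5061
!
policy-map global_policy
 class ALL_SIP_TLS
  inspect sip phone-proxy REMOTE_PHONES
!
! --- After (constructed): restrict SIP inspection / TLS proxying to flows that
! --- actually go to the VoIP call manager (10.10.20.10). Lync traffic to the
! --- Lync front end (10.10.20.30) no longer matches, so it passes untouched and
! --- the client sees the Lync server's real (GoDaddy-signed) certificate.
access-list PHONE_PROXY_SIP extended permit tcp any host 10.10.20.10 eq 5061
!
class-map PHONE_PROXY_SIP_TLS
 match access-list PHONE_PROXY_SIP
!
policy-map global_policy
 no class ALL_SIP_TLS
 class PHONE_PROXY_SIP_TLS
  inspect sip phone-proxy REMOTE_PHONES
!
! --- Verification (constructed): the Lync server's 5061 connections should no
! --- longer appear under SIP inspection, while the phone-proxy flows still do.
show service-policy inspect sip
show conn address 10.10.20.30 port 5061 detail
```

A packet capture on the outside interface, as in the original post, is the final check: the Server Hello for the Lync session should now carry the Lync server's certificate rather than the ASA trustpoint's.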

Thanks for posting the resolution. +5
