New Member

ASA unwanted certificate

Hi there,

Thanks for reading!

We've got a Series 800 SOHO with Ezvpn running. It gets connected to our internal network through our ASA 5520 just fine. We have clients on the SOHO side which can ping and RDC to servers inside our network.

The SOHO clients are using MS Lync 2013 (instant messenger), which fails. Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving it from the internal Lync server. Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.

Any thoughts on this?

Thanks!

Bob

5 REPLIES
Cisco Employee

Hi Bob,

If you are getting the ASA certificate, then there is a problem. Could you please paste the ASA config?

The ASA should never intercept the communication unless it thinks it owns that thing... please also provide the source and destination addresses.

Moh.

New Member

Hi Moh,

Thanks for writing.

The behavior is unexpected. The capture shows client-side SIP-TLS / Client Hello packets getting all the way to their appropriate internal server destination. The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) name a specific CAP-RTP-001 certificate that is part of the 5520 configuration.

The client application throws a certificate error, apparently having received a certificate other than that from the intended server.

The senior guys around here would drag their feet about an entire copy / paste of our FW config.  Are there relevant sections you'd like to see which I can snippet into this thread?

Thanks again for weighing in!

Bob

Cisco Employee

So it seems you have a SIP proxy on the ASA that intercepts SIPS from the clients.

New Member

Hi Moh,

I have an answer.

This is expected behavior (although it was new to me). We had configured a TLS Proxy, so it was handling TLS requests according to our configuration. We have staff who work from home with VOIP phones and need to have the firewall hand out certs to those clients.

We found that we were inspecting SIP in our phone proxy policy map and that was the connection. We modified that map to exclude SIP from inspection, and those packets are now getting to their destination and the Lync clients are working.

Thanks again for your willingness!

Bob
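For readers who hit the same symptom, here is an added illustration of the kind of change Bob describes. It is a constructed ASA configuration fragment, not the poster's configuration and not taken from this thread: the ACL and class-map names, the phone-proxy name HOME_PHONE_PROXY and the Lync front-end address 10.0.0.50 are all placeholders. The idea is to keep `inspect sip phone-proxy` for the home VOIP phones (which are supposed to get the ASA's certificate) while excluding the Lync front-end from the inspection class, so Lync clients negotiate TLS end to end with the real server and receive its own certificate.

```cisco
! Constructed example, not the poster's config. Names and addresses are placeholders.
! Traffic that is denied by this ACL never matches the inspection class, so the
! Lync front-end (placeholder 10.0.0.50) is exempt from SIP inspection / TLS proxying.
access-list SIP_INSPECT_TRAFFIC extended deny tcp any host 10.0.0.50 eq 5061
! Everything else on 5061 (the home VOIP phones) still goes through the phone proxy.
access-list SIP_INSPECT_TRAFFIC extended permit tcp any any eq 5061
!
class-map SIP_TLS_PHONES
 match access-list SIP_INSPECT_TRAFFIC
!
policy-map global_policy
 class SIP_TLS_PHONES
  inspect sip phone-proxy HOME_PHONE_PROXY
!
service-policy global_policy global
```

After applying something like this, `show service-policy inspect sip` shows which class the SIP inspection is attached to and its counters, and a fresh capture of a Lync client's Server Hello should now carry the server's own (GoDaddy) certificate instead of the ASA's CAP-RTP-001 certificate. Keep the phone-proxy class scoped as tightly as the ACL allows: any SIP/TLS destination left inside it will keep receiving the firewall's certificate, which is exactly the symptom this thread started with.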

Hall of Fame Super Silver

Thanks for posting the resolution. +5