New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi guys,

I have a problem with the Anyconnect 3.1.01065.

When I try to connect I get the error "The certificate on the secured gateway is invalid. A VPN connection will not be established".

The Certificate is a self signed cert.

Anyconnect 2.5 works without problems.

ASA image: 8.4(2).

[27.11.2012 15:58:27] Ready to connect.
[27.11.2012 16:01:49] Contacting IP_WAN.
[27.11.2012 16:01:52] Please enter your username and password.
[27.11.2012 16:02:01] User credentials entered.
[27.11.2012 16:02:02] Establishing VPN session...
[27.11.2012 16:02:03] Checking for profile updates...
[27.11.2012 16:02:03] Checking for product updates...
[27.11.2012 16:02:03] Checking for customization updates...
[27.11.2012 16:02:03] Performing any required updates...
[27.11.2012 16:02:08] Establishing VPN session...
[27.11.2012 16:02:08] Establishing VPN - Initiating connection...
[27.11.2012 16:02:09] Disconnect in progress, please wait...
[27.11.2012 16:02:13] Connection attempt has failed.

Has anyone had this issue before?

Thanks a lot.

ACCEPTED SOLUTION

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi Cristian,

Please check this out:

CSCua89091 Bug Details

The local CA needs to support EKU and other necessary attributes

Symptom:
Currently the local CA server on the ASA doesn't support attributes like the EKU. This enhancement request is to add support for that.

Workaround:
Configure cert matching on client profile

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCua89091

And the following:

DOC: Anyconnect supports specific Extended Key Usage attributes in certs

Symptom:
When using certificates with the AnyConnect client, if the certificate installed on the ASA doesn't have the EKU attribute set to "server-authentication", then the AnyConnect client will reject the ASA's certificate as invalid. Similarly, the client's ID certificate also needs to be "client-authentication", otherwise the ASA will reject it.

Conditions:
Use an id certificate on the ASA that has an EKU other than "server-authentication".
Use an id certificate on the client that has an EKU other than "client-authentication".

Workaround:
Generate a new ID certificate with the correct Extended Key Usage

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty61472

So at this point you would need to configure certificate matching or use a previous version of the AnyConnect client.

HTH.

Please rate any helpful posts
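The two EKU rules in the bug notes above (serverAuth on the gateway's certificate, clientAuth on the client's) and the name check that comes up later in the thread (the certificate must carry the name the client dials) can be verified offline with OpenSSL before touching the ASA. The following script is an added example and is not code from the thread, from Cisco or from AnyConnect: it builds four constructed self-signed certificates and applies those checks to each the way a strict client would. The FQDN asa.example.com, the file names and the helper names mk_cert and check_gateway_cert are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: build a few
# self-signed "gateway" certificates with OpenSSL and apply the two rules
# the bug notes state (EKU must include serverAuth; the name the client
# dials must be in the certificate). File names and the FQDN are assumed.
set -u

WORK="$(mktemp -d)"
GW_NAME="asa.example.com"   # assumed gateway FQDN; the thread's ASA uses CN=ASA-FW

# mk_cert STEM CN SAN EKU: self-signed cert; SAN and EKU may be "" to omit them.
# Needs OpenSSL 1.1.1 or newer for -addext.
mk_cert() {
    stem="$1"; cn="$2"; san="$3"; eku="$4"
    set -- openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$WORK/$stem.key" -out "$WORK/$stem.pem"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=DNS:$san"
    [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
    "$@" 2>/dev/null
}

# check_gateway_cert CERT HOST: print "ok" or the reason a strict client
# such as AnyConnect 3.1 (per CSCty61472) would reject the certificate.
check_gateway_cert() {
    cert="$1"; host="$2"
    text="$(openssl x509 -in "$cert" -noout -text)"

    # 1. EKU must be present and contain id-kp-serverAuth.
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        echo "reject: no extendedKeyUsage extension"; return 0
    fi
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
            | grep -q 'TLS Web Server Authentication'; then
        echo "reject: EKU lacks serverAuth"; return 0
    fi

    # 2. The dialled name must appear in the SAN; fall back to the subject CN
    #    only when the certificate carries no dNSName at all.
    if printf '%s\n' "$text" | grep -q 'DNS:'; then
        if ! printf '%s\n' "$text" | grep -qE "DNS:$host(,|$)"; then
            echo "reject: SAN does not contain $host"; return 0
        fi
    else
        cn="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
              | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
        if [ "$cn" != "$host" ]; then
            echo "reject: no SAN and CN '$cn' != $host"; return 0
        fi
    fi
    echo ok
}

# Constructed test certificates.
mk_cert good       "$GW_NAME" "$GW_NAME" serverAuth   # what the client wants
mk_cert noeku      ASA-FW     ""         ""           # like an 'enrollment self' cert with no EKU
mk_cert clientonly "$GW_NAME" "$GW_NAME" clientAuth   # wrong role for a gateway
mk_cert cnonly     ASA-FW     ""         serverAuth   # no SAN, so the CN is all a client can match

for c in good noeku clientonly cnonly; do
    printf '%-10s %s\n' "$c" "$(check_gateway_cert "$WORK/$c.pem" "$GW_NAME")"
done
printf '%-10s %s\n' "cnonly" "$(check_gateway_cert "$WORK/cnonly.pem" ASA-FW)"
# Certificates are left in $WORK for inspection with 'openssl x509 -text'.
```

Run it with sh. The noeku case is what a self-signed ASA certificate without an EKU looks like to the client, and clientonly shows that a certificate with the wrong role is rejected even when the name is right; cnonly passes only when the client is pointed at the exact CN, which is the situation the thread ends up in. To check the certificate a live gateway actually serves, feed check_gateway_cert the first certificate from `openssl s_client -connect <gateway>:443 -showcerts </dev/null 2>/dev/null | openssl x509`.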



13 REPLIES

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Further information:

AnyConnect Profile Editor, Certificate Matching

HTH.

Portu.

Please rate any helpful posts

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Great!

I was on the same page trying to figure it out.

So basically the profile must be configured on the client PC to match the ASA self-signed cert attributes.

I only have the hostname defined in the cert.

Status: Available
  Certificate Serial Number: 111111
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=ASA-FW
  Subject Name:
    hostname=ASA-FW
  Validity Date:
    start date: 00:53:06 CEDT Apr 17 2012
    end   date: 00:53:06 CEDT Apr 15 2022
  Associated Trustpoints: SSL-Trustpoint

which attribute will it be?

Thanks.

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi Cristian,

You could check for the CN value in the certificate:

CN = ASA-FW

HTH.

Please rate any helpful posts

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi,

I'll try it tomorrow and let you know.

Thanks.

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Sounds good to me

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

I've tried it with the following profile but it doesn't work. Same error.

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
   <CertificateMatch>
       <DistinguishedName>
           <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
               <Name>CN</Name>
               <Pattern>ASA-FW</Pattern>
           </DistinguishedNameDefinition>
       </DistinguishedName>
   </CertificateMatch>
</AnyConnectProfile>

Thanks.

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

What do you think? Should I generate a new self-signed cert?

This one is pretty basic.

crypto ca trustpoint SSL-Trustpoint
 enrollment self
 keypair sslvpnkeypair
 crl configure

It has no CN/FQDN/etc., only "Issued to", "Issued by" and the keys.

Thanks.

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

I added the CN, regenerated the cert, changed the Anyconnect profile and it works!

Thanks a lot!

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi,

Short question.

Is there a way to disable the warning generated from using self signed certs?

I would like to make the process as seamless as possible.

Thanks.

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi Cristian,

For this message to go away, you need to install your ASA certificate on each machine (you can do it through the web browser).

HTH.

Portu.

Please rate any helpful posts

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi Portu,

I've just tried, the connection works but the warning keeps coming.

- CN=abc.example.com

- DNS - abc.example.com resolves to ASA_IP

- CN matches the DNS

- Certificate was installed on client PC

Where does the Anyconnect search/check for the certs?

Thanks.
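Before trusting a gateway certificate a client makes three checks: the chain ends at a certificate it holds as a trust anchor, the certificate is usable for TLS server authentication, and the name dialled (abc.example.com in the post above) appears in it. The following script is an added example, not code from the thread or from Cisco: it generates a constructed self-signed gateway certificate and runs those checks with openssl verify, modelling the "certificate installed on the client PC" situation by passing the certificate itself as the trust file. The temporary paths and the function name verify_as_client are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: reproduce with
# 'openssl verify' the three checks a client makes before trusting a gateway
# certificate, so that "installed the cert but still get the warning" can be
# narrowed down offline. Paths, the FQDN and the function name are assumed.
set -u

WORK="$(mktemp -d)"
GW_NAME="abc.example.com"   # the name from the post; assumed to be what the client dials

# Constructed self-signed gateway certificate with a proper SAN and EKU
# (OpenSSL 1.1.1 or newer for -addext).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$GW_NAME" \
    -addext "subjectAltName=DNS:$GW_NAME" -addext "extendedKeyUsage=serverAuth" \
    -keyout "$WORK/asa.key" -out "$WORK/asa.pem" 2>/dev/null

# verify_as_client CERT HOST [TRUSTFILE]: print "trusted" or "untrusted".
# TRUSTFILE plays the role of the client's root store; empty means nothing
# was installed, and the default CA file/directory are switched off so the
# result does not depend on the machine running the script.
verify_as_client() {
    cert="$1"; host="$2"; trust="${3:-}"
    if [ -n "$trust" ]; then
        set -- -CAfile "$trust"
    else
        set -- -no-CAfile -no-CApath
    fi
    if openssl verify "$@" -purpose sslserver -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

echo "no anchor installed:        $(verify_as_client "$WORK/asa.pem" "$GW_NAME")"
echo "cert itself as anchor:      $(verify_as_client "$WORK/asa.pem" "$GW_NAME" "$WORK/asa.pem")"
echo "anchor ok, wrong host name: $(verify_as_client "$WORK/asa.pem" other.example.com "$WORK/asa.pem")"
```

The first call is the default outcome for a self-signed certificate: it stays untrusted until the client holds it as an anchor, so importing it into a personal or intermediate store does nothing; it has to land in the store the client consults for roots. The third call shows that trust alone is not enough, the dialled name still has to match. To see what a real client sees, feed it the chain the gateway actually sends (`openssl s_client -connect <gateway>:443 -showcerts </dev/null` prints it); a missing intermediate shows up there as a verification failure even with a commercially issued certificate.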

New Member

Anyconnect 3.1 - The certificate on the secured gateway is invalid

Hi Portu,

I tried with a trial cert from Thawte but the warning keeps coming.

Any idea why?

Thanks.
