06-18-2014 02:41 PM - edited 02-21-2020 07:41 PM
Hi Everyone,
We have a valid cert from a CA and it is successfully installed on the ASA, associated with the ASA outside interface.
While using AnyConnect IPsec IKEv2 with AnyConnect pre-deployment, when I make a change to the AnyConnect profile on the ASA and the user
connects for the first time, he gets the warning message below:
Security Warning: Untrusted VPN Server Certificate
Options are:
Connect Anyway / Cancel Connection
I click on Connect Anyway and AnyConnect is connected.
Verified that CN is set to the FQDN.
We are not using an SSL certificate.
When I connect a second time, the above cert warning error does not come.
This cert warning error comes only when changes are made to the AnyConnect profile and the user connects again to the ASA.
We are not using cert-based authentication.
Any ideas how I can fix this issue?
Regards
Mahesh
06-19-2014 07:15 AM
Hi Mahesh,
I'm speculating a bit but as you know from earlier conversation the ASA client-services function is normally used to push out any profile updates during session establishment BEFORE IPsec is negotiated. That normally happens via SSL (and seamless SSL is based on the client trusting the ASA certificate).
Since you have chosen to not use that service, the ASA cannot update the profile until after IPsec has been established. Once the updated profile has been deployed, subsequent connections do not detect the change and try (unsuccessfully) to use the inactive client services feature.
I think maybe the developers did not anticipate people using IPsec IKEv2 without enabling SSL and client services. (Just my guess)
06-19-2014 07:40 AM
Hi Marvin,
SSL port 443 is already enabled for client services.
Should I do a Wireshark packet capture?
If yes, what should I look for?
Regards
Mahesh
06-19-2014 07:53 AM
Mahesh,
How do you have client services enabled on port 443 and set a CN = FQDN if you're not using an SSL certificate?
06-19-2014 08:00 AM
Hi Marvin,
We ordered a general certificate, say for a server, not an SSL cert.
If you remember, I asked you in an earlier post while ordering the cert.
You told me that we can order any general-purpose server cert.
Regards
Mahesh
06-19-2014 08:22 AM
An X.509 certificate is used to identify a server and the private/public keypair are used to encrypt/decrypt communications for services that are written to use the certificate. The transport mechanism for that secure communications is SSL. See http://en.wikipedia.org/wiki/Secure_Sockets_Layer
Different CA vendors package their offerings in ways that are part marketing / part technical. That doesn't change the underlying technology.
It's hard to say exactly what's happening with your certificate without examining it firsthand. If it's bound to your outside interface, the ASA trusts the issuing authority (potentially having loaded the intermediate certificate chain and trusted any intermediate CA) and is from a CA that your client trusts then you should never see an untrusted VPN server certificate warning.
06-19-2014 09:13 AM
Hi Marvin,
Cert is bound to the ASA outside interface.
The issue only occurs when changes are made to the XML profile on the
ASA and users connect for the first time after that.
Afterwards there is no cert warning.
Is there any way I can reinstall the CA cert?
Regards
Mahesh
06-19-2014 10:00 AM
You can remove and reinstall the CA certificate. It will require you first remove any configured services dependent on it, binding to the interface etc.
I'm not convinced that would fix what you're seeing though and it wouldn't be my first choice.
I'd first check things like why does the client not trust the certificate (checking for instance by simply browsing to the ASA interface and seeing what your browser reports as the issue (Firefox and Chrome are both pretty useful in telling you of any issue with the certificate if you expand the details), what's the profile content and changes, etc.
Can you open a TAC case?
06-19-2014 10:12 AM
Hi Marvin,
When I use IE to open the ASA outside interface I get:
There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
Yes, I can open a TAC case.
Regards
Mahesh
06-19-2014 10:41 AM
Mahesh,
Your certificate (referenced in your links above) is the self-signed one created by the ASA and not the 3rd party CA-issued one. So you are getting both messages as the certificate information reports it is only valid for the device's IP address, not the FQDN ( = Common Name in X.509 lexicon) and it is self-signed by your device. Using Chrome browser (or Firefox) will allow you to see this information more readily than IE.
That would cause the problems you are reporting.
06-19-2014 04:15 PM
Hi Marvin,
I tested with Firefox and here is the error:
The certificate is not trusted because it is self-signed. The certificate is only valid for x.x.x.x (IP of the outside interface of the ASA).
Even though the ASA has no self-signed cert.
Any idea how I can fix this?
Regards
Mahesh
06-19-2014 04:53 PM
Yes, I saw that same error Mahesh.
You may have added an externally issued certificate but your ASA is most definitely using its self-signed certificate.
Look in ASDM under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and then click the Device Certificate button on the right. Make sure you have chosen the CA-issued certificate there.
06-19-2014 05:03 PM
Hi Marvin,
I checked that already many times and checked again, and the cert is issued by the CA.
Also, CN shows xyz.com, which is the DNS name of the outside IP of the ASA.
Also, when I run the command sh crypto ca cert
it shows issued by the CA and also the CN matches the DNS name of the ASA outside IP.
Any next steps?
Regards
Mahesh
06-20-2014 06:16 AM
Mahesh,
You might try removing and replacing the certificate. For whatever reason, the self-signed one is showing as associated in the live configuration even though the CLI shows otherwise.
If that fails, I'd open a TAC case.
06-20-2014 07:04 PM
Hi Marvin,
Issue is solved. The cert was not linked to the ASA physical interface.
Ran the below command:
ssl trust-point my.digicert.trustpoint outside
After adding the above config I do not see any invalid cert warning messages at all.
Do you know why we need to link the cert at two different places, one in AnyConnect and the other on the outside interface?
Thanks for guiding me step by step to fix the issue.
Regards
Mahesh
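The browser test Marvin suggests (browse to the ASA's outside interface and read what the certificate actually says) can be scripted so it is repeatable after a profile push or a trust-point change. The following is an added example, not code from the thread or from Cisco. It checks the two findings the thread ends up with: the presented certificate is self-signed (issuer equals subject) and its only name is the interface IP rather than the FQDN users connect to. `diagnose()` works offline on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; `fetch_and_diagnose()` connects to a host like a browser would (the host name, port and reachability are assumptions). The two sample certificates are constructed to mirror what the thread describes and are not real certificates.

```python
"""Diagnose why a VPN head-end certificate is distrusted (added example).

Checks the two failure modes reported in the thread: a self-signed
certificate, and a certificate whose names do not include the FQDN that
users type into the VPN client. Standard library only.
"""
import socket
import ssl


def _attr_values(rdn_sequence, attr="commonName"):
    """Collect attribute values (default: CN) from a getpeercert()
    'subject' or 'issuer' tuple-of-RDNs structure."""
    return [value for rdn in rdn_sequence for (key, value) in rdn if key == attr]


def diagnose(cert, expected_fqdn):
    """Return a list of human-readable findings; an empty list means the
    certificate is not self-signed and covers expected_fqdn.

    cert: dict in the format returned by ssl.SSLSocket.getpeercert().
    expected_fqdn: the name users connect to (CN/SAN should cover it).
    """
    findings = []
    subject_cn = _attr_values(cert.get("subject", ()))
    issuer_cn = _attr_values(cert.get("issuer", ()))

    # A self-signed certificate carries the same Name as issuer and subject.
    if cert.get("subject") == cert.get("issuer"):
        findings.append(
            f"self-signed: issuer CN {issuer_cn} equals subject CN {subject_cn}")

    # Names the certificate is valid for: CN plus any DNS / IP SAN entries.
    san = cert.get("subjectAltName", ())
    dns_names = [v for (kind, v) in san if kind == "DNS"]
    ip_names = [v for (kind, v) in san if kind == "IP Address"]
    presented = {n.lower() for n in subject_cn + dns_names + ip_names}
    if expected_fqdn.lower() not in presented:
        findings.append(
            f"name mismatch: expected {expected_fqdn!r}, "
            f"certificate is valid for {sorted(presented)}")
    return findings


def fetch_and_diagnose(host, port=443, timeout=5.0):
    """Connect with the OS trust store, as a browser does, and report.

    If verification fails, the OpenSSL verify message (for example a
    self-signed or hostname-mismatch reason) is returned as the finding.
    host/port are assumptions; this is not exercised offline.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return diagnose(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"verification failed: {exc.verify_message}"]


# Constructed sample mirroring what the thread's ASA presented: a self-signed
# certificate whose only name is the outside-interface IP (x.x.x.x in the
# thread; 203.0.113.10 is a documentation address used here as a stand-in).
ASA_SELF_SIGNED = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "issuer": ((("commonName", "203.0.113.10"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}

# Constructed sample of the CA-issued certificate the author expected:
# CN equal to the FQDN, issued by a separate CA Name.
CA_ISSUED = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("ASA self-signed", ASA_SELF_SIGNED),
                        ("CA-issued", CA_ISSUED)):
        print(label, "->", diagnose(cert, "vpn.example.com") or ["ok"])
```

Run against the head-end with `fetch_and_diagnose("vpn.example.com")` after changing the trust-point binding; an empty list means clients built on the same trust store will stop seeing the untrusted-server warning, and a remaining finding tells you which of the two conditions (wrong issuer or wrong name) is still in force.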