Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1593
Views
0
Helpful
14
Replies

Anyconnect Cert Warning error when changes to xml file are made.

Go to solution
mahesh18
Level 6
Level 6

‎06-18-2014 02:41 PM - edited ‎02-21-2020 07:41 PM

 

Hi Everyone,

 

We have valid cert from CA and it is successfully installed on the ASA associated to ASA outside interface.

While using anyconnect ipsec IKeV2 with any connect pre deployment when i make change to anyconnect profile on ASA and user

connects first time he gets warning message  below

 

Security Warning Untrusted VPN Server Certificate

 

Options are

Connect Anyway             Cancel Connection

 

I click on connect anyway and anyconnect is connected.

Verified  that CN is set to FQDN.

We are not using SSL certificate.

when i connect second time above cert warning error does not comes.

This cert warning error comes only when changes are made to anyconnect profile and user connects again to ASA.

We are not using cert based authen.

 

Any ideas how can i fix this issue?

 

Regards

MAhesh

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 10:00 AM

You can remove and reinstall the CA certificate. It will require you first remove any configured services dependent on it, binding to the interface etc.

I'm not convinced that would fix what you're seeing though and it wouldn't be my first choice.

I'd first check things like why does the client not trust the certificate (checking for instance by simply browsing to the ASA interface and seeing what your browser reports as the issue  (Firefox and Chrome are both pretty useful in telling you of any issue with the certificate if you expand the details), what's the profile content and changes, etc.

Can you open a TAC case?

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 10:41 AM

Mahesh,

Your certificate (referenced in your links above) is the self-signed one created by the ASA and not the 3rd party CA-issued one. So you are getting both messages as the certificate information reports it is only valid for the device's IP address, not the FQDN ( = Common Name in X.509 lexicon) and it is self-signed by your device. Using Chrome browser (or Firefox) will allow you to see this information more readily than IE.

That would cause the problems you are reporting.

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-19-2014 07:15 AM

HI Mahesh,

I'm speculating a bit but as you know from earlier conversation the ASA client-services function is normally used to push out any profile updates during session establishment BEFORE IPsec is negotiated. That normally happens via SSL (and seamless SSL is based on the client trusting the ASA certificate).

Since you have chosen to not use that service, the ASA cannot update the profile until after IPsec has been established. Once the updated profile has been deployed, subsequent connections do not detect the change and try (unsuccessfully) to use the inactive client services feature.

I think maybe the developers did not anticipate people using IPsec IKEv2 without enabling SSL and client services. (Just my guess)

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 07:40 AM

 

Hi Marvin,

 

SSL port 443 is already enabled for client services.

Should i do wireshark packet capture?

if yes what should i look for?

Regards

Mahesh

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 07:53 AM

Mahesh,

How do you have client services enabled on port 443 and set a CN = FQDN if you're not using an SSL certificate?

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 08:00 AM

 

Hi Marvin,

We ordered general certificate say for server  not SSL cert.

If you remember i asked you in earlier post while ordering cert.

You told that we can order any general purpose server cert.

Regards

MAhesh

 

Regard

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 08:22 AM

An X.509 certificate is used to identify a server and the private/public keypair are used to encrypt/decrypt communications for services that are written to use the certificate.The transport mechanism for that secure communications is SSL. See http://en.wikipedia.org/wiki/Secure_Sockets_Layer

Different CA vendors package their offerings in ways that are part marketing / part technical. That doesn't change the underlying technology.

It's hard to say exactly what's happening with your certificate without examining it firsthand. If it's bound to your outside interface, the ASA trusts the issuing authority (potentially having loaded the intermediate certificate chain and trusted any intermediate CA) and is from a CA that your client trusts then you should never see an untrusted VPN server certificate warning.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 09:13 AM

 

Hi Marvin,

Cert is bounded to ASA outside interface.

Issue only occurs when changes are made to xml profile on

ASA and users connect first time after that.

Afterwards there is no cert warning

Is there any way i can reinstall the CA  cert?

Regards

MAhesh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 10:00 AM

You can remove and reinstall the CA certificate. It will require you first remove any configured services dependent on it, binding to the interface etc.

I'm not convinced that would fix what you're seeing though and it wouldn't be my first choice.

I'd first check things like why does the client not trust the certificate (checking for instance by simply browsing to the ASA interface and seeing what your browser reports as the issue  (Firefox and Chrome are both pretty useful in telling you of any issue with the certificate if you expand the details), what's the profile content and changes, etc.

Can you open a TAC case?

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 10:12 AM

 

Hi Marvin,

 

When i use IE to open  ASA outside interface i get

Shield icon

There is a problem with this website's security certificate.

 

 
 
 

 

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
 

We recommend that you close this webpage and do not continue to this website.

 

Recommended iconClick here to close this webpage.

 

Not recommended iconContinue to this website (not recommended).

Yes i can open TAC case

 

 

Regards

MAhesh

 

More information

More information

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 10:41 AM

Mahesh,

Your certificate (referenced in your links above) is the self-signed one created by the ASA and not the 3rd party CA-issued one. So you are getting both messages as the certificate information reports it is only valid for the device's IP address, not the FQDN ( = Common Name in X.509 lexicon) and it is self-signed by your device. Using Chrome browser (or Firefox) will allow you to see this information more readily than IE.

That would cause the problems you are reporting.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 04:15 PM

 

Hi Marvin,

 

I tested with firefox and here is error

 

The certificate is not trusted because it is self-signed. The certificate is only valid for x.x.x.x (IP of outside interface of ASA).

Even though ASA has no self signed cert.

Any idea how can i fix this?

Regards

Mahesh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-19-2014 04:53 PM

Yes, I saw that same error Mahesh.

You may have added an externally issued certificate but your ASA is most definitely using its self-signed certificate.

Look in ASDM under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and then click the Device Certificate button on the right. Make sure you have chosen the CA-issued certificate there.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-19-2014 05:03 PM

 

Hi MArvin,

 

I checked that already many times and again checked and cert is issued by CA.

Also CN shows xyz.com which is DNS   of outside IP of ASA.

Also when i run the command sh crypto ca cert

it shows issued by CA and also CN matches to DNS name of ASA outside IP.

Any next steps?

 

Regards

MAhesh

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎06-20-2014 06:16 AM

Mahesh,

You might try removing and replacing the certificate. For whatever reason, the solf-signed is showing as associated in the live configuration even though the cli shows otherwise.

If that fails, I'd open a TAC case.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎06-20-2014 07:04 PM

 

 

Hi Marvin,

 

Issue is solved.Cert was not linked to ASA physical interface.

Ran the below command

ssl trust-point my.digicert.trustpoint outside

after adding above config i do not see any invalid cert warning messages at all.

Do you why we need to link cert at two different places one is anyconnect and other is outside interface?

Thanks for guiding me step by step to fix the issue.

Regards

MAhesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents