
New Member

AnyConnect cert warning error when changes to XML file are made.

Hi Everyone,

We have a valid cert from the CA and it is successfully installed on the ASA, associated with the ASA outside interface.

While using AnyConnect IPsec IKEv2 with AnyConnect pre-deployment, when I make a change to the AnyConnect profile on the ASA and the user connects for the first time, he gets the warning message below:

Security Warning: Untrusted VPN Server Certificate

Options are:

Connect Anyway / Cancel Connection

I click on Connect Anyway and AnyConnect connects.

Verified that the CN is set to the FQDN.

We are not using an SSL certificate.

When I connect a second time, the above cert warning error does not come.

This cert warning error comes only when changes are made to the AnyConnect profile and the user connects again to the ASA.

We are not using cert-based authentication.

Any ideas how I can fix this issue?

Regards

Mahesh

14 REPLIES
Hall of Fame Super Silver

Hi Mahesh,

I'm speculating a bit but as you know from earlier conversation the ASA client-services function is normally used to push out any profile updates during session establishment BEFORE IPsec is negotiated. That normally happens via SSL (and seamless SSL is based on the client trusting the ASA certificate).

Since you have chosen to not use that service, the ASA cannot update the profile until after IPsec has been established. Once the updated profile has been deployed, subsequent connections do not detect the change and try (unsuccessfully) to use the inactive client services feature.

I think maybe the developers did not anticipate people using IPsec IKEv2 without enabling SSL and client services. (Just my guess)

New Member

Hi Marvin,

SSL port 443 is already enabled for client services.

Should I do a Wireshark packet capture?

If yes, what should I look for?

Regards

Mahesh

Hall of Fame Super Silver

Mahesh,

How do you have client services enabled on port 443 and set a CN = FQDN if you're not using an SSL certificate?

New Member

Hi Marvin,

We ordered a general certificate, say for a server, not an SSL cert.

If you remember, I asked you in an earlier post while ordering the cert.

You told me that we can order any general-purpose server cert.

Regards

Mahesh

Hall of Fame Super Silver

An X.509 certificate is used to identify a server and the private/public keypair are used to encrypt/decrypt communications for services that are written to use the certificate. The transport mechanism for that secure communication is SSL. See http://en.wikipedia.org/wiki/Secure_Sockets_Layer

Different CA vendors package their offerings in ways that are part marketing / part technical. That doesn't change the underlying technology.

It's hard to say exactly what's happening with your certificate without examining it firsthand. If it's bound to your outside interface, the ASA trusts the issuing authority (potentially having loaded the intermediate certificate chain and trusted any intermediate CA) and is from a CA that your client trusts then you should never see an untrusted VPN server certificate warning.

New Member

Hi Marvin,

The cert is bound to the ASA outside interface.

The issue only occurs when changes are made to the XML profile on the ASA and users connect for the first time after that.

Afterwards there is no cert warning.

Is there any way I can reinstall the CA cert?

Regards

Mahesh

Hall of Fame Super Silver

You can remove and reinstall the CA certificate. It will require you first remove any configured services dependent on it, binding to the interface etc.

I'm not convinced that would fix what you're seeing though and it wouldn't be my first choice.

I'd first check things like why does the client not trust the certificate (checking for instance by simply browsing to the ASA interface and seeing what your browser reports as the issue  (Firefox and Chrome are both pretty useful in telling you of any issue with the certificate if you expand the details), what's the profile content and changes, etc.

Can you open a TAC case?

New Member

Hi Marvin,

When I use IE to open the ASA outside interface I get:

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.

Continue to this website (not recommended).

Yes, I can open a TAC case.

Regards

Mahesh

Hall of Fame Super Silver

Mahesh,

Your certificate (referenced in your links above) is the self-signed one created by the ASA and not the 3rd party CA-issued one. So you are getting both messages as the certificate information reports it is only valid for the device's IP address, not the FQDN ( = Common Name in X.509 lexicon) and it is self-signed by your device. Using Chrome browser (or Firefox) will allow you to see this information more readily than IE.

That would cause the problems you are reporting.

New Member

Hi Marvin,

I tested with Firefox and here is the error:

The certificate is not trusted because it is self-signed. The certificate is only valid for x.x.x.x (IP of outside interface of ASA).

Even though the ASA has no self-signed cert.

Any idea how I can fix this?

Regards

Mahesh

Hall of Fame Super Silver

Yes, I saw that same error Mahesh.

You may have added an externally issued certificate but your ASA is most definitely using its self-signed certificate.

Look in ASDM under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and then click the Device Certificate button on the right. Make sure you have chosen the CA-issued certificate there.

New Member

Hi Marvin,

I checked that already many times, and checked again: the cert is issued by the CA.

Also the CN shows xyz.com, which is the DNS name of the outside IP of the ASA.

Also when I run the command sh crypto ca cert it shows issued by the CA and the CN matches the DNS name of the ASA outside IP.

Any next steps?

Regards

Mahesh

Hall of Fame Super Silver

Mahesh,

You might try removing and replacing the certificate. For whatever reason, the self-signed one is showing as associated in the live configuration even though the CLI shows otherwise.

If that fails, I'd open a TAC case.

New Member

Hi Marvin,

Issue is solved. The cert was not linked to the ASA physical interface.

Ran the below command:

ssl trust-point my.digicert.trustpoint outside

After adding the above config I do not see any invalid cert warning messages at all.

Do you know why we need to link the cert at two different places, one in AnyConnect and the other on the outside interface?

Thanks for guiding me step by step to fix the issue.

Regards

Mahesh
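A scripted form of the check Marvin suggests (look at what the ASA outside interface actually presents and why a client would distrust it), worth running before and after binding the trust-point with ssl trust-point ... outside. This is an added example, not code from the thread or from Cisco; the host names, IP and CA name in the samples are constructed, and the dict layout is the one Python's ssl getpeercert() returns.

```python
import socket
import ssl


def _names(cert):
    """Collect the subject CN and every DNS/IP SAN from a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value.lower())
    return names


def classify_peer_cert(cert, expected_fqdn):
    """Return the reasons a VPN client would distrust this certificate.
    An empty list means the name matches and the cert is not self-signed."""
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")
    if expected_fqdn.lower() not in _names(cert):
        problems.append("name-mismatch")
    return problems


def probe(host, port=443, expected_fqdn=None):
    """Live check against the interface: returns the OS verify failure text
    (e.g. 'self-signed certificate') or the classification of the cert."""
    expected_fqdn = expected_fqdn or host
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_fqdn) as tls:
                return classify_peer_cert(tls.getpeercert(), expected_fqdn)
    except ssl.SSLCertVerificationError as err:
        return [err.verify_message]


# Constructed sample: the ASA's own self-signed cert, issued to its IP only,
# which is what the browser reported before the trust-point was bound.
ASA_SELF_SIGNED = {
    "subject": ((("commonName", "192.0.2.1"),),),
    "issuer": ((("commonName", "192.0.2.1"),),),
}
# Constructed sample: a CA-issued cert whose CN and SAN carry the FQDN.
CA_ISSUED = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
```

Wildcard SANs are not matched here; probe() is the only function that touches the network, and with a correctly bound CA-issued cert it returns an empty list.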
