Anyconnect fails at first attempt (certificate authentication)

Piotr Strozek
Level 1

Hi,

I'm trying to set up VPN with ASA 8.2(5) and AnyConnect 3.0.4235. The goal is to force users to connect from registered machines only (WinXP & Win7 x32 and x64). To do this, I used machine certificates issued by our own CA. The certificate is installed in the machine store. I use double authentication (aaa & certificates). Everything works fine: AnyConnect browses the cert store, the ASA validates the machine certificate, then the user is prompted for username/password and finally, if all is correct, the connection is established.

My problem is that for a new installation (new host), AnyConnect fails at the first connection attempt. If I use aaa authentication only, the connection is established, but if I use aaa & certificates the connection fails. The appropriate .xml profile is predeployed at the client host, as well as the machine and root certificates.

Important: When the first try (aaa auth) succeeded, the others are always OK (with aaa, certificate or aaa & certificate authentication). Only the first one fails.

The goal is to successfully establish the connection with aaa & cert.

With DART I get:

******************************************
Type        : Error
Source      : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .\CTransportWinHttp.cpp
Line: 2150
Invoked Function: WinHttpCallback
Return Code: 12170 (0x00002F8A)
Description: The supplied certificate has been revoked
******************************************

The certificate is valid for sure, and as I mentioned before, if I first use aaa only, the second try is OK. At the ASA, with debug crypto ca 255, I can't see any certificate from the client.

Any suggestions?

Regards,

Peter

3 Replies

Piotr Strozek
Level 1

Same with AC 3.0.5080... anyone?

chrisgray1
Level 1

Just wondering if the times are all correct on the ASA and CA server / clients?

I can see the message you're getting is

The supplied certificate has been revoked

which may be due to the time being out of sync. PKI digital certificates have a defined valid lifetime, and if the times are out of sync the certificate is not valid. This happens more commonly on network devices without NTP.
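On the clock and revocation point Christopher raises, here is a check that can be run on the Windows client holding the machine certificate. It is an added example for this thread, not code from Cisco, AnyConnect or the original posters: it lists the certificates in the local machine store, compares their validity window with the local clock, prints the CRL distribution point, and builds the chain with online revocation checking through .NET's X509Chain, so a revoked certificate, an unreachable CRL (RevocationStatusUnknown / OfflineRevocation) or a clock outside NotBefore/NotAfter is reported as a named chain status instead of a bare 12170. The issuer filter is a placeholder to replace with your CA's name.

```powershell
# Added example for this thread, not Cisco's or AnyConnect's code.
# Run on the Windows client that holds the machine certificate.
# Assumption: the certificate is in Cert:\LocalMachine\My and its issuer
# name contains $IssuerFilter (placeholder; change to your CA's CN).
$IssuerFilter = 'CN=EXAMPLE-INTERNAL-CA'

# 1. Clock: last sync status of the Windows Time service.
#    A clock outside NotBefore/NotAfter makes a good certificate fail validation.
w32tm /query /status 2>$null
$now = Get-Date
Write-Host ("Local clock (UTC): {0:u}" -f $now.ToUniversalTime())

# 2. Find the candidate client certificates in the machine store.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerFilter*" }
if (-not $certs) {
    Write-Warning "No certificate in LocalMachine\My matching '$IssuerFilter'"
    return
}

foreach ($cert in $certs) {
    Write-Host ""
    Write-Host "Subject      : $($cert.Subject)"
    Write-Host "Issuer       : $($cert.Issuer)"
    Write-Host "Thumbprint   : $($cert.Thumbprint)"
    Write-Host ("Valid        : {0:u} -> {1:u}" -f $cert.NotBefore, $cert.NotAfter)
    Write-Host "Private key  : $($cert.HasPrivateKey)"   # client auth needs the key

    # Validity window against the local clock
    if ($now -lt $cert.NotBefore) { Write-Warning "Local clock is before NotBefore (not yet valid)" }
    if ($now -gt $cert.NotAfter)  { Write-Warning "Local clock is after NotAfter (expired)" }

    # Where a revocation check would fetch the CRL from (CRL Distribution Points, OID 2.5.29.31)
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { Write-Host "CRL DP       : $($cdp.Format($false))" }

    # 3. Build the chain with online revocation checking of every certificate in it.
    #    Each problem is reported as a named X509ChainStatusFlags value, e.g.
    #    Revoked, RevocationStatusUnknown, OfflineRevocation, NotTimeValid, UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $chain.ChainPolicy.VerificationTime    = $now   # evaluate against the clock shown above

    $ok = $chain.Build($cert)
    Write-Host "Chain builds : $ok"
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $chain.Reset()
}
```

Running it once on a freshly built host, before the first VPN attempt, shows whether the chain and revocation data can be validated from that machine at all; a RevocationStatusUnknown or OfflineRevocation status points at CRL reachability from the client rather than at the certificate itself.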

Hi Christopher,

Clocks are synced on all devices, we have NTP enabled, and as I mentioned before, the certificate is valid for sure. Anyway, that log is from DART; at the ASA I had:

Client Cert Auth Failed! Embedded CA Server not enabled. Logging out the user.

Generally my problem looks similar to the one in this thread: https://supportforums.cisco.com/thread/344632 but what is strange is that only the first attempt fails; any following ones are OK, regardless of which method I use (certs or aaa & certs).

regards,

peter
