01-26-2012 05:44 AM - edited 02-21-2020 05:50 PM
Hi,
I'm trying to set up VPN with ASA 8.2(5) and AnyConnect 3.0.4235. The goal is to force users to connect from registered machines only (WinXP & Win7 x32 and x64). To do this, I used machine certificates issued by our own CA. The certificate is installed in the machine store. I use double authentication (aaa & certificates). Everything works fine: AnyConnect browses the cert store, the ASA validates the machine certificate, then the user is prompted for username/password and finally, if all is correct, the connection is established.
My problem is that for a new installation (new host), AnyConnect fails at the first connection attempt. If I use aaa authentication only, the connection is established, but if I use aaa & certificates the connection fails. The appropriate .xml profile is predeployed at the client host, as well as the machine and root certificates.
Important: when the first try (aaa auth) succeeded, the others are always OK (with aaa, certificate or aaa & certificate authentication). Only the first one fails.
The goal is to successfully establish the connection with aaa & cert.
With DART I get:
******************************************
Type : Error
Source : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .\CTransportWinHttp.cpp
Line: 2150
Invoked Function: WinHttpCallback
Return Code: 12170 (0x00002F8A)
Description: The supplied certificate has been revoked
******************************************
The certificate is valid for sure, and as I mentioned before, if I first use aaa only, the second try is OK. On the ASA, with debug crypto ca 255, I can't see any certificate from the client.
Any suggestions?
Regards,
Peter
02-03-2012 03:14 AM
Same with AC 3.0.5080... anyone?
02-03-2012 03:30 AM
Just wondering if the times are all correct on the ASA and CA server / clients?
I can see the message you're getting is
The supplied certificate has been revoked
which may be due to the time being out of sync. PKI digital certificates have a defined valid lifetime, and if you get the times out of sync the certificate is not valid. This can happen on network devices more commonly without NTP.
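Christopher's point about clocks and certificate lifetimes, as an added example that is not part of the original thread: a small Python check of a certificate's validity window against the verifying device's clock. The sample `openssl x509 -noout -dates` output, the "true" time and the clock offsets are constructed for illustration; the 5-minute skew allowance is an assumption, not something the ASA or AnyConnect is documented to use.

```python
"""Certificate validity-window check with a clock-skew allowance.

Added example (not from the thread): shows how a certificate that is
perfectly valid at the CA can be rejected by a device whose clock is
wrong. Dates are in the format printed by `openssl x509 -noout -dates`.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl x509 -noout -dates` would print for a
# hypothetical one-year machine certificate (not a real certificate).
SAMPLE_DATES = """notBefore=Jan 26 05:00:00 2012 GMT
notAfter=Jan 26 05:00:00 2013 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl prints "Mon DD HH:MM:SS YYYY GMT"; drop the zone and
        # attach UTC explicitly so later comparisons are unambiguous.
        stamp = datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def validity_status(not_before, not_after, now, skew=timedelta(minutes=5)):
    """Classify a certificate relative to the verifier's clock.

    `skew` is the tolerance assumed here (an assumption of this example):
    a cert is rejected only if it is outside its window by more than skew.
    """
    if now + skew < not_before:
        return "not_yet_valid"
    if now - skew > not_after:
        return "expired"
    return "valid"


def check_with_clock_offset(dates_text, true_now, device_offset):
    """Status as seen by a device whose clock is off by `device_offset`."""
    not_before, not_after = parse_openssl_dates(dates_text)
    device_now = true_now + device_offset
    return validity_status(not_before, not_after, device_now)


def first_attempt_scenario(device_offset_minutes):
    """Status of the sample cert one hour after issue, as seen by a
    device whose clock is off by the given number of minutes."""
    true_now = datetime(2012, 1, 26, 6, 0, tzinfo=timezone.utc)  # constructed
    return check_with_clock_offset(
        SAMPLE_DATES, true_now, timedelta(minutes=device_offset_minutes)
    )


if __name__ == "__main__":
    # A freshly issued cert is only rejected by the device that is behind:
    for offset in (0, -58, -70, -120):
        print(f"device clock off by {offset:5d} min -> {first_attempt_scenario(offset)}")
```

A device running two hours behind the CA sees a certificate issued an hour ago as not yet valid, while every correctly synced device accepts it; the same cert starts to be accepted on the slow device once its clock catches up, which is one way a "fails only the first time" symptom can arise. Comparing `notBefore`/`notAfter` from the client and CA with the ASA's `show clock` is the quick check this models.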
02-03-2012 11:29 AM
Hi Christopher,
Clocks are synced on all devices, we have NTP enabled, and as I mentioned before, the certificate is valid for sure. Anyway, that log is from DART; on the ASA I had:
Client Cert Auth Failed! Embedded CA Server not enabled. Logging out the user.
Generally my problem looks similar to the one in this thread: https://supportforums.cisco.com/thread/344632 but the strange thing is that only the first attempt fails; any following ones are OK, regardless of which method I use (certs or aaa & certs).
Regards,
Peter