Anyconnect IPSEC-IKEv2 Authentication Failure

I configured AnyConnect webvpn using IPsec (IKEv2) to an ASA with version 8.4(2). When I try to connect with the AnyConnect Mobility Client, I get an error message for authentication failure (see attached screenshot). I cannot even get the prompt to enter username/password. From the debugs I get the following errors:

%ASA-6-302015: Built inbound UDP connection 354 for outside:x.x.x.x/52171 (x.x.x.x/52171) to identity:172.16.4.2/500 (172.16.4.2/500)
%ASA-5-750002: Local:172.16.4.2:500 Remote:x.x.x.x:52171 Username:Unknown Received a IKE_INIT_SA request
%ASA-6-302015: Built inbound UDP connection 355 for outside:x.x.x.x/52172 (x.x.x.x/52172) to identity:172.16.4.2/4500 (172.16.4.2/4500)
%ASA-3-751006: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Certificate authentication failed.  Error: Failed to retrieve the certificate chain
%ASA-4-750003: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Negotiation aborted due to ERROR: Auth exchange failed
%ASA-6-302013: Built inbound TCP connection 356 for outside:x.x.x.x/52175 (x.x.x.x/52175) to identity:172.16.4.2/443 (172.16.4.2/443)
%ASA-6-725001: Starting SSL handshake with client outside:x.x.x.x/52175 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:x.x.x.x/52175 proposes the following 18 cipher(s).
%ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[8] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[9] : AES128-SHA
%ASA-7-725011: Cipher[10] : RC4-SHA
%ASA-7-725011: Cipher[11] : RC4-MD5
%ASA-7-725011: Cipher[12] : EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[13] : EDH-DSS-DES-CBC-SHA
%ASA-7-725011: Cipher[14] : DES-CBC-SHA
%ASA-7-725011: Cipher[15] : EXP-EDH-RSA-DES-CBC-SHA
%ASA-7-725011: Cipher[16] : EXP-EDH-DSS-DES-CBC-SHA
%ASA-7-725011: Cipher[17] : EXP-DES-CBC-SHA
%ASA-7-725011: Cipher[18] : EXP-RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:x.x.x.x/52175
%ASA-6-725002: Device completed SSL handshake with client outside:x.x.x.x/52175
%ASA-6-725007: SSL session with client outside:x.x.x.x/52175 terminated.
%ASA-6-302014: Teardown TCP connection 356 for outside:x.x.x.x/52175 to identity:172.16.4.2/443 duration 0:00:00 bytes 872 TCP FINs

Below is my configuration:

ip local pool VPNPOOL 172.17.1.1-172.17.1.40 mask 255.255.255.0
object network obj-vpnpool
 subnet 172.17.1.0 255.255.255.0
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
access-list SPLITUN-ACL standard permit 192.168.0.0 255.255.255.0
access-list SPLITUN-ACL standard permit 10.1.1.0 255.255.255.0
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2 1
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint _SmartCallHome_ServerCA
crypto ipsec ikev2 ipsec-proposal TS1-IKEV2
 protocol esp encryption 3des aes des aes-192 aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map DYN-MAP 40 set ikev2 ipsec-proposal TS1-IKEV2
crypto map ASA1VPN 65535 ipsec-isakmp dynamic DYN-MAP
crypto map ASA1VPN interface outside
crypto isakmp nat-traversal
webvpn
 anyconnect image disk0:/anyconnect-linux-3.0.5075-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.5075-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 5
 anyconnect profiles Main_IKEv2_client_profile disk0:/Main_IKEv2_client_profile.xml
 anyconnect enable
 enable outside
 tunnel-group-list enable
group-policy GroupPolicy_Main_IKEv2 internal
group-policy GroupPolicy_Main_IKEv2 attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUN-ACL
 dns-server value 192.168.0.245
 wins-server value 192.168.0.245
 default-domain value jiffix.local
 webvpn
  anyconnect profiles value Main_IKEv2_client_profile type user
  anyconnect keep-installer installed
tunnel-group RemoteAccessIKEv2 type remote-access
tunnel-group RemoteAccessIKEv2 general-attributes
 default-group-policy GroupPolicy_Main_IKEv2
 address-pool VPNPOOL
tunnel-group RemoteAccessIKEv2 webvpn-attributes
 group-alias Main_IKEv2 enable
username user password xxxxx
username user attributes
 vpn-group-policy GroupPolicy_Main_IKEv2
management-access inside
ssh 172.17.1.0 255.255.255.0 inside

Main_IKEv2_client_profile.xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>hostname-ASA (IPsec)</HostName>
      <HostAddress>y.y.y.y</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Accepted Solution

Marvin Rhoads (Hall of Fame)

Do you have the trustpoint with certificate "_SmartCallHome_ServerCA" configured? The partial configuration above doesn't indicate anything about that bit of the script, which is where the authentication is failing in your log output above.

The output of "show crypto ca server certificates" would be useful.

8 Replies

Thanks for the reply.

See below the output of show crypto ca server certificate.

JIFFix-ASA# show crypto ca server certificate
ERROR: Cannot find Local Certificate Server

See also the running configuration below:

crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

The problem was the trustpoint.

The "_SmartCallHome_ServerCA" certificate was a VeriSign certificate used by the ASA for the Call Home reporting feature.

I created a self-signed certificate and now it is working fine.

Thanks for your help.
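The fix the original poster describes, written out as an added ASA CLI example (it is not part of the original thread and not the poster's own configuration). The trustpoint the poster had bound to IKEv2 contains only a "certificate ca" entry, that is, a CA certificate with no identity certificate and private key behind it, so the ASA has no chain of its own to present in IKE_AUTH, which is what the 751006 "Failed to retrieve the certificate chain" message reports. The example creates a dedicated key pair and self-signed identity certificate in a new trustpoint, binds that trustpoint to IKEv2 remote access and to the outside interface's SSL listener (AnyConnect also opens the port-443 client-services session seen in the log), and shows the check that distinguishes a usable trustpoint from the one in the thread. The trustpoint name IKEV2-RA-TP, the key label IKEV2-RA-KEY and the FQDN vpn.example.com are assumed placeholders.

```cisco
! Added example, not the thread's own configuration. Names are placeholders.
! 1. A key pair of its own for the VPN identity certificate.
crypto key generate rsa label IKEV2-RA-KEY modulus 2048

! 2. A trustpoint that enrolls against itself (self-signed identity cert).
crypto ca trustpoint IKEV2-RA-TP
 enrollment self
 subject-name CN=vpn.example.com
 fqdn vpn.example.com
 keypair IKEV2-RA-KEY
 crl configure
crypto ca enroll IKEV2-RA-TP noconfirm

! 3. Bind it where AnyConnect needs it: IKEv2 remote access and the
!    outside SSL listener used by client-services on port 443.
crypto ikev2 remote-access trustpoint IKEV2-RA-TP
ssl trust-point IKEV2-RA-TP outside

! 4. Check. A trustpoint usable for IKEv2 must list an identity
!    "Certificate" (not only a "CA Certificate") under this trustpoint.
show crypto ca certificates IKEV2-RA-TP
show crypto ca trustpoints

! 5. Export the certificate so it can be installed in the clients' trust
!    store; otherwise the client cannot distinguish this ASA from anyone
!    else presenting a self-signed certificate for the same name.
crypto ca export IKEV2-RA-TP identity-certificate
```

Two caveats. A trustpoint that holds only a third-party CA certificate (like the Call Home one in the thread) is valid for validating peers but can never authenticate the ASA itself; "crypto ikev2 remote-access trustpoint" must point at one that enrolled an identity certificate. And a self-signed certificate only gets you past the authentication exchange: unless it is distributed to and trusted by the clients, AnyConnect will warn about an untrusted server certificate, and users who click through are accepting whatever certificate they are shown. For production, enroll the trustpoint against a CA the clients already trust.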

You're welcome. Glad I was able to point you in the right direction.

I'm working with some new IKEv2 configs myself. The documentation (and ASDM wizard) hasn't quite caught up to the feature set yet.

I have been working with IKEv2 and EC certs since October. (Was given some early 9 code.) And it still makes my brain hurt. I have gotten it to work with StrongSwan, Aruba, Juniper and other ASA devices. I have a bad time debugging and end up most of the time guessing to get it to work. Good answer though. I wouldn't have caught that so easily.

Hi Marvin,

I was facing a similar issue. We use double authentication for AnyConnect IPsec VPN; however, it's not authenticating when we use it with a certificate. There is something wrong with the certificate installation on the firewall.

We installed both the identity certificate and the CA certificate using a Microsoft CA server. My doubts are:

1. What exact certificates need to be installed on the ASA?

2. What exact certificate needs to be available on the client PC?

3. How can we get the certificates (client/server) with the EKU extension?

thanks in advance..

Hi,

I am facing the same issue.

I generated a self-signed certificate and assigned it to the IKEv2 connections... But I still got the same problem...

What exactly did you do to make it work please ?


Thanks,

Mehdy

Hello,

I have the same issue (error message) while enabling IPsec IKEv2. Looking at the certificates, I have several CA certificates installed on my ASA but not a CA server certificate. What is the difference between CA certificates and a CA server certificate, and how can I generate a CA server certificate on my ASA without any trouble?

I use a VeriSign certificate for the AnyConnect HTTPS portal and our local CA certificate for AnyConnect authentication.

Thanks for your help on that
