Cisco Support Community

New Member

ASA 5510 SSL VPN using Certificate authentication

Tried configuring SSL VPN using certificate authentication using a Microsoft CA server. Trustpoint created and mapped to SSL VPN. While connecting to the SSL VPN, getting a certificate validation failure. Please find the error screenshot attached.

4 REPLIES
Cisco Employee

Re: ASA 5510 SSL VPN using Certificate authentication

Get the syslogs + output of "debug crypto ca 10" at the time of a failing authentication attempt, that should give the reason for the failure.

If you need help interpreting the debug output then please post it here along with "show cry ca cert" and a copy of the client cert (just the cert, not the private key).

hth

Herbert

New Member

Re: ASA 5510 SSL VPN using Certificate authentication

Hi, thanks for your reply.

I have attached the syslog and show crypto ca cert. There was no debug output for debug crypto ca 10.

My question is what certificate is required for the client to get connected to SSL VPN; you can check the certificate attached.

New Member

Re: ASA 5510 SSL VPN using Certificate authentication

Hello,

I am experiencing the same issue. We have more than 1000 users on Cisco AnyConnect VPN using aaa and certificate for authentication. I get certificate validation failure even after I download a new user certificate in the client machine. I would love to know the solution for this issue.

Thanks,

Cisco Employee

Re: ASA 5510 SSL VPN using Certificate authentication

@kamalakannan1k : I'm very sorry, it looks like I never saw your update to this thread (maybe something went wrong with the notification email...). FWIW, it looks like your problem was that you did not import the CA certificate on the ASA.

@allen.malanda : your problem may or may not be the same, I would suggest to check the same command to start with, i.e. "show cry ca cert" should show you both a "Certificate" (the ASA's "server" certificate) as well as the CA certificate (i.e. the certificate of the CA that issued the client certificates).

hth
Herbert
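
An added example, not posted by anyone in this thread: Python that reads saved `show crypto ca certificates` output and reports whether it holds both the ASA's own certificate and a CA certificate whose subject matches the issuer of the client certificates. The sample output is constructed, and its indented layout and the function names are assumptions.

```python
import re

# Constructed sample; the indented section layout is an assumption about the ASA output.
SAMPLE = """\
CA Certificate
  Issuer Name:
    cn=Example-Root-CA
  Subject Name:
    cn=Example-Root-CA
  Associated Trustpoints: TP-CA

Certificate
  Issuer Name:
    cn=Example-Root-CA
  Subject Name:
    cn=vpn.example.com
  Associated Trustpoints: TP-ASA
"""

def parse_certs(text):
    """Split the output into one dict per certificate: kind and subject RDNs."""
    certs = []
    for block in re.split(r"(?m)^(?=\S)", text):  # a section starts at column 0
        lines = block.splitlines()
        if not lines or lines[0].strip() not in ("Certificate", "CA Certificate"):
            continue  # skips the prompt line and any other unindented text
        cert, in_subject = {"kind": lines[0].strip(), "subject": []}, False
        for line in lines[1:]:
            if line.strip() == "Subject Name:":
                in_subject = True
            elif in_subject and line.startswith("    "):
                cert["subject"].append(line.strip().lower())
            else:
                in_subject = False
        certs.append(cert)
    return certs

def missing_for_client_auth(text, client_issuer):
    """List what is missing to validate client certs issued by client_issuer (a DN)."""
    certs = parse_certs(text)
    # Name comparison only: a quick sanity check, not a signature verification.
    want = sorted(rdn.strip().lower() for rdn in client_issuer.split(","))
    cas = [c for c in certs if c["kind"] == "CA Certificate"]
    problems = []
    if not any(c["kind"] == "Certificate" for c in certs):
        problems.append("no identity certificate for the ASA")
    if not cas:
        problems.append("no CA certificate imported")
    elif not any(sorted(c["subject"]) == want for c in cas):
        problems.append("no CA certificate matching the client cert issuer")
    return problems
```

Pass the issuer DN exactly as it appears in the client certificate; an empty list means both certificates are present by name.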
