Certificate Validation Failure after AnyConnect Update

joeblack
Level 1

Hi,

 

I have been using AnyConnect client version 4.9.05042 with the ASA local CA server on an ASA 5520 running 9.1.7(32). It works fine until I update to version 4.10.01075 or 4.10.00093. After the update the client reports Certificate Validation Failure and disconnects. Here is the debug output:

 

ASA# CERT_API: PKI session 0x07d89e47 open Successful with type SSL
CERT_API: Authenticate session 0x07d89e47, non-blocking cb=0x09135690
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x07d89e47
CERT_API: Async locked for session 0x07d89e47

CRYPTO_PKI: Sorted chain size is: 2
CRYPTO_PKI: Verifying certificate with serial number: 01, subject name: cn=asa.xyz.com, issuer_name: cn=asa.xyz.com, signature alg: SHA1/RSA.

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=asa.xyz.com" serial number=01 | .

CRYPTO_PKI: looking for cert in handle=0x742d1658, digest=
dc 11 71 73 29 69 5a f3 d8 78 e9 2d 01 cb 9b 28 | ..qs)iZ..x.-...(

CRYPTO_PKI: Found cert in database.

CRYPTO_PKI: Cerificate is resident.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 03, subject name: cn=user1
CRYPTO_PKI: Verifying certificate with serial number: 03, subject name: cn=user1, issuer_name: cn=asa.xyz.com, signature alg: SHA1/RSA.

CRYPTO_PKI: Checking to see if an identical cert is
already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=asa.xyz.com" serial number=03 | .

CRYPTO_PKI: looking for cert in handle=0x742d1658, digest=
d1 fc 01 a0 9e 25 73 e2 f6 c5 8a 6c a1 b8 bb 39 | .....%s....l...9

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints for connection type SSL

CRYPTO_PKI: Found suitable tp: LOCAL-CA-SERVER
CRYPTO_PKI: Storage context locked by thread CERT API

CRYPTO_PKI: Re-acquiring public key
CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Successful, status: 0
CRYPTO_PKI: bypassing revocation checking based on policy configuration
CRYPTO_PKI:Certificate validated. serial number: 03, subject name: cn=user1.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate validated without revocation check

CRYPTO_PKI: valid cert with warning.

CRYPTO_PKI: valid cert status.
CERT_API: calling user callback=0x09135690 with status=0
CERT_API: Close session 0x07d89e47 asynchronously
CERT_API: Async unlocked for session 0x07d89e47
CERT_API: process msg cmd=1, session=0x07d89e47
CERT_API: Async locked for session 0x07d89e47
CERT_API: Async unlocked for session 0x07d89e47
CERT API thread sleeps!

 

Can somebody help with this issue?

 

best regards

damian

8 Replies

Milos_Jovanovic
VIP Alumni

Hi,

Based on ASA debugs, it looks like ASA validated certificate successfully.

CRYPTO_PKI: Certificate validation: Successful, status: 0
CRYPTO_PKI: bypassing revocation checking based on policy configuration
CRYPTO_PKI:Certificate validated. serial number: 03, subject name: cn=user1.

CRYPTO_PKI: Certificate validated without revocation check

Have you checked client side logs?

I'm not aware of any behavior change between v4.9 and 4.10 in terms of certificate usage.

BR,

Milos

 

Hi Milos,

 

Thanks for replying. Here is the message history from the client.

21:29:33 Contacting xyz.
21:29:38 No valid certificates available for authentication.
21:29:42 User credentials prompt cancelled.
21:29:42 Ready to connect.

 

I don't have any ideas.

 

BR,

joeblack

Here is the log information from the client.

 

Function: COpenSSLCertificate::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp Line: 1887 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate

Function: COpenSSLCertificate::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp Line: 1887 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate

Function: CVerifyExtKeyUsage::compareEKUs File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2

Function: CVerifyExtKeyUsage::Verify File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 100 Extended key usage verification failed

Function: COpenSSLCertUtils::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertutils.cpp Line: 1262 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Function: CAutoProxy::GetAutoProxyStrings File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\common\proxy\autoproxy.cpp Line: 140 Invoked Function: WinHttpGetProxyForUrl Return Code: 12180 (0x00002F94) Description: WINDOWS_ERROR_CODE SG URL xyz:443

Function: CCapiCertUtils::BuildCertChain File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\capicertutils.cpp Line: 284 Certificate can not be used for EKU purpose: Server Authentication (original log text: Serverauthentifizierung)

Function: CTransportCurlStatic::SendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\ctransportcurlstatic.cpp Line: 2139 CURL error: 35 = error:0D07209B:asn1 encoding routines:ASN1_get_object:too long

Function: CTransportCurlStatic::SendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\ctransportcurlstatic.cpp Line: 2277 Invoked Function: curl_easy_perform Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE 35 : SSL connect error

Function: ConnectIfc::sendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 3303 Invoked Function: CTransport::SendRequest Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE

Function: ConnectIfc::connect File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 486 Invoked Function: ConnectIfc::sendRequest Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE

Function: ConnectIfc::TranslateStatusCode File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 3118 Invoked Function: ConnectIfc::TranslateStatusCode Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE Connection attempt has failed due to server communication errors. Please retry the connection.

Function: ConnectMgr::doConnectIfcConnect File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectmgr.cpp Line: 2470 Invoked Function: ConnectIfc::connect Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE

 

BR,

joeblack
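
A small triage helper for log dumps like the one above, added here as an example and not part of the original post. It parses the `Function: ... File: ... Line: ... Invoked Function: ... Return Code: ... Description: ...` record format (assumed from the lines quoted in this thread, nothing more), returns the chain of return codes in order, and pulls out the EKU OID the client said was missing. The sample lines are copies of four lines from the post with the build paths shortened to the file name; the function and regex names are mine.

```python
import re

# Constructed sample: four records reproduced from the AnyConnect log above,
# with the long c:\temp\build\... paths shortened to the bare file name.
SAMPLE_LOG = [
    "Function: COpenSSLCertificate::VerifyExtKeyUsage File: opensslcertificate.cpp Line: 1887 "
    "Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) "
    "Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate",
    "Function: CVerifyExtKeyUsage::compareEKUs File: verifyextkeyusage.cpp Line: 330 "
    "EKU not found in certificate: 1.3.6.1.5.5.7.3.2",
    "Function: COpenSSLCertUtils::VerifyExtKeyUsage File: opensslcertutils.cpp Line: 1262 "
    "Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) "
    "Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages",
    "Function: CTransportCurlStatic::SendRequest File: ctransportcurlstatic.cpp Line: 2277 "
    "Invoked Function: curl_easy_perform Return Code: -29949908 (0xFE37002C) "
    "Description: CTRANSPORT_ERROR_SSL_HANDSHAKE 35 : SSL connect error",
]

# Record layout as seen in the thread; everything after "Line: N" is optional.
LINE_RE = re.compile(
    r"^Function: (?P<func>\S+) File: (?P<file>.+?) Line: (?P<line>\d+)"
    r"(?: Invoked Function: (?P<invoked>\S+))?"
    r"(?: Return Code: (?P<code>-?\d+) \((?P<hex>0x[0-9A-Fa-f]{8})\))?"
    r"(?: Description: (?P<desc>.*))?"
    r"\s*(?P<msg>.*)$"
)
SYMBOL_RE = re.compile(r"^([A-Z][A-Z0-9_]+)")          # CERTIFICATE_ERROR_... etc.
EKU_RE = re.compile(r"EKU not found in certificate: (\d+(?:\.\d+)+)")


def parse_line(line):
    """Split one record into its fields; None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sym = SYMBOL_RE.match(rec["desc"] or "")
    rec["symbol"] = sym.group(1) if sym else None     # the error constant only
    return rec


def error_chain(lines):
    """Ordered (hex code, symbol) pairs for every record that carries a return code."""
    return [(r["hex"], r["symbol"]) for r in map(parse_line, lines) if r and r["hex"]]


def required_eku(lines):
    """The EKU OID the client reported as missing, or None if never logged."""
    for line in lines:
        m = EKU_RE.search(line)
        if m:
            return m.group(1)
    return None


def triage(lines):
    """The first error in the chain is the one to act on; the later SSL
    handshake failure is a consequence of the certificate being rejected."""
    chain = error_chain(lines)
    return {
        "first_error": chain[0] if chain else None,
        "final_error": chain[-1] if chain else None,
        "missing_eku": required_eku(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:12s}: {value}")
```

Fed the real DART or message-history export one line per record, `triage()` points at the EKU error rather than the generic "server communication errors" message the UI shows.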

Milos_Jovanovic
VIP Alumni

Hi joeblack,

Based on the output it looks like your PC is not offering an appropriate certificate to the ASA. Based on this line:

21:29:38 No valid certificates available for authentication.

and also on this one:

Function: CVerifyExtKeyUsage::compareEKUs File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2

I would expect that your PC/user certificate is not an appropriate one. A certificate used for VPN authentication should contain the Extended Key Usage (EKU) clientAuth (1.3.6.1.5.5.7.3.2). Please validate the machine/user certificate that you want to use for cert-based authentication.

BR,

Milos
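
One way to do the validation Milos asks for, as an added example that is not part of this thread: a stdlib-only DER walker that locates the extKeyUsage extension (2.5.29.37) in a certificate and classifies the result the same way the two client log lines quoted earlier do, extension absent versus extension present without clientAuth. Note the contrast visible in the two logs on this page: the ASA debug prints `ExtendedKeyUsage extension not found` and still reports `Key Usage check OK`, while the 4.10 client treats the missing EKU as fatal. The certificates the code checks are constructed skeletons (serial plus the extensions field only, not real certificates); `build_stub_certificate`, `pem_to_der` and the other names are my own.

```python
"""Locate the clientAuth EKU (1.3.6.1.5.5.7.3.2) in an X.509 certificate with a
minimal DER walker and classify the outcome the way the AnyConnect log lines do.
Sample certificates are constructed skeletons, not real certs."""
import base64

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what the client demanded
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_EKU_EXT = "2.5.29.37"           # id-ce-extKeyUsage


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def encode_oid(dotted):
    """Inverse of decode_oid; only needed to build the constructed samples."""
    nums = [int(x) for x in dotted.split(".")]
    out = bytearray([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:                                    # continuation bit on all but last
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der(tag, content):
    """DER-encode one TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_stub_certificate(eku_oids):
    """Constructed sample: Certificate { tbs { serial 03, [3] extensions } }.
    eku_oids=None omits the EKU extension entirely, like the user cert in the thread."""
    exts = b""
    if eku_oids is not None:
        eku_seq = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in eku_oids))
        exts = der(0x30, der(0x06, encode_oid(OID_EKU_EXT)) + der(0x04, eku_seq))
    tbs = der(0x02, b"\x03") + der(0xA3, der(0x30, exts))
    return der(0x30, der(0x30, tbs))


def pem_to_der(pem):
    """Drop the BEGIN/END lines of a PEM file and base64-decode the body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def extended_key_usages(cert_der):
    """EKU OID list, or None when the certificate carries no EKU extension."""
    _t, cert, _ = read_tlv(cert_der)
    _t, tbs, _ = read_tlv(cert)                       # tbsCertificate
    for tag, value in children(tbs):
        if tag != 0xA3:                               # [3] EXPLICIT Extensions
            continue
        _t, ext_list, _ = read_tlv(value)
        for _t, ext in children(ext_list):            # Extension ::= SEQUENCE
            fields = list(children(ext))              # OID, [critical], OCTET STRING
            if decode_oid(fields[0][1]) != OID_EKU_EXT:
                continue
            _t, eku_seq, _ = read_tlv(fields[-1][1])  # SEQUENCE OF KeyPurposeId
            return [decode_oid(v) for _t, v in children(eku_seq)]
    return None


def check_client_auth(cert_der):
    """Classify like the two AnyConnect log lines quoted in the thread."""
    ekus = extended_key_usages(cert_der)
    if ekus is None:
        return "CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND"
    if CLIENT_AUTH not in ekus:
        return "CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED"
    return "OK: clientAuth present"


if __name__ == "__main__":
    for label, ekus in [("no EKU extension", None), ("serverAuth only", [SERVER_AUTH]),
                        ("serverAuth + clientAuth", [SERVER_AUTH, CLIENT_AUTH])]:
        print(f"{label:24s} -> {check_client_auth(build_stub_certificate(ekus))}")
    # real cert: check_client_auth(pem_to_der(open("user1.pem").read()))
```

On a real exported user certificate, `check_client_auth(pem_to_der(open("user1.pem").read()))` gives the same verdict; the equivalent quick look with OpenSSL 1.1.1 or later is `openssl x509 -noout -ext extendedKeyUsage -in user1.pem`, which prints nothing under the header when the extension is absent.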

Hi Milos,

 

From a Windows 10 20H2 PC it does not work, but from an iPhone X with AnyConnect 4.10.01084 it works fine.

What is Windows AnyConnect doing wrong? The certificate is valid and works, but not on MS Windows 10.

Maybe my ASA local CA config is wrong?

 

BR,

joeblack

Are you using the same tunnel-group for both the iPhone and the Windows PC connections? If you are, then your ASA CA should be fine, as it is a global configuration.

Are you using the same certificate on both the iPhone and the Windows PC, or is the certificate different? If the cert is the same, have you looked at the AnyConnect XML profile and its matching criteria?

Based on the logs provided so far, I do see some inconsistency, so they might not all be related to the same use case (e.g. in one log cert authentication is successful, while in another it is stated that the cert was not even sent).

If you were unable to resolve this so far, I would advise to open a TAC case.

BR,

Milos

I am having the same issue as I try to upgrade my AnyConnect client. I am also having issues with the uninstall process; the SBL module is also failing to upgrade. It seems like this upgrade is having problems all around.

As soon as I downgrade back to version 9 (after a bunch of crap to get 4.10 uninstalled) I am able to connect again with the AnyConnect client with certificate authentication.

 

DMel
Level 1

By any chance are you using a 3rd-party cert/token provider app? We ran across an issue between AnyConnect v4.9.0086 and v4.9.03049 where our 'safenet' client stopped properly reading or offering the certificate to AnyConnect. We were using a fairly old version of 'safenet', and once we finally worked it out with Cisco TAC, that was the issue.