06-07-2021 03:22 PM
Hi,
I have used AnyConnect Client version 4.9.05042 with the ASA local CA server on the ASA 5520 v9.1.7(32). It works fine until I update to version 4.10.01075 or 4.10.00093. After the update the client reports Certificate Validation Failure and disconnects. Here is the debug log:
ASA# CERT_API: PKI session 0x07d89e47 open Successful with type SSL
CERT_API: Authenticate session 0x07d89e47, non-blocking cb=0x09135690
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x07d89e47
CERT_API: Async locked for session 0x07d89e47
CRYPTO_PKI: Sorted chain size is: 2
CRYPTO_PKI: Verifying certificate with serial number: 01, subject name: cn=asa.xyz.com, issuer_name: cn=asa.xyz.com, signature alg: SHA1/RSA.
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI(Cert Lookup) issuer="cn=asa.xyz.com" serial number=01 | .
CRYPTO_PKI: looking for cert in handle=0x742d1658, digest=
dc 11 71 73 29 69 5a f3 d8 78 e9 2d 01 cb 9b 28 | ..qs)iZ..x.-...(
CRYPTO_PKI: Found cert in database.
CRYPTO_PKI: Cerificate is resident.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 03, subject name: cn=user1
CRYPTO_PKI: Verifying certificate with serial number: 03, subject name: cn=user1, issuer_name: cn=asa.xyz.com, signature alg: SHA1/RSA.
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI(Cert Lookup) issuer="cn=asa.xyz.com" serial number=03 | .
CRYPTO_PKI: looking for cert in handle=0x742d1658, digest=
d1 fc 01 a0 9e 25 73 e2 f6 c5 8a 6c a1 b8 bb 39 | .....%s....l...9
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints for connection type SSL
CRYPTO_PKI: Found suitable tp: LOCAL-CA-SERVER
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Re-acquiring public key
CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0
CRYPTO_PKI: bypassing revocation checking based on policy configuration
CRYPTO_PKI:Certificate validated. serial number: 03, subject name: cn=user1.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CRYPTO_PKI: valid cert with warning.
CRYPTO_PKI: valid cert status.
CERT_API: calling user callback=0x09135690 with status=0
CERT_API: Close session 0x07d89e47 asynchronously
CERT_API: Async unlocked for session 0x07d89e47
CERT_API: process msg cmd=1, session=0x07d89e47
CERT_API: Async locked for session 0x07d89e47
CERT_API: Async unlocked for session 0x07d89e47
CERT API thread sleeps!
Can somebody help with this issue?
best regards
damian
06-11-2021 12:18 AM
Hi,
Based on the ASA debugs, it looks like the ASA validated the certificate successfully.
CRYPTO_PKI: Certificate validation: Successful, status: 0
CRYPTO_PKI: bypassing revocation checking based on policy configuration
CRYPTO_PKI:Certificate validated. serial number: 03, subject name: cn=user1.
CRYPTO_PKI: Certificate validated without revocation check
Have you checked client side logs?
I'm not aware of any behavior change between v4.9 and 4.10 in terms of certificate usage.
BR,
Milos
06-11-2021 12:40 PM
Hi Milos,
Thanks for replying. Here is the history message from the client.
21:29:33 Contacting xyz.
21:29:38 No valid certificates available for authentication.
21:29:42 User credentials prompt cancelled.
21:29:42 Ready to connect.
I don't have any ideas.
BR,
joeblack
06-11-2021 03:01 PM
Here is the log information from the client:
Function: COpenSSLCertificate::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp Line: 1887 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate
Function: COpenSSLCertificate::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertificate.cpp Line: 1887 Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage Return Code: -31391721 (0xFE210017) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate
Function: CVerifyExtKeyUsage::compareEKUs File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2
Function: CVerifyExtKeyUsage::Verify File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 100 Extended key usage verification failed
Function: COpenSSLCertUtils::VerifyExtKeyUsage File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\opensslcertutils.cpp Line: 1262 Invoked Function: CVerifyExtKeyUsage::Verify Return Code: -31391722 (0xFE210016) Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages
Function: CAutoProxy::GetAutoProxyStrings File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\common\proxy\autoproxy.cpp Line: 140 Invoked Function: WinHttpGetProxyForUrl Return Code: 12180 (0x00002F94) Description: WINDOWS_ERROR_CODE SG URL xyz:443
Function: CCapiCertUtils::BuildCertChain File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\capicertutils.cpp Line: 284 Certificate can not be used for EKU purpose: Serverauthentifizierung
Function: CTransportCurlStatic::SendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\ctransportcurlstatic.cpp Line: 2139 CURL error: 35 = error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
Function: CTransportCurlStatic::SendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\ctransportcurlstatic.cpp Line: 2277 Invoked Function: curl_easy_perform Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE 35 : SSL connect error
Function: ConnectIfc::sendRequest File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 3303 Invoked Function: CTransport::SendRequest Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE
Function: ConnectIfc::connect File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 486 Invoked Function: ConnectIfc::sendRequest Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE
Function: ConnectIfc::TranslateStatusCode File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectifc.cpp Line: 3118 Invoked Function: ConnectIfc::TranslateStatusCode Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE Connection attempt has failed due to server communication errors. Please retry the connection.
Function: ConnectMgr::doConnectIfcConnect File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\api\connectmgr.cpp Line: 2470 Invoked Function: ConnectIfc::connect Return Code: -29949908 (0xFE37002C) Description: CTRANSPORT_ERROR_SSL_HANDSHAKE
BR,
joeblack
06-14-2021 03:07 AM
Hi joeblack,
Based on the output it looks like your PC is not offering an appropriate certificate to the ASA. Based on this line:
21:29:38 No valid certificates available for authentication.
and also on this one:
Function: CVerifyExtKeyUsage::compareEKUs File: c:\temp\build\thehoff\phoenix_mr10.367623024249\phoenix_mr1\vpn\commoncrypt\certificates\verifyextkeyusage.cpp Line: 330 EKU not found in certificate: 1.3.6.1.5.5.7.3.2
I would expect that your PC/User certificate is not the appropriate one. A certificate used for VPN authentication should contain the Extended Key Usage (EKU) clientAuth (1.3.6.1.5.5.7.3.2). Please validate the machine/user certificate that you want to use for cert-based authentication.
BR,
Milos
06-14-2021 03:06 PM
Hi Milos,
From a Win 10 20H2 PC it does not work, but from an iPhone X with AnyConnect 4.10.01084 it works fine.
What is Windows AnyConnect doing wrong? The certificate is valid and works, but not on MS Windows 10.
Maybe my ASA Local CA config is wrong?
BR,
joeblack
06-25-2021 03:05 AM
Are you using the same tunnel-group for both iPhone and Windows PC connections? If you are, then your ASA CA should be fine, as it is a global configuration.
Are you using the same certificate on both the iPhone and the Windows PC? Or is the certificate different? If the cert is the same, have you looked at the AnyConnect XML profile and its matching criteria?
Based on the logs provided so far, I do see some inconsistency, so they might not all be related to the same use case (e.g. in one log cert authentication is successful, while in another it is stated that the cert was not even sent).
If you have been unable to resolve this so far, I would advise opening a TAC case.
BR,
Milos
01-11-2022 09:28 AM
I am having the same issue as I try to upgrade my AnyConnect client. I am also having issues with the uninstall process; the SBL module is also failing to upgrade. Seems like this upgrade is having problems all around.
As soon as I downgrade back to version 9 (after a bunch of crap to get 4.10 uninstalled) I am able to connect again with the AnyConnect Client with certificate authentication.
02-02-2022 11:52 AM
By any chance are you using a 3rd party cert/token provider app? We ran across an issue between AnyConnect v4.9.0086 and v4.9.03049 where our 'safenet' client stopped properly reading or offering the certificate to AnyConnect. We were using a fairly old version of 'safenet', and once we finally worked it out with Cisco TAC, that was the issue.