
New Member

Changing ID certs on ASA with AnyConnect session impact?

Hello everyone - I probably should know the answer to this, but I'm not 100% sure.

If I change the ID cert (trust point) of the external interface to use a "newer" certificate while there are AnyConnect clients connected, will the sessions be terminated?

I believe the answer is Yes, since the keys will change.

Any and all help is appreciated!

Thanks!

1 ACCEPTED SOLUTION

Cisco Employee

Hi,

It will not disconnect users, because the main purpose of using a cert in the first place, other than identity, is to securely distribute the symmetric session key. Once that is done, the cert's work is done.

I did a quick test at my end.

I connected a client to the ASA using certs. Here are the outputs:

ASA-32-25# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
ssl trust-point SSL outside   <-- This is the certificate applied on the outside interface.
ssl certificate-authentication fca-timeout 2

Now I connected my client, and it successfully got connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username     : anyconnect                  Index        : 50
Assigned IP  : 192.168.10.2           Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Bytes Tx     : 11488                  Bytes Rx     : 1351
Group Policy : GroupPolicy_Test    Tunnel Group : Test
Login Time   : 12:24:15 EDT Thu Apr 17 2014
Duration     : 0h:00m:04s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

I then removed the certificate from the outside interface.

ASA-32-25(config)# no ssl trust-point SSL outside

And when I checked the status of the connected client, I saw that it was still connected:

ASA-32-25(config)# show vpn-ses any

Session Type: AnyConnect

Username     : anyconnect                 Index        : 50
Assigned IP  : 192.168.10.2           Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Bytes Tx     : 11488                  Bytes Rx     : 1351
Group Policy : GroupPolicy_Test    Tunnel Group : Test
Login Time   : 12:24:15 EDT Thu Apr 17 2014
Duration     : 0h:00m:12s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

So the conclusion is that users will not get disconnected if you change the certificate on the outside interface.

Hope this answers your question.

Vishnu
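The check Vishnu performs by eye (same session Index and Login Time before and after the trust-point change, Duration still counting up) can be made repeatable when a rotation touches many users. The script below is an added example, not part of the thread or of any Cisco tooling: it parses two `show vpn-sessiondb anyconnect` listings in the layout quoted above and reports which sessions survived, which disappeared, and which are new. The sample listings are constructed here (the second user, "bob", is a made-up reconnect case, which the script catches because his Index and Login Time change even though the username does not).

```python
"""Added example, not from the original thread: compare two
`show vpn-sessiondb anyconnect` snapshots, captured before and after an
`ssl trust-point` change, and report which sessions survived, dropped,
or reconnected. The field layout follows the listings quoted in the thread."""
import re


def _session_block(user, index, login, duration):
    """Build one constructed session listing (sample input, not real ASA output)."""
    return f"""\
Session Type: AnyConnect

Username     : {user:<26}  Index        : {index}
Assigned IP  : 192.168.10.2           Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)3DES
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Bytes Tx     : 11488                  Bytes Rx     : 1351
Group Policy : GroupPolicy_Test    Tunnel Group : Test
Login Time   : {login}
Duration     : {duration}
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""


# Constructed snapshots: "anyconnect" matches the thread's test; "bob" is an
# invented user whose session was re-established between the two captures.
BEFORE = (_session_block("anyconnect", 50, "12:24:15 EDT Thu Apr 17 2014", "0h:00m:04s")
          + "\n" + _session_block("bob", 51, "12:20:03 EDT Thu Apr 17 2014", "0h:04m:12s"))
AFTER = (_session_block("anyconnect", 50, "12:24:15 EDT Thu Apr 17 2014", "0h:00m:12s")
         + "\n" + _session_block("bob", 53, "12:25:01 EDT Thu Apr 17 2014", "0h:00m:02s"))

# Two "Key : value" pairs share a line, separated by a run of spaces; split only
# where a new label followed by a colon begins, so values containing ':' survive.
_PAIR_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s*:)")
_DURATION = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def parse_sessions(text):
    """Return a list of field dicts, one per 'Session Type:' block."""
    sessions = []
    for block in re.split(r"(?m)^Session Type:", text)[1:]:
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            for part in _PAIR_SPLIT.split(line.strip()):
                key, _, value = part.partition(":")
                fields[key.strip()] = value.strip()
        sessions.append(fields)
    return sessions


def duration_seconds(session):
    h, m, s = map(int, _DURATION.match(session["Duration"]).groups())
    return h * 3600 + m * 60 + s


def session_key(session):
    """Identity of a session: a reconnect by the same user gets a new Index
    and Login Time, so username alone would hide a dropped tunnel."""
    return (session["Username"], session["Index"], session["Login Time"])


def compare_snapshots(before_text, after_text):
    before = {session_key(s): s for s in parse_sessions(before_text)}
    after = {session_key(s): s for s in parse_sessions(after_text)}
    survived = [k for k in before if k in after
                and duration_seconds(after[k]) >= duration_seconds(before[k])]
    dropped = [k for k in before if k not in after]
    new = [k for k in after if k not in before]
    return {"survived": survived, "dropped": dropped, "new": new}


if __name__ == "__main__":
    for kind, keys in compare_snapshots(BEFORE, AFTER).items():
        for user, index, login in keys:
            print(f"{kind:>8}: {user} (index {index}, login {login})")
```

Capture the listing once before changing `ssl trust-point`, once afterwards, and feed both texts to `compare_snapshots`; an empty `dropped` list confirms the behaviour Vishnu observed, while any entry there (paired with a `new` entry for the same user) points at a client that reconnected rather than persisted.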

2 REPLIES

New Member

Thanks Vishnu!  I'll give it a go and let you know!
