
New Member

Problem configuring OCSP for anyconnect clients.

Hi forum,

I have done all the configuration for Cisco AnyConnect using certificates and revocation checking using CRL. I am successful with this. Now the problem is that I want to configure OCSP for revocation. I am stuck here; I am not able to successfully check the revocation, even though the configuration is just 3 lines.

crypto ca trustpoint ABC_SUBCA_TRUSTPOINT
 revocation-check ocsp
 enrollment terminal
 ocsp disable-nonce
 ocsp url http://ocsp.abc.local/ocsp

================ When a client tries to log in using AnyConnect I receive the following debug messages ===================

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2
CRYPTO_PKI: Verifying certificate with serial number: 4123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="c=ab,o=localcompany,ou=localcompany Section,cn=sub-ca" serial number=123456789
CRYPTO_PKI: Verify cert is polling for revocation status.
CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened%ASA-3-717032: OCSP status check failed. Reason: OCSP Responder cert validation failed.
%ASA-3-717032: OCSP status check failed. Reason: Failed to verify OCSP response.
%ASA-3-717027: Certificate chain failed validation. Revocation status check polling failed for certificate, serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2.
CRYPTO_PKI: OCSP response received successfully.
CRYPTO_PKI: OCSP found in-band certificate: serial number: 12345678988E3, subject name: c=ab,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca
CRYPTO_PKI: OCSP found in-band certificate: serial number: 1234567890B6D, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=sub-ca, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn= Root CA
CRYPTO_PKI: OCSP found in-band certificate: serial number: 123456789FE02, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: OCSP responderID byKeyHash
CRYPTO_PKI: OCSP response contains 1 cert singleResponses responseData sequence.
Found response for request certificate!
CRYPTO_PKI: Verifying OCSP response with 3 certs in the responder chain
CRYPTO_PKI: Validating OCSP response using trusted CA cert: serial number: 123456789DBC24, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: Searching for ResponderID cert by keyhash
CRYPTO_PKI: Validating OCSP responder certificate: serial number: 12345678988E3, subject name: c=abc,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA , signature alg: SHA1/RSA
CRYPTO_PKI: verifyResponseSig:3111
CRYPTO_PKI: OCSP Responder cert validation failed -1
CRYPTO_PKI: Failed to verify response - invalid status being returned -1
CRYPTO_PKI: failed to verify OCSP response - -1
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 7.
CRYPTO_PKI: Process next cert, Invalid or CRL get failed.status: 7
CRYPTO_PKI: Calling callback with chain validation status: 7.

2 REPLIES
Cisco Employee

Re: Problem configuring OCSP for anyconnect clients.

Hello John,

It looks like the ASA is trying to check the CRL for your OCSP responder certificate.

Are you sure you have the correct extension in your OCSP responder certificate:

OCSP no revocation checking

That extension will tell the ASA not to check the revocation list for your OCSP responder certificate

(without that we are trying to eat our own tail).

That extension is attached automatically if you have used the "OCSP Response Signing" template (when generating the cert on a Microsoft OCSP responder).

Also please make sure that the OCSP responder cert is trusted by the ASA (signed by the CA which is installed on the ASA).

An example can be found in this article:

http://www.cisco.com/en/US/products/ps12726/products_configuration_example09186a0080c1ea59.shtml
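A quick way to confirm the two properties this reply names on the responder's signing certificate before the ASA sees it (the id-pkix-ocsp-nocheck extension, and the OCSP Signing EKU that the "OCSP Response Signing" template sets), as an added example that is not from this thread or from Cisco: a stdlib-only Python walk over the certificate's DER. The helper names and the constructed sample extensions are this example's own; it is a sanity check on extensions, not a substitute for the ASA's chain validation.

```python
import base64

# DER-encoded OID values: the reply's nocheck extension, extKeyUsage, and the OCSP Signing purpose
OID_OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")  # 1.3.6.1.5.5.7.48.1.5 id-pkix-ocsp-nocheck
OID_EKU = bytes.fromhex("551d25")                       # 2.5.29.37 id-ce-extKeyUsage
OID_OCSP_SIGNING = bytes.fromhex("2b06010505070309")    # 1.3.6.1.5.5.7.3.9 id-kp-OCSPSigning

def der_encode(tag, content):
    """Tiny DER TLV encoder (used only to build the constructed sample below)."""
    length = bytes([len(content)]) if len(content) < 0x80 else b"\x82" + len(content).to_bytes(2, "big")
    return bytes([tag]) + length + content

def iter_tlv(data):
    """Yield (tag, value) for consecutive DER elements; ValueError/IndexError on malformed input."""
    pos = 0
    while pos < len(data):
        tag, n, pos = data[pos], data[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low bits give the number of length octets
            n, pos = int.from_bytes(data[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[pos:pos + n]
        pos += n

def collect_oids(data, found=None):
    """Gather every OBJECT IDENTIFIER, descending into constructed types and OCTET STRING extnValues."""
    found = set() if found is None else found
    try:
        for tag, value in iter_tlv(data):
            if tag == 0x06:
                found.add(value)
            elif tag & 0x20 or tag == 0x04:
                collect_oids(value, found)
    except (ValueError, IndexError):
        pass  # an OCTET STRING holding raw bytes (e.g. a key hash), not nested DER
    return found

def check_ocsp_signer(cert_bytes):
    """Report whether a responder certificate (PEM or DER) carries nocheck and the OCSP Signing EKU."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert_bytes.splitlines() if not l.startswith(b"-----"))
        cert_bytes = base64.b64decode(body)
    oids = collect_oids(cert_bytes)
    return {"ocsp_nocheck": OID_OCSP_NOCHECK in oids, "ocsp_signing_eku": OID_OCSP_SIGNING in oids}

def sample_extensions(with_nocheck):
    """Constructed sample: an X.509 Extensions SEQUENCE only, not a real certificate."""
    eku = der_encode(0x30, der_encode(0x06, OID_EKU) + der_encode(0x04, der_encode(0x30, der_encode(0x06, OID_OCSP_SIGNING))))
    exts = [eku]
    if with_nocheck:  # extnValue of id-pkix-ocsp-nocheck is an encoded NULL
        exts.append(der_encode(0x30, der_encode(0x06, OID_OCSP_NOCHECK) + der_encode(0x04, b"\x05\x00")))
    return der_encode(0x30, b"".join(exts))
```

Feed check_ocsp_signer the exported responder certificate (PEM or DER) and expect both flags True before pointing the trustpoint at the responder; a False ocsp_nocheck is exactly the case where the ASA falls back to checking the responder's own revocation status.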

New Member

Hi john.ebrahim83,

Hi 
