Problem configuring OCSP for anyconnect clients.

john.ebrahim83
Level 1

Hi forum,

I have done all the configuration for Cisco AnyConnect using certificates and revocation check using CRL. I am successful on this. Now the problem is I want to configure OCSP for revocation. I am stuck here; I am not able to successfully check the revocation, however the configuration is just 3 lines.

crypto ca trustpoint ABC_SUBCA_TRUSTPOINT
 revocation-check ocsp
 enrollment terminal
 ocsp disable-nonce
 ocsp url http://ocsp.abc.local/ocsp

================ When the client tries to log in using AnyConnect I receive the following debug messages ===================

CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2
CRYPTO_PKI: Verifying certificate with serial number: 4123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="c=ab,o=localcompany,ou=localcompany Section,cn=sub-ca" serial number=123456789
CRYPTO_PKI: Verify cert is polling for revocation status.
CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened
%ASA-3-717032: OCSP status check failed. Reason: OCSP Responder cert validation failed.
%ASA-3-717032: OCSP status check failed. Reason: Failed to verify OCSP response.
%ASA-3-717027: Certificate chain failed validation. Revocation status check polling failed for certificate, serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2.
CRYPTO_PKI: OCSP response received successfully.
CRYPTO_PKI: OCSP found in-band certificate: serial number: 12345678988E3, subject name: c=ab,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca
CRYPTO_PKI: OCSP found in-band certificate: serial number: 1234567890B6D, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=sub-ca, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn= Root CA
CRYPTO_PKI: OCSP found in-band certificate: serial number: 123456789FE02, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: OCSP responderID byKeyHash
CRYPTO_PKI: OCSP response contains 1 cert singleResponses responseData sequence.
Found response for request certificate!
CRYPTO_PKI: Verifying OCSP response with 3 certs in the responder chain
CRYPTO_PKI: Validating OCSP response using trusted CA cert: serial number: 123456789DBC24, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: Searching for ResponderID cert by keyhash
CRYPTO_PKI: Validating OCSP responder certificate: serial number: 12345678988E3, subject name: c=abc,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA , signature alg: SHA1/RSA
CRYPTO_PKI: verifyResponseSig:3111
CRYPTO_PKI: OCSP Responder cert validation failed -1
CRYPTO_PKI: Failed to verify response - invalid status being returned -1
CRYPTO_PKI: failed to verify OCSP response - -1
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 7.
CRYPTO_PKI: Process next cert, Invalid or CRL get failed.status: 7
CRYPTO_PKI: Calling callback with chain validation status: 7.

2 Replies

Michal Garcarz
Cisco Employee

Hello John,

It looks like ASA is trying to check CRL for your OCSP responder certificate.

Are you sure you have the correct extension in your OCSP responder certificate:

OCSP no revocation checking

That extension will tell ASA not to check the revocation list for your OCSP responder certificate

(without that we are trying to eat our own tail).

That extension is attached automatically if you have used the template "OCSP Response Signing" (when generating the cert on a Microsoft OCSP responder).

Also please make sure that OCSP responder cert is trusted by ASA (signed by the CA which is installed on ASA)

An example can be found in this article:

http://www.cisco.com/en/US/products/ps12726/products_configuration_example09186a0080c1ea59.shtml
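The checks Michal is describing are the RFC 6960 rules for a delegated OCSP responder, and they are easy to get wrong when the signer certificate is hand-issued instead of coming from the "OCSP Response Signing" template. The following is an added Go example (not from this thread, from Cisco, or from the ASA code): it builds a constructed Root CA / sub-ca hierarchy with the standard library, issues four candidate "OCSP Signer" certificates, and applies the responder-acceptance rules a relying party has to pass before it trusts the in-band signer: issued by the same CA that issued the end-entity certificate, id-kp-OCSPSigning EKU present, and exempt from its own revocation check only if id-pkix-ocsp-nocheck is present. The certificate names, serials and the status strings are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 6960 section 4.2.2.2.1); a Microsoft CA displays it
// as "OCSP No Revocation Checking".
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// Illustrative status values (assumption, not ASA terminology).
const (
	ResponderTrusted  = "trusted"                   // accept, no further lookups
	ResponderNeedsRev = "revocation-check-required" // accept only after CRL/OCSP for the signer itself
	ResponderRejected = "rejected"
)

// CheckDelegatedResponder applies the RFC 6960 section 4.2.2.2 rules to a signer
// certificate found in-band in an OCSP response. issuingCA is the CA that issued
// the certificate whose status was requested. Returns a status and a reason.
func CheckDelegatedResponder(signer, issuingCA *x509.Certificate) (string, string) {
	if err := signer.CheckSignatureFrom(issuingCA); err != nil {
		return ResponderRejected, "signer not issued by the CA of the certificate under test: " + err.Error()
	}
	hasOCSPSigning := false
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			hasOCSPSigning = true
		}
	}
	if !hasOCSPSigning {
		return ResponderRejected, "signer lacks the id-kp-OCSPSigning extended key usage"
	}
	for _, ext := range signer.Extensions {
		if ext.Id.Equal(oidOCSPNoCheck) {
			return ResponderTrusted, "delegated signer carries id-pkix-ocsp-nocheck"
		}
	}
	return ResponderNeedsRev, "delegated signer lacks id-pkix-ocsp-nocheck; its own revocation status must be fetched first"
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs tmpl with parentKey (pass parent == tmpl for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	t := baseTemplate(cn, serial)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return t
}

// signerTemplate models an "OCSP Signer" certificate; the two flags reproduce
// the omissions discussed in the thread.
func signerTemplate(serial int64, withEKU, withNoCheck bool) *x509.Certificate {
	t := baseTemplate("OCSP Signer", serial)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	if withEKU {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	if withNoCheck { // extension value is an ASN.1 NULL (05 00)
		t.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}
	}
	return t
}

// Demo builds a constructed Root CA -> sub-ca chain (the shape seen in the debug
// output) and evaluates four signers against sub-ca, the user cert's issuer.
func Demo() map[string]string {
	rootKey, subKey, sigKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate("Root CA", 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	sub := issue(caTemplate("sub-ca", 2), root, &subKey.PublicKey, rootKey)
	cases := []struct {
		name string
		cert *x509.Certificate
	}{
		{"sub-ca, EKU, nocheck", issue(signerTemplate(3, true, true), sub, &sigKey.PublicKey, subKey)},
		{"sub-ca, EKU, no nocheck", issue(signerTemplate(4, true, false), sub, &sigKey.PublicKey, subKey)},
		{"root-issued signer", issue(signerTemplate(5, true, true), root, &sigKey.PublicKey, rootKey)},
		{"sub-ca, no EKU", issue(signerTemplate(6, false, true), sub, &sigKey.PublicKey, subKey)},
	}
	results := map[string]string{}
	for _, c := range cases {
		status, reason := CheckDelegatedResponder(c.cert, sub)
		results[c.name] = status
		fmt.Printf("%-26s %-26s %s\n", c.name, status, reason)
	}
	return results
}

func main() { Demo() }
```

The second case is the one the debug output above points at: the ASA can verify the signer's signature and EKU, but without id-pkix-ocsp-nocheck it has to fetch revocation status for the signer itself, and when that lookup is the same OCSP responder (or no CRL is reachable) the check fails with "OCSP Responder cert validation failed". The third case is the other thing Michal asks to confirm: a signer issued by a CA other than the one that issued the user certificate is not a valid delegated responder for that certificate.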

jintao99
Level 1

Hi
