Cisco VPN :: AnyConnect 2.5.2019 - SSL Certificate Mismatch

Sep 6, 2011

When I'm trying to connect using stand-alone AnyConnect (not through the web), I get the SSL error message "The certificate you are viewing does not match the name of the site you are trying to view" (attached).

The certificate I installed for the SSL connection on the outside interface has Subject CN=testvpn.mydomain and Subject Alternative Name (SAN) --> DNS Name = testvpn.mydomain

It seems to me that instead of connecting to testvpn.mydomain, AnyConnect tries to connect to its IP address. I did try to remove the IP address in the Server List in the profile, but it still doesn't work.

If I'm using Clientless (through the browser), I don't receive this error, which means the certificates are installed correctly.

Is that a bug in AnyConnect 2.5.2019, or are there other ways to force AnyConnect to check the name instead of the IP against the certificate?

View 4 Replies


Cisco VPN :: ASA 8.2(2) - Upgrade AnyConnect Client To 2.5.2019?

Apr 16, 2013

I have noticed that the error "unable to process response from x.x.x.x" when using AnyConnect is very common and that the actions to handle it are different. Right now I have the same issue. Let's name it "the message" =)
 
We are running:
ASA 8.2(2) . AnyConnect 2.5.1025
 
In my scenario, we used to be able to connect to the ASA using AnyConnect but suddenly it stopped working, showing "the message" =) We did this procedure, but it did not work for us

[URL]...

My first question would be:
How can I obtain more information so I can get a better idea to handle "the message"?

The next step I am about to do is upgrade the AnyConnect Client to 2.5.2019. According to the release notes, this version is supported with ASA 8.2(22)

I also notice that the AnyConnect client can be installed with a component named Cisco Diagnostic and Reporting Tool (DART). Could this tool be useful to troubleshoot "the message"? What kind of information can DART give us? Where can I find the files it captures?

View 6 Replies View Related

Cisco VPN :: 2019 - Unable To Connect AnyConnect With Windows 8

Jan 16, 2013

One of my clients just installed Windows 8 and he is not able to connect with AnyConnect anymore. If he connects to the ASA with AnyConnect version 2019 it works fine. But I have tried all different versions on the router. When the user tries to connect to the router with AnyConnect there is a gateway error. It asks to connect anyway, then it stops: connection failed. I tried 00605.. AnyConnect on the router but still no luck. I think I have to make some changes, but I don't know what changes on the router. Windows 7 has no issue.

View 1 Replies View Related

Cisco VPN :: Anyconnect 3.1 Certificate Authentication

Dec 20, 2012

I am doing a proof of concept with AnyConnect and certificate authentication. With 3.0 I was able to do this with a certificate from my CA and a client cert on a smartcard. I have upgraded to 3.1 and now it doesn't work anymore (I need 3.1 and ASA 9.0 because of IPv6 split-tunneling). Reading the forum I got some info that the ASA cert must have an EKU value of 'Server Authentication' and the client cert must have a similar EKU (Client Auth)

View 4 Replies View Related

Cisco VPN :: Asa 5510 AnyConnect And VPN Clients Using Same Certificate

Dec 2, 2011

Can anyconnect clients and cisco vpn ikev1-2 clients use the same certificate on an ASA 5510 ?

View 4 Replies View Related

Cisco VPN :: ASA 5580 - Anyconnect Certificate Failover

Apr 28, 2013

I have a strange issue with certificate-based authentication in AnyConnect. We have an ASA with two internet links; both have a CA-authenticated cert for AnyConnect VPNs. We also have an AnyConnect client profile. When we simulate a link failure on the ASA, AnyConnect should automatically attempt a re-connect to the backup server list in its configuration (which is the other interface on the ASA 5580), which it does, but we get a certificate trust error.

View 3 Replies View Related

Cisco VPN :: ASA 5520 Anyconnect Certificate For PC / Laptop

Mar 26, 2012

We currently are using the AnyConnect client using certificates for authentication (ASA 5520 v8.4). It works pretty well but I can only get it to work on a per-profile basis on the clients' laptops. We are running Windows 7 and if multiple users need VPN I have to install the certificate for each user. I have changed the XML profile to read the certificate store as "all" and set certificate store override to true. I am installing the certificate in the trusted root certificate store. Is there a way for AnyConnect to authenticate for all profiles (users) on the laptop?

View 0 Replies View Related

Cisco VPN :: 1841 / AnyConnect Invalid Certificate

Feb 7, 2013

I am having some problems with my AnyConnect configuration. I have configured AnyConnect (ssl vpn / webvpn) on my Cisco 1841 router, and I can access it from a web browser and start the tunnel. Then AnyConnect starts up and then the problem comes, because when AnyConnect is trying to connect it comes up with an error saying "The certificate on the secure gateway is invalid".
 
I have read almost all of the threads in here about the problem also tried to make a new certificate, but nothing is working?
 
BTW: I am using self-signed certificate?

View 5 Replies View Related

Cisco VPN :: ASA 5520 / Adding Certificate For AnyConnect WebVPN?

May 28, 2012

I am setting up Clientless Anyconnect on ASA 5520.  I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error.  FYI I have the Primary Cert Authority Installed already?

View 1 Replies View Related

Cisco VPN :: ASA5510 / AnyConnect 3.1 Untrusted Certificate Error?

Oct 25, 2012

I just upgraded our AnyConnect package on our ASA5510 from 3.06xxx to 3.1. When I tried to log in to the website to automatically install the client, it showed me a big error saying the certificate is untrusted and I have to explicitly accept it. After accepting it, I had to restart the installation. Is there a way to disable this strict certificate trust setting? We don't have a valid SSLVPN certificate yet, but this big error will confuse end users.

View 8 Replies View Related

Cisco VPN :: ASA5520 Anyconnect Replacing Identity Certificate

Aug 19, 2012

We currently have a remote access ASA set up using AnyConnect with a self-signed certificate, and several users in the certificate database, as we are using RADIUS and certificates for authentication.

I want to purchase and obtain a trusted CA-signed certificate (such as Verisign) and replace the current self-signed cert.

My question is: will I have to reset the current CA server of the ASA and replace the certificate user database, i.e. start from scratch?

View 2 Replies View Related

Cisco VPN :: ASA 5540 AnyConnect Client Certificate Authentication

Jan 22, 2012

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License. The clients are using a machine certificate to authenticate to the ASA. This works fine. Now I want to set up a DAP to verify the client against the Microsoft AD using LDAP. I configured the LDAP server in the ASA, see:

     aaa-server LDAP protocol ldap
     aaa-server LDAP (inside) host ldap.com
      ldap-base-dn DC=x,DC=x,DC=x,DC=com
      ldap-scope subtree
      ldap-login-password *****
      ldap-login-dn *****
      server-type microsoft

I can see that it works if I test the server via the test button in ASDM, and I see it in the CLI with "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember, I cannot see any request to the LDAP server while I try to connect with the client, and the DAP doesn't match.

View 2 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up VPN with ASA 8.2(5) and AnyConnect 3.0.4235. The goal is to force users to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by our own CA. The certificate is installed in the machine store. I use double authentication (aaa & certificates). Everything works fine: AnyConnect browses the cert store, the ASA validates the machine certificate, then the user is prompted for username/password and finally, if all is correct, the connection is established.

My problem is that for a new installation (new host), AnyConnect fails at the first connection attempt. If I use aaa authentication only, the connection is established, but if I use aaa & certificates, the connection fails. The appropriate .xml profile is predeployed on the client host, as well as the machine and root certificates.

Important: once the first try (aaa auth) has succeeded, the others are always OK (with aaa, certificate or aaa & certificate authentication). Only the first one fails. The goal is to successfully establish a connection with aaa & cert.
 
With DART i get:
******************************************
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

[code]....
 
The certificate is valid for sure and, as I mentioned before, if I first use aaa only, the second try is OK. On the ASA with debug crypto ca 255 I can't see any certificate from the client.

View 3 Replies View Related

Cisco VPN :: 5510 - Certificate Validation Failure With AnyConnect Only On MAC

Apr 2, 2012

I have an AnyConnect account set up using version 3.0.5080 and connecting to an ASA 5510 base 8.2(2)17. We are using certificates for authentication. If I try to use the account on a Windows machine it all works fine.

However, on a Mac running Lion, if I try to connect via a web browser, or already have the AnyConnect client loaded and try to connect, I always get “certificate Validation Failure”. I double-checked the certificate and am sure that it is correct, as it is the same certificate on the Windows machine and the Mac. After searching online I have also tried editing the AnyConnect profile so it is set to “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and “/opt/.cisco/certificates” folders.
 
After further testing, if I change the anyconnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect, change it back to “authentication certificate” I can connect fine the first time, but all the following subsequent efforts I make fail. If I repeat this process this happens each time, I can connect the first time but after that it fails with the same “certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.
 
This leads me to believe that my configuration is correct and it is some bug in the anyconnect client or the ASA image. I have had a look through bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2.

View 1 Replies View Related

Cisco VPN :: 5505 Certificate Only Authentication Method With AnyConnect

Jul 7, 2011

Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect VPN? I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone. I currently have the AnyConnect client connecting OK using username / password for authentication.
 
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.

View 1 Replies View Related

Cisco VPN :: 5540 AnyConnect Client Certificate Authentication

Jul 13, 2011

I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License. The clients are using a machine certificate to authenticate to the ASA. This works fine.

Now I want to set up a DAP to verify the client against the Microsoft AD using LDAP. I configured the LDAP server in the ASA, see: [code] I can see that it works if I test the server via the test button in ASDM, and I see it in the CLI with "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member, I cannot see any request to the LDAP server while I try to connect with the client, and the DAP doesn't match.

View 3 Replies View Related

Cisco VPN :: ASA 8.4.5 - AnyConnect Web Install Getting Certificate Validation Failure

Mar 21, 2013

I have an ASA (8.4.5) configured with a connection profile that does AAA and certificate authentication. Once I have AnyConnect 3.1 on a Windows XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download, then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC. Why is this not working?

View 3 Replies View Related

Cisco VPN :: ASA 5510 Anyconnect Client And Local Authority Certificate

Sep 20, 2011

ASA 5510 configuration for Cisco AnyConnect VPN client. Currently the ASA is configured for self-signed certificate access through AnyConnect SSL VPN. So the cert is being generated with every connection (to my understanding; I haven't found any identity certificate in the current configuration, at least in ASDM). Now I need to use a certificate from the local Windows CA that we have at the office, i.e. the self-signed certs should be replaced with one issued by our local office authority.
 
1. Generated new rsa key pair on the ASA
2. Generated CSR from identity certificates
3. Applied CSR to the windows CA and generated the certificate
 
Now I need to understand what is going to happen after I install this certificate in the ASA's identity certificates and apply it to the outside interface. Is there anything to be done on the users' side to use the new certificate? Do they need to download and install the root certificate from the same CA? Do I need to have the root certificate installed on the ASA, or is the identity certificate enough?

View 1 Replies View Related

Cisco VPN :: 5520 - Disabling Automatic Certificate Selection But AnyConnect Selecting Automatically?

Apr 17, 2013

I have AnyConnect version 3.1.03103, Windows 7 & 8 and an ASA 5520 (8.4). I have gone through a lot of work to solve this issue but it is not happening. On clientless SSL VPN it prompts me for manual certificate selection, but on the AnyConnect client it does not. The profile configuration is shown below. In the highlighted line below I have changed UserControllable="true", still no results.
  
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xsi:schemaLocation="[URL]" xmlns:xsi="[URL]" xmlns="[URL]">
<ClientInitialization>
[Code]....

View 0 Replies View Related

Cisco AAA/Identity/Nac :: %ASA-3-717009 / Certificate Validation Failed / Certificate Date Is Out-of-range

Jan 30, 2012

There is an ASA with remote access VPN, and users are authenticated using third-party signed certificates (the CA is not local to the ASA). When a user certificate expires I can see it in syslog messages. For example:
 
     %ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
 
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.1 Don't Have Certificate Authority Certificate Anymore?

Oct 19, 2012

I am working on ISE 1.1.1; surprisingly, I couldn't find the certificate authority certificate under certificate operations anymore.

Would it be a change in the GUI? So now where can I import the CA certificate to ISE?

View 5 Replies View Related

Security Key Mismatch

Dec 14, 2012

I have a 2wire router and can currently only connect to the internet with an ethernet cable. I've screwed my settings up trying to install my new router (WHOLE 'nother post lol!) Anyway, it's not taking my Security Key... that I think is the right one. If I enter a different one it doesn't say incorrect, but it says possible security key mismatch or something like that.

View 1 Replies View Related

Cisco Application :: ACE 4710 - MSS Mismatch

Dec 5, 2011

I'm receiving a lot of these messages in a ACE4710 cluster. 192.168.100.1:80 is the VIP, 193.126.127.28:56380 is the client. Already tried to set the mss with this:
 
parameter-map type connection my map
 set tcp mss min 0 max 1380
 
policy-map multi-match L4_policymap
class vip_PRDWEB_http
loadbalance vip inservice
[code].....
 
But it doesn't work.

View 4 Replies View Related

Network Security Key Mismatch

Oct 24, 2011

I am trying to access the internet (Plusnet) using a laptop, via a wireless computer. All that appears on the laptop screen is "network security key mismatch". What is a security key?

View 1 Replies View Related

Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary.   Here are the log messages I got:
 
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor 164.72.178.28 UP on interface Vlan150 (vrf default)
Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 164.72.178.28 on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.28 (Vlan150) is up: new adjacency
Mar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is up: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is down: K-value mismatch
 
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
 
What causes a K-value mismatch, and how do I rectify the situation?

View 1 Replies View Related

Cisco :: LAG From N7k To 5508 Getting Duplex Mismatch Errors

Jun 2, 2012

Seen Duplex MisMatch errors on a N7k with a LAG going to the 5508 WLC?  WLC code is 7.0.203.0. I found a BUG that is private to Cisco ( CSCth11041 ) that looks like it, but I want to make sure.

View 1 Replies View Related

Cisco :: 6513 - LMS 4.0.1 Link Duplex Mismatch

Sep 18, 2012

In LMS I have a 6513 with several SX 1000 interfaces set up for EtherChannel to a Catalyst 3750.

Both sides are set for auto duplex but LMS reports that there is a link duplex mismatch. We just installed the latest patches for LMS 4.0.1

View 1 Replies View Related

Cisco Wireless :: WLC 5508 RF Grouping Mismatch?

Aug 18, 2011

I have a customer with two WLC 5508s running 7.0.116.0. When I look at the RF Grouping I see both controllers in the 802.11b/g/n section (802.11b>RRM>RF Grouping). However, when I check the 802.11a/n RF Grouping, I only see one controller. Both are in Group Mode = Auto.
 
I also made sure they had the same NDP settings, and they are both in Transparent mode.
 
Default 802.11a AP monitoring
  802.11a Monitor Mode........................... enable
  802.11a Monitor Mode for Mesh AP Backhaul...... disable
  802.11a Monitor Channels....................... Country channels
  802.11a RRM Neighbor Discover Type............. Transparent
  802.11a AP Coverage Interval................... 180 seconds

[code]....

View 3 Replies View Related

Network Security Key Mismatch Error

Feb 5, 2013

I still get the "security key mismatch error" for my school and home wifi. I know the passwords I'm using are correct. I also have the fake "Intel(R) Centrino(R) Wireless-N 6150" in my Device Manager. This does not have a driver, nor can Device Manager find one. I recently noticed that there are 8 Virtual Wifi Miniport Adapters. What are these and why do they exist?

View 5 Replies View Related

Cisco WAN :: IOS 12.4 (16) / EIGRP Autonomous System Mismatch Detection?

Oct 3, 2007

Is it possible to detect the situation when two neighbour routers involved in EIGRP routing are configured by mistake with different AS numbers? I tried this situation practically. Two routers are connected together via a serial link network. One router has AS 1, the other AS 10. I try to detect the AS mismatch. First I check what EIGRP packets are coming: debug ip packet detail shows source <my neighbour IP address>, destination 224.0.0.10, IP protocol type 88. These packets are EIGRP Hello packets.

I try to go more deeply into details: debug eigrp packets. I see only ongoing EIGRP Hello packets. But I don't see any incoming packet from my neighbour (which has a different AS number). It seems that, because of the different AS number, the router silently drops the EIGRP packet. Other debug eigrp commands also don't show any info about the AS difference.

Cisco IOS 12.4 (16)

View 9 Replies View Related

Cisco Switching/Routing :: WS-6148A - Port Flapping Due To MTU Mismatch?

Jun 4, 2012

We have some legacy Cisco 6513 switches with the backbone (16-port GBIC blade) MTU set to 1500.  It has a WS-X6148A-GE-TX blade as well, MTU set to 9K.
 
Now we have a customer sending an MTU of 1546, and their copper interface terminating on the WS-6148A keeps flapping. Does the flapping have something to do with the backbone being set to 1500? We can't set the backbone to 9K at this moment since it may be intrusive (require a reboot).

View 1 Replies View Related

Cisco Wireless :: Duplex Mismatch With A AIR-LAP1042 In Bridge Mode

May 16, 2013

[code] Can't find anything wrong with the switch ports and APs that can result in a duplex mismatch. The only difference I can find is that the AP that is in all the duplex mismatch logs is used for other Mesh APs to connect to.

View 8 Replies View Related

Cisco Switching/Routing :: 2950 Cannot Seem To Correct A Duplex Mismatch

May 14, 2012

I cannot seem to correct a duplex mismatch issue. I have a Cisco 2950 switch connected to a Cisco 2621 router. I am running a per-interface VLAN. I have two FastEthernet ports and one NM-1E card installed on the router. One FastEthernet port is connected to my gateway router, the second FastEthernet port is connected to my switch for one VLAN. The NM-1E Ethernet card is being used for the second VLAN, which consists of nine IP cameras. The cameras on the VLAN are working fine, though. Now, the NM-1E card is set to half-duplex. I know that I should be using a FastEthernet module like a 1FE 2W or a 2FE 2W card (which I have), but the router does not recognize either one of these cards when they are installed, and yes, they have been confirmed as good cards.

Using a Router-on-a-Stick configuration is out due to the bandwidth contention, besides the fact that the router I am using it on will not handle this due to the flash being an older version. I have forced the switchport to half duplex, setting the speed to 10. I was getting fewer error messages at first, but they soon increased back to the frequency that they began with. I have set the switchport to duplex auto, but this failed to resolve the issue. Obviously, I cannot force the switchport into duplex full since the NM-1E interface is set to half duplex. Can the NM-1E card be configured to full duplex? I can't seem to find any documentation showing where it can be forced to full duplex mode. Could nine IP cameras just be too much for both the router and switch to handle?

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved