3634 Views 3 Replies Latest reply: Dec 10, 2012 5:50 AM by heikis
AnyConnect VPN - client certificate validation failure, ASA.

Dec 7, 2012 12:46 AM

heikis 36 posts since
Oct 25, 2012

I have remote VPN set up on ASA 5505 9.0(1), device manager 7.0(2).

Client authentication is set up on certificates only, smart card based.

Both the root CA and intermediate CA certificates have been installed on the ASA. Client cert, intermediate cert and root cert are all in the chain.

However, when dialing the VPN the client gets an error in AnyConnect: Certificate Validation Failure.

ASDM validates the intermediate CA cert, but fails at validating the client cert:

PIC http://www.upload.ee/image/2886875/asdmlogfail.gif

Note that where the error occurs, on a successful authentication there would instead be a record of the client certificate's credentials (when not authenticating with a smart card).

Looking at the ASA debug output, everything goes smoothly until a weird error pops up:


CRYPTO_PKI(make trustedCerts list)
CRYPTO_PKI: Found suitable tp
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Failed, status: 1823
CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1823
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate not validated

CRYPTO_PKI: Invalid cert.


Error 1823 doesn't take me anywhere on Google. CRL checking is disabled; all certs are valid. If you need to see the full log then I can give it.

thanks!
