I have remote VPN set up on ASA 5505 9.0(1), device manager 7.0.(2).
Client authentication is set up on certificates only, smart card based.
The ASA has been installed both the root CA and intermediate CA certificates. Client cert, interme cert and root cert are all in chain.
However dialing the VPN a client gets an error on Anyconnect: Certificate Validation Failure.
ASDM validates the intermediate CA cert, but fails at validating the client cert:
Note that where the error occurs- on a successful authentication, instead of the error there would be a record about the Clients certificate's credentials (when not authenticating with a smart card).
Looking at the ASA debugging everything goes smooth until a weird error pops:
CRYPTO_PKI(make trustedCerts list)
CRYPTO_PKI: Found suitable tpCRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 220.127.116.11.18.104.22.168.2
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Failed, status: 1823CRYPTO_PKI: PKI Verify Certificate Check Cert Revocation unknown error 1823
CRYPTO_PKI: PKI Verify Certificate error. No trust point found.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.
error 1823 doesnt take me anywhere on google. CRL checking is disabled, all certs are valid. If you need to see a full log then i can give it.
solved. use asa845 image instead
Did you get a BugID from TAC or did you downgrade and found it worked? Sounds like a bug to me unless feature support changed.
I downgraded since I was out of ideas.
And now everything is working as it should.
maybe the asa911-k8.bin dated 03-dec-2012 has it fixed- i really dont have an idea
at the moment im happy with asa845.