certificate validation failure что делать
Certificate validation failure что делать
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)100
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is «disk0:/asa914-k8.bin»
Config file at boot was «startup-config»
CSSIasa up 23 hours 59 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is e8b7.4862.4c44, irq 11
1: Ext: Ethernet0/0 : address is e8b7.4862.4c3c, irq 255
2: Ext: Ethernet0/1 : address is e8b7.4862.4c3d, irq 255
3: Ext: Ethernet0/2 : address is e8b7.4862.4c3e, irq 255
4: Ext: Ethernet0/3 : address is e8b7.4862.4c3f, irq 255
5: Ext: Ethernet0/4 : address is e8b7.4862.4c40, irq 255
6: Ext: Ethernet0/5 : address is e8b7.4862.4c41, irq 255
7: Ext: Ethernet0/6 : address is e8b7.4862.4c42, irq 255
8: Ext: Ethernet0/7 : address is e8b7.4862.4c43, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Configuration register is 0x1
Configuration last modified by michail at 13:16:22.378 AQTST Thu Mar 13 2014
>[оверквотинг удален]
> perpetual
> Intercompany Media Engine :
> Disabled perpetual
> Cluster
>
> : Disabled
> perpetual
> This platform has an ASA 5505 Security Plus license.
> Configuration register is 0x1
> Configuration last modified by michail at 13:16:22.378 AQTST Thu Mar 13 2014
show ssl
show run | i aaa
show run | i http
> show ssl
> show run | i aaa
> show run | i http
# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null
-sha1
SSL trust-points:
inside interface: ASDM_TrustPoint1
outside interface: ASDM_TrustPoint1
Certificate authentication is not enabled
# show run | i aaa
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
706555fe 2181c948 39e7029f ce1aaafd a02f86fe b7080ce4 4d52bec2 f9708918
show run | i http
service tcp source range 1 65535 destination eq https
service-object tcp destination eq https
port-object eq https
access-list inside3_access_in extended permit tcp any4 any4 eq https
access-list inside_access_in extended permit tcp any4 any4 eq https
access-list inside2_access_in extended permit tcp any4 any4 eq https
http server enable
http inside 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
inspect http
inspect http
inspect http
inspect http
policy-map type inspect http HTTP
inspect http
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination transport-method http
>[оверквотинг удален]
> http 192.168.0.0 255.255.0.0 inside
> policy-map type inspect http HTTP
> destination transport-method http
Попробуйте ввести в консоли:
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
после этого перезайти в гуй
если все останется как и было нерабочим, еще попробуйте аутентификацию явно описать в ааа
aaa authentication http console LOCAL
> Попробуйте ввести в консоли:
> ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
> после этого перезайти в гуй
> если все останется как и было нерабочим, еще попробуйте аутентификацию явно описать
> в ааа
> aaa authentication http console LOCAL
Попробовал. Не помогло.
!
ASA Version 9.1(4)
!
hostname Casa
enable password aqjzvvoiREj/BYK4 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.12.0 inside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.58.104.162 255.255.255.252
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone AQTST 4
clock summer-time AQTDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 83.149.22.14
name-server 8.8.8.8
name-server 83.149.16.129
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.12.248_29 NETWORK_OBJ_192.168.12.248_29 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.58.104.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http inside 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=Casa
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 4e0e9351
308201cb 30820134 a0030201 0202044e 0e935130 0d06092a 864886f7 0d010105
0500302a 3110300e 06035504 03130743 53534961 73613116 30140609 2a864886
f70d0109 02160743 53534961 7361301e 170d3133 30353135 30353337 35365a17
0d323330 35313330 35333735 365a302a 3110300e 06035504 03130743 53534961
73613116 30140609 2a864886 f70d0109 02160743 53534961 73613081 9f300d06
092a8648 86f70d01 01010500 03818d00 30818902 818100eb c356d490 b98de2b6
64079531 4a5aeb04 65aa4398 9fe21a04 f3f0f171 56618230 a3730a54 1e0f9dc9
e1dece35 9f920887 5253ff08 1d20474f b6180162 516d9fa7 09115d83 fdeb5c3a
500f69c5 9654f724 c097d735 16365aa4 de1fc705 6ba9f4e7 f926f2bc 18a52aa3
e711228b 7f44b8e9 7ea9f494 2f368a73 9f07f1af 6467ab02 03010001 300d0609
2a864886 f70d0101 05050003 81810027 70ebc69f 95f3455a 39fbbc94 773638d4
c8c9342c ea46c62e c27844d7 3a5c17b6 65df25e6 4d46aba8 7b72d5f6 9a181453
edffd2b7 a5ec77ff 701711f7 b52cab04 a683204e 9b1f6b7d 3abaddcb 12659ed3
b296c73a 36205918 2b837c64 f9522e96 da556d53 cb1aee33 6d9527b1 92205f59
387dc6c1 74766bb6 821b33c4 454fef
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
telnet inside 255.255.255.0 inside
telnet timeout 5
ssh inside 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access inside
dhcpd address 192.168.12.5-192.168.12.22 inside
dhcpd dns 83.149.22.14 8.8.8.8 interface inside
dhcpd lease 1048575 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter ambiguous-is-black
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 outside
>[оверквотинг удален]
> dhcpd dns 83.149.22.14 8.8.8.8 interface inside
> dhcpd lease 1048575 interface inside
> dhcpd enable inside
> threat-detection basic-threat
> threat-detection statistics access-list
> threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate
> 200
> dynamic-filter ambiguous-is-black
> ssl trust-point ASDM_TrustPoint1 inside
> ssl trust-point ASDM_TrustPoint1 outside
А если занулить и снова сгенерировать rsa?
> А если занулить и снова сгенерировать rsa?
# debug http 255
INFO: ‘logging debug-trace’ is enabled. All debug messages are currently being r
edirected to syslog:711001 and will not appear in any monitor session
debug http enabled at level 255.
# debug asdm history 255
INFO: ‘logging debug-trace’ is enabled. All debug messages are currently being r
edirected to syslog:711001 and will not appear in any monitor session
debug asdm history enabled at level 255
# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 outside
ssl certificate-authentication fca-timeout 2
>[оверквотинг удален]
> INFO: ‘logging debug-trace’ is enabled. All debug messages are currently being r
> edirected to syslog:711001 and will not appear in any monitor session
> debug asdm history enabled at level 255
> # sh run all ssl
> ssl server-version any
> ssl client-version any
> ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
> ssl trust-point ASDM_TrustPoint1 inside
> ssl trust-point ASDM_TrustPoint1 outside
> ssl certificate-authentication fca-timeout 2
интересно что покажет этот дебаг при попытке зайти на гуй асы. и выключите debug-trace:
no logging debug-trace
logging console info (или logging console debug) >> если в консоли
logging monitor info (или logging monitor debug) >> если по телнету
deb http 225
и попробуйте снова зайти в asdm
> интересно что покажет этот дебаг при попытке зайти на гуй асы.
Самому интересно. Но теперь уже до понедельника. Спасибо за участие!
>> интересно что покажет этот дебаг при попытке зайти на гуй асы.
> Самому интересно. Но теперь уже до понедельника. Спасибо за участие!
> интересно что покажет этот дебаг при попытке зайти на гуй асы. и
> выключите debug-trace:
> no logging debug-trace
> logging console info (или logging console debug) >> если в консоли
> logging monitor info (или logging monitor debug) >> если по телнету
> deb http 225
> и попробуйте снова зайти в asdm
Сегодня попал на работу таки.
проделал
# deb http 225
debug http enabled at level 225
>[оверквотинг удален]
>> no logging debug-trace
>> logging console info (или logging console debug) >> если в консоли
>> logging monitor info (или logging monitor debug) >> если по телнету
>> deb http 225
>> и попробуйте снова зайти в asdm
> Сегодня попал на работу таки.
> проделал
> # deb http 225
> debug http enabled at level 225
> Ничего не изменилось
Certificate validation failure что делать
Recently updated a ASA 5505. Now running into ASDM certificate validation failure. Also browser returns 401 unauthorized.
After some troubleshooting I determined that » no http authentication-certificate inside» would allow ASDM to function correctly.
Have another ASA self signed cert on outside which is functioning fine for anyconnect SSL/IPsec VPN.
ASA843 and ASDM-674 did not experience this behavior.
I’m not understanding the command » no http authentication-certificate inside» or ASDM certificate authentication itself.
Will ASA self signed cert not work if this command enabled?
Appreciate any help. Thank you.
Java 1.7.0_45 with ASDM certificated added
Certificate also added to win7 trusted root
boot system disk0:/asa916-k8.bin
asdm image disk0:/asdm-731-101.bin
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable *****
http server idle-timeout 60
http ***** 255.255.255.255 inside
http ******* 255.255.255.0 inside
crypto ca trustpoint ANYCONNECT
enrollment self
subject-name CN=Here
keypair ANYCONNECT
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=(*ASA INSIDE IP*)
keypair ASDM
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ANYCONNECT
certificate ******
******
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate ******
******
quit
ssl encryption aes256-sha1 aes128-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ANYCONNECT outside
Certificate validation failure что делать
This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.
Answered by:
Question
Is this issue related to AD. or what is the possible cause for this?
Answers
I would start by digging further into the Group Policy Object that is supposed to be pushing the certificates out. Does everything look like it’s configure properly?(https://blogs.technet.microsoft.com/yungchou/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2/)
If it’s just a small set of machines aren’t getting the certificates, is there anything in common with those machines or users? Are they in the same Active Directory OU? Are they getting other group policies? Try to figure out what makes these particular users/machines different.
All replies
Is the certificate added to the Trust Store?
The following link will be helpful:
Further, kindly check if the certificate is not expired.
Certificate is not expired, i believe its gets pushed to the clients automitically from server.
How should i proceed further
Kindly post your query here:
According to your description, I think you may meet with this condition.
If so, I find out a similar case, maybe can give you some prompt.
Also, I suggest to contact Cisco support for help, I browse their community, many users faced same error message like you, they may give you more suitable suggestions.
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
I got more info on this
PKI CA server is configured with the default ADCS templates & integrated with AD, further then the certificates are pushed off to the users based on the templates by AD.
Now if the certificates are not pushed to the user, what should i check?
I would start by digging further into the Group Policy Object that is supposed to be pushing the certificates out. Does everything look like it’s configure properly?(https://blogs.technet.microsoft.com/yungchou/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2/)
If it’s just a small set of machines aren’t getting the certificates, is there anything in common with those machines or users? Are they in the same Active Directory OU? Are they getting other group policies? Try to figure out what makes these particular users/machines different.
This helped me a lot to understand the concept.
as of now we have only couple of machine in different OU facing the issue.
will investigate further and update you.
If it’s just a couple of machines, it’s possible that something is wrong with those machines themselves, and perhaps not your Certificate Services or Group Policy. If you look in the Event Viewer on the problem machines, see if they are processing *any* group policies at all. And see if any other errors are popping up in the Event Viewer.
Machines that have had malware in the past may exhibit strange behavior. So make sure to run a virus scan on any problem machines and make sure they are clean. Sometimes, you just have to rebuild a machine, because who knows what it’s been through in the past that is making it abnormal today.
Came across the same issue a few days back and found what was actually causing this error.
The reason validation fails is because the ASA certificate has only All issuance policies, but no Application polices and marking the above two as critical in the client’s certificate will change it to a type that is not considered valid by the ASA certificate.
Certificate validation failure что делать
I have an anyconnect account set up using version 3.0.5080 and connecting to an ASA 5510 base 8.2(2)17. We are using certificates for authentication. If I try and use the account on a windows machine it all works fine.
However on a mac running Lion if I try and connect via a web browser or already have the anyconnect client loaded and try to connect I always get “certificate Validation Failure”. I double checked the certificate was correct and am sure that is correct as it is the same certificate on the Windows and the mac. After searching online I have also tried editing the anyconnect profile to so it is set “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and “/opt/.cisco/certificates” folders.
After further testing, if I change the anyconnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect, change it back to “authentication certificate” I can connect fine the first time, but all the following subsequent efforts I make fail. If I repeat this process this happens each time, I can connect the first time but after that it fails with the same “certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.
This leads me to believe that my configuration is correct and it is some bug in the anyconnect client or the ASA image. I have had a look through bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2. Does anyone have any recommendations of anything else I can try to fix the problem.