Can't connect sslvpn to ASA after adding ssl licenses

  • Can't connect sslvpn to ASA after adding ssl licenses

    I have an ASA 5510 version 8.2 and set up the Anyconnect SSLVPN which has been working fine. I just purchased and installed the key to open up 10 SSL licenses instead of the 2 that came with it. Now, when a person tries to connect with their Win7 PC they get an error that says:

    "Warning: The following Certificate received from the Server could not be verified:"

    After the message there is nothing else in the window but an "Accept" and "Disconnect" button. If I click on Accept the same message keeps popping up.

    I can successfully connect with an XP client, this is only happening with Win7.

    I am no router expert and would really appreciate any help from anyone who has experienced this issue.

    Many thanks!

  • #2
    Re: Can't connect sslvpn to ASA after adding ssl licenses

    Are you connecting via clientless or client based? Did you generate a self signed certificate and associated trust point? Are you using a trusted certificate or are you using the ASA default certificate and trustpoint?

    If using clientless then what browsers are you using? Are the Windows 7 machines 64-bit?


    Post a show version
    Last edited by auglan; 24th August 2012, 18:53.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Can't connect sslvpn to ASA after adding ssl licenses

      I am using an AnyConnect connection. I have never issued any type of certificate, just used the defaults for everything.

      This seems to be a Win7 issue. XP is working the way it always has. I can't even browse to the ASA using https:// on a Win7 PC like I can with XP. I used to be able to before I installed the license. Now I get a 'page can't be displayed' error. I added the site to the trusted sites and it still doesn't work.



      • #4
        Re: Can't connect sslvpn to ASA after adding ssl licenses

        If you never set up a self-signed certificate then it's using the system-generated certificate. When the ASA reboots it re-creates a temp certificate to use. This can cause issues, as with each reboot a new certificate is generated. I would at least generate your own self-signed cert.


        Create your rsa key-pair


        (config)#crypto key generate rsa label SSLKEYS

        Configure your trustpoint

        (config)#crypto ca trustpoint SSLTRUST
        (config-ca-trustpoint)#enrollment self
        (config-ca-trustpoint)#fqdn sslvpn.mycompany.com
        (config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
        (config-ca-trustpoint)#keypair SSLKEYS
        (config-ca-trustpoint)#crypto ca enroll SSLTRUST noconfirm

        Apply trustpoint to your interface


        (config)# ssl trust-point SSLTRUST outside

        When done I would also reboot the ASA
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Can't connect sslvpn to ASA after adding ssl licenses

          Ahhhh!! Totally makes sense because I had to reboot the ASA after I installed the license.

          Thanks so much! I will give this a try.



          • #6
            Re: Can't connect sslvpn to ASA after adding ssl licenses

            Don't forget to save your config before rebooting.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Can't connect sslvpn to ASA after adding ssl licenses

              lol. That's one thing I always remember to do!

              Thanks again.



              • #8
                Re: Can't connect sslvpn to ASA after adding ssl licenses

                If this doesn't fix the issue then at least you rule the certificate out.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Can't connect sslvpn to ASA after adding ssl licenses

                  I did all the steps using ASDM and when I select the certificate under the SSL Settings and apply I get the error 'The 3DES/AES algorithms require a VPN-3DES-AES activation key.' Is this something to be concerned about?

                  I still tried to access the site with my Win7 computer and have the same error. Also, I didn't restart the ASA. Won't be able to do that until tonight.

                  Your thoughts?



                  • #10
                    Re: Can't connect sslvpn to ASA after adding ssl licenses

                    Hmm, sounds like you don't have a 3DES-AES license on the ASA. You can get one for free from Cisco. Just have to apply for it and they send you the key via email.

                    You do need a Cisco login (free) but you don't need a support contract. Just google "free 3des aes license cisco".
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: Can't connect sslvpn to ASA after adding ssl licenses

                      I checked the ASA and the license for 3DES-AES was disabled. I got the key and installed it and once again can connect to the VPN (with the certificate warnings). This is without any of the certification changes I tried (I didn't save them to the startup config and restarted the ASA over the weekend).

                      So now, if I set up the certification information again, I assume the certification warnings I get when connecting the VPN will go away?

                      I have another question. My ASA came with 250 vpn peers, and 2 ssl vpn peers. I had people that could not connect and when I checked there were already 2 people connected via ssl. So both anyconnect and clientless vpn use ssl? What type of connection uses the 250 vpn peers?



                      • #12
                        Re: Can't connect sslvpn to ASA after adding ssl licenses

                        The certificate warnings you were getting should go away. The users may still get a warning that the certificate could not be verified, which is normal as it's a self-signed cert and not from a trusted CA. The 250 VPN peers are for IPsec VPNs. Yes, the AnyConnect client and/or the clientless use SSL.
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)
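
Added example (not part of the original thread and not any poster's or Cisco's code): a Python check over saved `show version` text that flags the two license conditions this thread ran into, a disabled VPN-3DES-AES feature and an SSL VPN peer count below the number of users. The sample output is constructed, its line labels are an assumption about the licensed-features listing, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the licensed-features section of ASA
# "show version"; line labels are assumed, values follow the thread.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
VPN-DES                        : Enabled
VPN-3DES-AES                   : Disabled
SSL VPN Peers                  : 10
Total VPN Peers                : 250
"""

FEATURE_LINE = re.compile(r"^\s*(\S.*?)\s+:\s+(\S.*?)\s*$")


def parse_licensed_features(text):
    """Return {feature: value} for each 'Name   : Value' line."""
    features = {}
    for line in text.splitlines():
        match = FEATURE_LINE.match(line)
        if match:
            features[match.group(1)] = match.group(2)
    return features


def audit_ssl_vpn_licensing(text, ssl_users_needed):
    """Return (code, detail) findings that would block AnyConnect/clientless users."""
    feats = parse_licensed_features(text)
    findings = []

    # 3DES/AES ciphers need the separate VPN-3DES-AES activation key.
    strong = feats.get("VPN-3DES-AES", "missing").split()[0]
    if strong.lower() != "enabled":
        findings.append(("NO_3DES_AES", "VPN-3DES-AES is %s" % strong))

    # AnyConnect and clientless sessions both draw from the SSL VPN peer
    # count; the larger total peer count covers IPsec.
    peers = feats.get("SSL VPN Peers", "").split()
    if not peers or not peers[0].isdigit():
        findings.append(("SSL_PEERS_UNKNOWN", "SSL VPN Peers line not found"))
    elif int(peers[0]) < ssl_users_needed:
        findings.append(("SSL_PEERS_LOW",
                         "%s licensed, %d needed" % (peers[0], ssl_users_needed)))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ssl_vpn_licensing(SAMPLE_SHOW_VERSION, 10):
        print(code, detail)
```

Running it against the licensed-features text saved before and after installing an activation key shows whether a feature was switched off by the change.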



                        • #13
                          Re: Can't connect sslvpn to ASA after adding ssl licenses

                          Gotcha. Thanks for educating me on this. I appreciate your time and help with this.

                          Take care!
