Can’t connect sslvpn to ASA after adding ssl licenses


This topic contains 12 replies, has 3 voices, and was last updated by rcoxon 7 years, 3 months ago.

    pcsdps
    Member
    #159655

    I have an ASA 5510 version 8.2 and set up the Anyconnect SSLVPN which has been working fine. I just purchased and installed the key to open up 10 SSL licenses instead of the 2 that came with it. Now, when a person tries to connect with their Win7 PC they get an error that says:

    “Warning: The following Certificate received from the Server could not be verified:”

    After the message there is nothing else in the window but an “Accept” and “Disconnect” button. If I click on Accept the same message keeps popping up.

    I can successfully connect with an XP client, this is only happening with Win7.

    I am no router expert and would really appreciate any help from anyone who has experienced this issue.

    Many thanks!

    Anonymous
    #373374

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    Are you connecting via clientless or client based? Did you generate a self signed certificate and associated trust point? Are you using a trusted certificate or are you using the ASA default certificate and trustpoint?

    If using clientless then what browsers are you using? Are the windows 7 machines 64-bit?

    Post a show version

    rcoxon
    Member
    #375175

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    I am using an AnyConnect connection. I have never issued any type of certificate, just used the defaults for everything.

    This seems to be a Win7 issue. XP is working the way it always has. I can’t even browse to the ASA using https:// on a Win7 PC like I can with XP. I used to be able to before I installed the license. Now I get a ‘page can’t be displayed’ error. I added the site to the trusted sites and it still doesn’t work.

    Anonymous
    #373375

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    If you never set up a self-signed certificate then it's using the system-generated certificate. When the ASA reboots it re-creates a temp certificate to use. This can cause issues as with each reboot a new certificate is generated. I would at least generate your own self-signed cert.


    Create your rsa key-pair

    (config)#crypto key generate rsa label SSLKEYS

    Configure your trustpoint

    (config)#crypto ca trustpoint SSLTRUST
    (config-ca-trustpoint)#enrollment self
    (config-ca-trustpoint)#fqdn sslvpn.mycompany.com
    (config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
    (config-ca-trustpoint)#keypair SSLKEYS
    (config-ca-trustpoint)#crypto ca enroll SSLTRUST noconfirm

    Apply trustpoint to your interface

    (config)# ssl trust-point SSLTRUST outside

    When done I would also reboot the ASA
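
A client-side check for the behaviour described in this reply, as an added example that is not part of the original thread: it pins the SHA-256 fingerprint of the certificate the ASA presents and reports when that fingerprint changes, which is what a reboot causes while the system-generated certificate is in use. The function names are hypothetical, and the two sample certificates are constructed stand-ins rather than real X.509 data.

```python
import hashlib
import ssl


def fingerprint(pem):
    """SHA-256 of the DER encoding, colon-separated upper-case hex."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host, port=443):
    """Fetch whatever certificate the gateway presents, without validating it."""
    return ssl.get_server_certificate((host, port))


def check_pin(pins, host, pem):
    """Compare the presented certificate with the pin recorded for host.

    Returns 'first-seen' (pin recorded), 'match', or 'changed'. A changed
    certificate never overwrites the pin; that decision stays with the operator.
    """
    seen = fingerprint(pem)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen
        return "first-seen"
    return "match" if seen == pinned else "changed"


# Constructed stand-ins for two certificates (arbitrary bytes wrapped in PEM
# armor, not real X.509). Live use would pass fetch_pem("sslvpn.mycompany.com").
CERT_BEFORE_REBOOT = ssl.DER_cert_to_PEM_cert(b"constructed cert, before reboot")
CERT_AFTER_REBOOT = ssl.DER_cert_to_PEM_cert(b"constructed cert, after reboot")


def demo():
    """First contact, a reconnect, then a reconnect after the cert was regenerated."""
    pins = {}
    host = "sslvpn.mycompany.com"
    return [
        check_pin(pins, host, CERT_BEFORE_REBOOT),
        check_pin(pins, host, CERT_BEFORE_REBOOT),
        check_pin(pins, host, CERT_AFTER_REBOOT),
    ]


if __name__ == "__main__":
    print(demo())
```

With a persistent self-signed trustpoint saved to the startup config, the same check run before and after a reboot should keep returning `match`.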

    rcoxon
    Member
    #375176

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    Ahhhh!! Totally makes sense because I had to reboot the ASA after I installed the license.

    Thanks so much! I will give this a try.

    Anonymous
    #373376

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    Don't forget to save your config before rebooting.

    rcoxon
    Member
    #375177

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    lol. That’s one thing I always remember to do!

    Thanks again.

    Anonymous
    #373377

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    If this doesn’t fix the issue then at least you rule the certificate out.

    rcoxon
    Member
    #375178

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    I did all the steps using ASDM and when I select the certificate under the SSL Settings and apply I get the error ‘The 3DES/AES algorithms require a VPN-3DES-AES activation key.’ Is this something to be concerned about?

    I still tried to access the site with my Win7 computer and have the same error. Also I didn’t restart the ASA. Won’t be able to do that until tonight.

    Your thoughts?

    Anonymous
    #373378

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    Hmm, sounds like you don't have a 3DES-AES license on the ASA. You can get one for free from Cisco. Just have to apply for it and they send you the key via email.

    You do need a Cisco login (free) but you don’t need a support contract. Just google “free 3des aes license cisco”.

    rcoxon
    Member
    #375179

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    I checked the ASA and the license for 3DES-AES was disabled. I got the key and installed it and once again can connect to the VPN (with the certificate warnings). This is without any of the certification changes I tried (I didn’t save them to the startup config and restarted the ASA over the weekend).

    So now, if I set up the certification information again, I assume the certification warnings I get when connecting the VPN will go away?

    I have another question. My ASA came with 250 vpn peers, and 2 ssl vpn peers. I had people that could not connect and when I checked there were already 2 people connected via ssl. So both anyconnect and clientless vpn use ssl? What type of connection uses the 250 vpn peers?

    Anonymous
    #373382

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    The certificate warnings you were getting should go away. The users may still get a warning that the certificate could not be verified, which is normal as it's a self-signed cert and not from a trusted CA. The 250 VPN peers are for IPsec VPNs. Yes, the AnyConnect client and/or the clientless use SSL.

    rcoxon
    Member
    #375180

    Re: Can’t connect sslvpn to ASA after adding ssl licenses

    Gotcha. Thanks for educating me on this. I appreciate your time and help with this.

    Take care!
