ASA // certificate-handling (trustpoints)

Hi!
I have a question regarding certificate handling in the ASA (for example, when using it for AnyConnect).
I'm not talking about the internal CA here, just about handling certificates coming from an external CA.
If you configure a trustpoint on the ASA, can the trustpoint itself contain a whole hierarchy of certificates? For example, one root CA certificate, one intermediate CA certificate, and one certificate for the ASA itself, for which the ASA also holds the private key?
To me that would be logical, but I can't do it. I always have to configure a separate trustpoint for each level; in this case two: one for the certificate of the root CA, the second for the intermediate CA. The second then also holds the certificate of the ASA itself.
Is this really the "right" way to do it? I get everything to work (validation and so on) the second way, but I'm confused by the command "crypto ca certificate chain <trustpoint>", which to me indicates that it should indeed be possible to have a complete chain of certificates, a complete hierarchy so to speak, associated with this trustpoint.
The documentation didn't help me out here.
Thanks for clarification.
Florian

I will just add another snippet of information, to make it even clearer what I mean.
This is the configuration of my lab ASA. It holds 3 (three!) trustpoints, which basically all belong to the same CA (it's the free startssl.com CA).
startssl.com-root is the trustpoint holding the root certificate. startssl.com-client is one intermediate CA of startssl.com; it issues certificates for clients (for instance, I have a WebVPN user with such a certificate, who authenticates successfully against the ASA with it). startssl.com-server is another intermediate CA; this CA issues certificates for web servers. My ASA has its own certificate (for WebVPN) issued by this CA, and holds the private key for it.
crypto ca trustpoint startssl.com-root
enrollment terminal
crl configure
crypto ca trustpoint startssl.com-client
revocation-check crl
enrollment terminal
crl configure
crypto ca trustpoint startssl.com-server
enrollment terminal
crl configure
crypto ca certificate chain startssl.com-root
certificate ca 01
[hex-output omitted]
quit
crypto ca certificate chain startssl.com-client
certificate ca 0d
[hex-output omitted]
quit
crypto ca certificate chain startssl.com-server
certificate ca 0a
[hex-output omitted]
quit
certificate 017a56
[hex-output omitted] (this is the certificate of the ASA itself)
quit
For me it would make more sense to have ONE trustpoint (startssl.com), which holds the complete chain of root, the two intermediate CAs, and my own certificate.
Regards,
Florian
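The hierarchy Florian describes (root CA, intermediate CA, ASA identity certificate with its private key), rebuilt as an added OpenSSL lab script that is not part of the original thread. It shows which combination of trust anchors lets the identity certificate validate (root plus intermediate, or the intermediate alone only when explicitly trusted as a partial-chain anchor) and bundles key, certificate and chain into one PKCS12 file of the kind the ASA import expects. It assumes openssl 1.1.1 or 3.x on PATH; the names Lab Root CA, asa.example.com and labpass are constructed.

```shell
#!/bin/sh
# Added lab script (not from the original thread): build a three-level
# hierarchy root CA -> intermediate CA -> ASA identity certificate, check
# which trust anchors let the identity certificate validate, and bundle
# key + certificate + chain into one PKCS12 file. Assumes openssl 1.1.1
# or 3.x on PATH; every name (Lab Root CA, asa.example.com, labpass) is
# constructed for the lab.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed root CA: the trust anchor (Florian's startssl.com-root role).
# Extensions come from an extfile so no openssl.cnf defaults interfere.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout root.key -out root.csr -subj "/CN=Lab Root CA" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile root.ext -out root.pem >/dev/null 2>&1
}

# Intermediate CA signed by the root; pathlen:0 means it may only issue
# end-entity certificates (the startssl.com-server role).
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout int.key -out int.csr -subj "/CN=Lab Server Intermediate CA" \
    >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile int.ext -out int.pem >/dev/null 2>&1
}

# ASA identity certificate signed by the intermediate; the ASA keeps asa.key.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout asa.key -out asa.csr -subj "/CN=asa.example.com" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:asa.example.com' > asa.ext
  openssl x509 -req -in asa.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -sha256 -extfile asa.ext -out asa.pem >/dev/null 2>&1
}

# Validate asa.pem against a trust-anchor file ($1) plus an optional file of
# untrusted intermediates ($2). Prints OK or FAIL.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" asa.pem >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" asa.pem >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Same check, but accept a non-root certificate in $1 as the trust anchor
# (OpenSSL -partial_chain), i.e. trusting the intermediate directly.
verify_leaf_partial() {
  openssl verify -partial_chain -CAfile "$1" asa.pem >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# Bundle private key, identity cert and issuing chain into one PKCS12 file.
make_pkcs12() {
  cat int.pem root.pem > chain.pem
  openssl pkcs12 -export -inkey asa.key -in asa.pem -certfile chain.pem \
    -name asa.example.com -passout pass:labpass -out asa.p12
}

# Number of certificates stored in the bundle (leaf + intermediate + root = 3).
p12_cert_count() {
  openssl pkcs12 -in asa.p12 -passin pass:labpass -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_root
make_intermediate
make_leaf
make_pkcs12

echo "root anchor, no intermediate supplied:    $(verify_leaf root.pem)"
echo "root anchor + intermediate as untrusted:  $(verify_leaf root.pem int.pem)"
echo "intermediate alone as full-chain anchor:  $(verify_leaf int.pem)"
echo "intermediate alone with -partial_chain:   $(verify_leaf_partial int.pem)"
echo "certificates inside asa.p12:              $(p12_cert_count)"
```

OpenSSL 3.x writes PKCS12 with AES and PBKDF2 by default; importers that only understand the older RC2/3DES encoding need the bundle exported with its `-legacy` option.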

Similar Messages

  • Certificate handling

    I'm running into a couple of issues around iOS (or perhaps mobileSafari) certificate handling.
    I'm reasonably sure that there's a bug report or two looming, but I'd like to discuss these issues first.
    1) If you only load up a single client certificate through configuration utility as a credential, mobilesafari will send that certificate to any web site that requires a client certificate.  Most "desktop" browsers prompt the user to avoid silent personal information leakage.  Safari changed to the prompting behavior in Mac OS X 10.5.3: http://support.apple.com/kb/HT1679
    2) If you only put a client certificate in the ActiveSync page of configuration utility, then mobileSafari does not use that certificate when a web site requires a client certificate.  If you put the SAME certificate in the credentials page as well as the ActiveSync page, then mobileSafari prompts you on _every_ SSL/TLS negotiation, which of the two identical certificates to use.
    Has anyone else seen this behavior?   Before I open bugs and grab screenshots, etc, I was wondering if we're alone in seeing this behavior, or if it could be related to attributes in the certificates or...
    Thanks
    John

    Hi, you can use the DMS module if it is implemented in your system. I suppose the engine must have a unique material code in the system. You can create a DIR using CV01N and attach the certificate there, using the material as the object link.
    Anand

  • ASA certificate installation

    I am trying to install a 3rd party certificate on the ASA for remote VPN access. I created the CSR and ordered the certificate however I was unable to install it due to v.8.2(4) not supporting SHA-2. I proceeded to upgrade the ASA to v.8.2(5) which supports SHA-2. After rebooting the ASA the pending Identity Certificate information is missing. Is there a way to install the certificate without generating another CSR and having the certificate issued again?
    This topic first appeared in the Spiceworks Community

    1) Crypto trustpoint for that wildcard certificate should have "fqdn none" configured.
    2) Then you would need to import both certificate and the key-pair to the ASA if you didn't generate the CSR from this ASA. The format should be PKCS12 (you would need to use OpenSSL to combine the certificate and key-pair in PKCS12 format prior to importing it to ASA):
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2187289
    Hope that helps.

  • How to configure AnyConnect/ASA/Certificate/MS CA together

    Hello
    We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect thru ASA. Third party MDM will be used to control and provision ipads and i need to provide solution for AnyConnect VPN.
    Looking for some guidance, docs, examples, white paper that will provide info how to configure the following:
    users will connect to ASA VPN using AnyConnect; certificate issued by internal Microsoft CA and unique to each user will be used for authenticate the user. ACS will communicate with Microsoft AD to check if the user is valid AD user. Once authentication is done, user will have access to internal network.
    I am struggling to get all those pieces of the puzzle together so I can work on a solution.
    I would appreciate if someone will give me some ideas how this whole scenario will work.
    Thank you.

    Anyone from the experts out there? I am sure someone has done this before.

  • ASA Certificate Enrollment Invitation

    Hi,
    We are using our ASA as a Local CA Server to generate certificates for mobile device users and send them an email with an OTP to download and install the certificate. And we would like to know if there is a way to edit the email message body. Can you please help us?
    Thanks.
    Best regards,
    Carlos

    Hello Taro,
    Agree with Atri,
    I have not dealt with these cases, but it makes sense that you need to reset the CA server as it's basically using a different configuration set for the FQDN.
    As soon as you enable the ASA CA capability the URL will be created based on the FQDN, so as it's up and running it will not change... That's how I see it,
    Give it a try and let us know,
    I think you can only remove the CA config with
    clear config crypto ca server
    So be careful,
    Regards
    Julio

  • Cisco Unified Mobility Adv 7 - ASA certificates issue

    Dear All,
    I have Mobility Advantage 7 that i am trying to use with CUCM 7.1 and ASA.
    Now i have come to know that you must have a certificate from Verisign or Geotrust installed in the ASA in order for the mobility to work.
    Is there any other way we can make the mobility work without OR self-signed certificates???
    It's urgent and any help in this regard is highly appreciated.
    Nouman

    If I recall correctly, we did a pilot of CUMA and we did not have to have a certificate from Verisign. Since it was a pilot, the customer didn't want to pay for the cert if it wasn't going to be needed long term. So, we used a self-signed cert on the ASA. The "problem" or side-effect was that the mobile users were constantly prompted to state they trusted the cert. In a way, our hands were tied with respect to trying to make that cosmetic issue disappear. It was an all BB shop and the admin had tight controls on the BES.
    Regardless, my recollection is that we were able to get away with it but that if the customer decided to go full bore that we would need to do the Verisign cert.
    HTH.
    Regards,
    Bill
    Please remember to rate helpful posts.

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand it, I should put in my SMTP server IP address, then I have to create the local users again under (Remote VPN--Certificate management--Local certificate authority--Manage user Database) along with their email addresses to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access.
    I hope the above description paints the scenario more clearly.
    Thanks in advance for all the help and comment given.

  • Hostname and CN in ASA Certificate

    Hi Everyone,
    I issued a self-assigned certificate to the ASA.
    Now on ASDM under issued by it shows
    hostname= ciscoasa, CN=ciscoasa
    where ciscoasa is hostname of ASA.
    I need to know what CN means and what it's used for.
    regards
    Mahesh

    Hello Mahesh,
    If you configure a domain-name it will not.
    Example
    Hostname Julio
    Domain name: Cisco.com
    CN: julio.Cisco.com
    In your case you do not have a Domain name so nothing will appear
    Hope that I was clear enough

  • TLS Certificate Handling in Cluster Mode

    I have two Ironport C370 in a cluster. When I set up the inbound/outbound mail settings this is done in cluster mode and it only lets me associate one certificate to the configuration. When a session hits the machine that doesn't match the certificate name they get an error "unable to validate host name". Is it possible to set this outside of cluster mode and then re-enable? We are currently on AsyncOS version 8.0.0 build 671.
    Thanks,
    Mike

    Hi Mike,
    You might find this KB entry #1765 answers your question.
    https://ironport.custhelp.com/app/answers/detail/a_id/1765
    Basically you have to go into machine mode for each appliance but ensure you use the same certificate profile name.

  • ASA certificate import failure

    I'm stumped by an issue I'm having trying to upload the SSL certificate we just renewed.
    Importing the old [expired] .pfx in ASDM works flawlessly. Trying to do the same with the new [renewed] certificate returns 'PKCS12 Import Operation Failed'
    I'm pretty much out of ideas, any insight would be hugely appreciated.
    Any more information you need, just ask. Thanks

    Your issuing CA may have updated the root certificate (or intermediate cert) they use to sign their issued certs. I'd check for that and re-import them if that's the case. That will ensure a chain to the root.

  • EAP-PEAP Certificate Handling

    Hi All, for evaluation purposes I played with EAP-PEAP. Is there a way to check if an SSL tunnel is established between the Supplicant and the Authentication Server? What does PEAP do if the RADIUS Server certificate is not locally installed? I wonder, but it seems to work without it... Regards, Michael

    There is an option in the Microsoft Supplicant to ignore the RADIUS Server's certificate: Wireless Network Properties, Authentication, PEAP Properties, Validate Server Certificate checkbox. I am not sure what the default is, but this is what you are looking for.
    Andy

  • ASA site-site VPN error using Microsoft Digital Certificates.

    Hi,
    I configured site-site between ASA's with authentication type as RSA-SIG for Phase1. I got manual certificates from Microsoft CA Server but not able to form the tunnel. Need someones help badly on this issue.
    ASA1 Config:
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    tunnel-group 200.160.126.30 type ipsec-l2l
    tunnel-group 200.160.126.30 ipsec-attributes
    peer-id-validate cert
    trust-point CA1
    crypto map outside_map 1 match address vpn
    crypto map outside_map 1 set peer 200.160.126.30
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set trustpoint CA1
    crypto map outside_map interface outside
    access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    crypto ca trustpoint CA1
    enrollment terminal
    fqdn asa1.cisco.com
    keypair my.ca.key
    crl configure
    ASA-2 Config:
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address vpn
    crypto map outside_map 1 set peer 59.160.128.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set trustpoint CA1
    crypto map outside_map interface outside
    tunnel-group 59.160.128.50 type ipsec-l2l
    tunnel-group 59.160.128.50 ipsec-attributes
    peer-id-validate cert
    trust-point CA1
    access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    crypto ca trustpoint CA1
    enrollment terminal
    fqdn asa2.cisco.com
    keypair my.ca.key
    crl configure
    Debug Output:
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50  local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
    %ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
    %ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    %ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
    %ASA-7-609001: Built local-host outside:59.160.128.50
    %ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    %ASA-7-715047: IP = 59.160.128.50, processing SA payload
    %ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
    %ASA-7-715047: IP = 59.160.128.50, processing VID payload
    %ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
    %ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    %ASA-7-715046: IP = 59.160.128.50, constructing ke payload
    %ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
    %ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
    %ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
    %ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
    %ASA-7-715048: IP = 59.160.128.50, Send IOS VID
    %ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    %ASA-7-715046: IP = 59.160.128.50, constructing VID payload
    %ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
    %ASA-7-715047: IP = 59.160.128.50, processing ke payload
    %ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
    %ASA-7-715047: IP = 59.160.128.50, processing nonce payload
    %ASA-7-715047: IP = 59.160.128.50, processing cert request payload
    %ASA-7-715047: IP = 59.160.128.50, processing VID payload
    %ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
    %ASA-7-715047: IP = 59.160.128.50, processing VID payload
    %ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
    %ASA-7-715047: IP = 59.160.128.50, processing VID payload
    %ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    %ASA-7-715047: IP = 59.160.128.50, processing VID payload
    %ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    %ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
    %ASA-7-715046: IP = 59.160.128.50, constructing ID payload
    %ASA-7-715046: IP = 59.160.128.50, constructing cert payload
    %ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
    %ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
    %ASA-7-713906: Constructed Signature Len: 128
    %ASA-7-713906: Constructed Signature:
    %ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
    %ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-609001: Built local-host inside:172.16.1.10
    %ASA-7-609001: Built local-host outside:192.168.1.10
    %ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
    %ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
    %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
    %ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    %ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
    %ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
    %ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
    %ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
    %ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
    %ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
    %ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
    %ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
    %ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    %ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
    %ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
    Kindly suggest me for further steps.
    Regards,
    Mon

    Hi Mate,
    Your ASA is sending the ASA certificate,
    but after that we are receiving an ISAKMP notify message which tears down the connection.
    Somehow the remote peer didn't like the ASA certificate.
    Do you have access to that peer? Is it a Cisco ASA?
    Is the time synchronized with that side?
    Is the CA certificate installed on that peer?
    HTH
    Mohammad.

  • Renewed Cert on ASA, Upgraded from AnyConnect 2.5 to 3.1

    We had been running AnyConnect 2.5 against our ASA and the cert on our ASA expired. The 2.5 client (and all of the iPad clients) had a way of saying "it's cool, connect anyway" if the cert is not valid.
    I finally got around to renewing the cert on the ASA. We have an internal CA that I renewed it against. So if the CA's cert was not installed in your trusted cert store you would get an error. Many clients can connect just fine with the new 3.1 client, auto-upgrade, etc. (besides it lopping off the /vpn from the connection URL).
    We have a few of the clients that cannot connect. they get an error like:
    The certificate on the secured gateway is invalid. A VPN connection will not be established
    They have the CA's Root Cert installed in their trusted Cert Store. The Cert on the ASA has the proper CN, and Expiration date, so that should not be the issue.
    When I look in the Syslog I see:
    %ASA-7-725008: SSL client outside-interface:<Client Public IP>/50088 proposes the following 8 cipher(s).
    %ASA-6-725001: Starting SSL handshake with client outside-interface:<Client Public IP>/50088 for TLSv1 session.
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags FIN ACK on interface outside-interface
    %ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
    %ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags PSH ACK on interface outside-interface
    %ASA-6-725007: SSL session with client outside-interface:<Client Public IP>/50089 terminated.
    %ASA-4-113019: Group = SSL-VPN, Username = <userID>, IP = <Client Public IP>, Session disconnected. Session Type: SSL, Duration: 0h:00m:31s, Bytes xmt: 9787, Bytes rcv: 3991, Reason: User Requested
    %ASA-6-716002: Group <SSLVPNGrpPolicy> User <UserID> IP <Client Public IP> WebVPN session terminated: User Requested.
    %ASA-6-725002: Device completed SSL handshake with client outside-interface:<Client Public IP>/50089
    The other interesting thing is in ASDM when I monitor the VPN Connections: all of the trouble users show up in the "Clientless SSL VPN/Clientless" section, whereas the users that work fine are all in the "SSL VPN Client/WithClient" section. Though all of the ones in the "SSL VPN Client/WithClient" section have 'Clientless SSL-Tunnel DTLS-Tunnel' as the Protocol.
    We have completely removed AnyConnect and Manually installed the Client.
    We have connected to the ASA's SSLVPN URL and had it install the Client.
    All the same result. It connects, asks for a Username/Password, displays the Warning Banner to accept, checks for upgrades, then on "Establishing VPN" comes up with "the Server's Certificate is invalid".
    Is this a NAT/PAT issue on the remote end?
    Any Suggestions for these guys?
    Thank you,
       Scott

    AnyConnect 3.1 is a significant upgrade, even over 3.0.
    Over 3.0 it adds an enhanced GUI (common between Windows and Mac), NAM enhancement, crypto suite B enhancements, HostScan/Posture performance enhancements, IPv6 support, better untrusted certificate handling, plug-in component tiles, etc.
    3.0+ offers IPSec VPN client as opposed to SSL VPN.

  • VPN error when using Microsoft digital certificates.

    Hi,
    I tried implementing a site-to-site VPN between a Cisco Router and a Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping the other site's LAN. I enabled debug and got the following output. I successfully enrolled digital certificates.
    Cisco ASA config:
    access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 100
    static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto map mymap 1 match address 100
    crypto map mymap 1 set peer 2.2.2.2
    crypto map mymap 1 set transform-set myset
    crypto map mymap interface outside
    crypto ca trustpoint winca
    enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
    trust-point winca
    On router:
    crypto ca trustpoint winca
    enrollment mode ra
    enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
    crypto isakmp policy 19
    encr 3des
    group 2
    authentication rsa-sig
    crypto isakmp key cisco address 1.1.1.1
    crypto map mymap 10 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set myset
    match address 100
    access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    Debug output on ASA
    CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
    Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
    CorpASA#
    CorpASA#
    CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
    Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
    Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
    Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
    Debug output on router:
    R2#ping 10.1.1.10 source 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
    Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
    Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
    Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
    Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
    Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
    Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
    Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
    Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
    Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
    Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
    Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
    Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
    Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
    Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
    Nov 15 02:21:02.711: ISAKMP:      encryption 3DES-CBC
    Nov 15 02:21:02.711: ISAKMP:      hash SHA
    Nov 15 02:21:02.711: ISAKMP:      default group 2
    Nov 15 02:21:02.711: ISAKMP:      auth RSA sig
    Nov 15 02:21:02.711: ISAKMP:      life type in seconds
    Nov 15 02:21:02.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
    Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
    Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
    Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
    Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
    Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
    Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
    Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
    Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
    Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
    Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mismatch
    Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
    Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
    Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
    Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
    Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
    Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
    Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
    Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2.cisco.com
            protocol     : 17
            port         : 500
            length       : 20
    Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
    Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
    Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
    Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
    Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
    Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
    Success rate is 0 percent (0/5)
    R2#
    Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
    Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
    Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
    Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    R2#
    Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
    Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
    Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Please assist me in sorting this issue; I need to implement this on my live network.
    Thanks a lot in advance.
    Regards,
    Mohan.D

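As an added example (not posted by anyone in this thread), a small Python helper that reads an IOS `debug crypto isakmp` capture like the one above and reports which Main Mode state the initiator reached, which identity and trustpoint it used, and whether the message carrying its certificate (MM5) was simply never answered. The embedded debug text is a constructed excerpt modelled on the router output in the post; `analyse_phase1` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the router debug posted above (trimmed to the lines that matter).
ROUTER_DEBUG = """\
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
TRUSTPOINT_RE = re.compile(r"Choosing trustpoint (\S+) as issuer")
IDTYPE_RE = re.compile(r"using id type (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\S+?)\.\.\.$")  # IOS logs each retransmit twice; count the "..." line only

def analyse_phase1(debug_text):
    """Summarise an IOS 'debug crypto isakmp' capture of an RSA-sig Main Mode exchange:
    states reached, identity sent, and whether MM5 (ID + CERT + SIG) went unanswered."""
    states, retransmits = [], Counter()
    trustpoint = id_type = None
    id_fallback = False
    for line in debug_text.splitlines():
        if (m := STATE_RE.search(line)):
            old, new = m.groups()
            if new != old:              # skip self-transitions such as MM2 -> MM2
                states.append(new)
        elif (m := TRUSTPOINT_RE.search(line)):
            trustpoint = m.group(1)
        elif (m := IDTYPE_RE.search(line)):
            id_type = m.group(1)
        elif "Addr not in Cert" in line:
            id_fallback = True          # configured IKE ID (IPv4) is absent from the cert; IOS fell back to FQDN
        elif (m := RETRANS_RE.search(line)):
            retransmits[m.group(1)] += 1
    last = states[-1] if states else None
    return {
        "states": states,
        "trustpoint": trustpoint,
        "id_type": id_type,
        "id_fallback_to_fqdn": id_fallback,
        "retransmits": dict(retransmits),
        "stalled_after": last,
        # an initiator sitting in IKE_I_MM5 and retransmitting MM_KEY_EXCH never received the peer's MM6
        "cert_sent_no_reply": last == "IKE_I_MM5" and bool(retransmits),
    }
```

When `cert_sent_no_reply` is true, the next place to look is the responder's side (here the ASA), since it is the peer that stopped answering once it had the router's certificate and FQDN identity in hand.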
  • ASA7.0(2) CA Trustpoint Configuration with Root and Subordinate CA

    I'm trying to replicate a configuration that was done on my Con3015 to my ASA5520. I was given 2 CA certificates: a Root and a Subordinate, and was told to load both or it will not work.
    The ASAs use trustpoint configuration. I couldn't load both under one trustpoint, so I created two trustpoints.
    After loading both CA certificates using file-based enrollment, which trustpoint do I create a PKCS#10 enrollment file against?
    Also, I don't understand how both trustpoints are associated. At the end I'd have 2 trustpoints (1 RootCA and 1 SubCA) but only 1 identity will be associated with 1 of the trustpoints.
    Is it necessary to add specific commands in the trustpoint configuration?
    Is it even necessary to have both CA certificates (Root and Sub CA) installed?

    Hello Aignacio,
    I have the same problem now. Did you find a solution? If yes, could you please send me the procedure for migrating from 3015 to ASA in terms of CA config?
    Thanks
    Dogan
