CHI-LTD (United Kingdom) asked:

Cisco Anyconnect SSL VPN migration - 5515x to FP 1120

Hi


We have a managed firewall with our ISP and they recently had issues getting the Cisco Anyconnect VPN to work post migration from a 5515x ASA to the later Firepower 1120 series.


The firewall typically uses a standard AD account that binds the firewall to our AD, and once that is working the user's AD account & PW are used.  We use LDAPS and not LDAP anymore.


I believe this is where the issue lies, as we were getting a Cisco Anyconnect login prompt on the endpoints.


They were getting errors like below:


INFO: Attempting Authentication test to IP address (10.0.0.30) (timeout: 12 seconds)

SSL verify callback: Key exchange algorithm extracted from SSL Cipher

PKI[13]: CERT_Open, vpn3k_cert_api.c:197

PKI[8]: PKI session 0x02213959 open Successful with type AAA Server

PKI[13]: CERT_SetKeyExchangeAlg, vpn3k_cert_api.c:1193

PKI[13]: CERT_Authenticate, vpn3k_cert_api.c:863

PKI[8]: Authenticate session 0x02213959, non-blocking cb=0x000055640f1136d0

PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2852

PKI[9]: CERT API thread wakes up!

PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2750

PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2685

PKI[8]: process msg cmd=0, session=0x02213959

PKI[9]: Async locked for session 0x02213959

PKI[12]: pki_ossl_verify_chain_of_certs, pki_ossl_validate.c:1133

PKI[7]: Begin cert chain validation for session 0x02213959

PKI[12]: pki_ossl_find_valid_chain, pki_ossl_validate.c:553

PKI[8]: Begin sorted cert chain

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119

PKI[8]: ---------Certificate--------:

        Serial Number:

            6b:00:0:7e:be:04:9b:7a:d1:d3:00:00:00:00:00:1c

        Issuer: DC=local, DC=domain, CN=domain-server01-CA

        Subject: CN=server01.domain.local

PKI[8]: End sorted cert chain

PKI[13]: pki_ossl_get_store, pki_ossl_certstore.c:61

PKI[12]: pki_ossl_rebuild_ca_store, pki_ossl_certstore.c:194

PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42

PKI[13]: crypto_pki_get_ossl_env, pki_ossl.c:42

PKI[14]: pki_ossl_get_cert_summary, pki_ossl.c:119

PKI[7]: Cert to verify

PKI[7]: ---------Certificate--------:

        Serial Number:

            6c:7e:be:04:9b:7a:d1:d3:00:00:00:00:00:1c

        Issuer: DC=local, DC=domain, CN=domain-server01-CA

        Subject: CN=server01.domain.local

PKI[12]: pki_verify_cb, pki_ossl_validate.c:416

PKI[6]: val status=0: cert subject: /CN=server01.domain.local. ctx->error: (20)unable to get local issuer certificate, cert_idx: 0

PKI[14]: is_crl_error, pki_ossl_validate.c:336

PKI[4]: Certificate verification error: unable to get local issuer certificate

PKI[14]: map_ossl_error, pki_ossl_validate.c:62

PKI[4]: Unable to find trusted certificate chain

PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164

PKI[13]: CERT_Close, vpn3k_cert_api.c:291

PKI[8]: Close session 0x02213959 asynchronously

PKI[13]: CERT_API_req_enqueue, vpn3k_cert_api.c:2852

PKI[9]: Async unlocked for session 0x02213959

PKI[12]: CERT_API_Q_Process, vpn3k_cert_api.c:2750

PKI[12]: CERT_API_process_req_msg, vpn3k_cert_api.c:2685

PKI[8]: process msg cmd=1, session=0x02213959

PKI[9]: Async locked for session 0x02213959

PKI[9]: Async unlocked for session 0x02213959

PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:251

PKI[9]: CERT API thread sleeps!

ERROR: Authentication Server not responding: AAA Server has been removed

fw01/sec/act#


They believe that we need to export a root CA from our domain controller and provided me with links:


https://campus.barracuda.com/product/websecuritygateway/doc/95259622/how-to-export-a-root-certificate-from-windows-server-2008-or-2012/


https://help.duo.com/s/article/2222?language=en_US


Are they on the right lines?  We have no records of using local certificates.


We do have (or did until I stopped the Windows services) the AD Certificate Services role installed: https://www.experts-exchange.com/dashboard/#/questions/my/29254412


Thanks
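A small triage script, added here and not part of the question or of Cisco's tooling, that parses PKI debug lines of the kind quoted above, pulls out each presented certificate's subject and issuer, explains the OpenSSL ctx->error code, and names the issuing CA that has to be held in a trustpoint on the firewall before the LDAPS AAA test can pass. The sample log is a constructed excerpt of the output above, and the trusted-CA list passed to diagnose() is a placeholder for whatever trustpoints the firewall actually holds.

```python
import re
# Constructed excerpt of the ASA/FTD PKI debug output quoted in the question.
SAMPLE_LOG = """\
PKI[7]: ---------Certificate--------:
        Issuer: DC=local, DC=domain, CN=domain-server01-CA
        Subject: CN=server01.domain.local PKI[12]: pki_verify_cb, pki_ossl_validate.c:416
PKI[6]: val status=0: cert subject: /CN=server01.domain.local. ctx->error: (20)unable to get local issuer certificate, cert_idx: 0
ERROR: Authentication Server not responding: AAA Server has been removed
"""
# OpenSSL X509_V_ERR codes as they appear in ctx->error, and what each means here.
X509_ERRORS = {
    18: "self-signed certificate: import that certificate itself into a trustpoint",
    19: "self-signed certificate in chain: the root CA is not trusted",
    20: "unable to get local issuer certificate: the issuing CA is in no trustpoint",
}

def parse_presented_certs(log):
    """Return [(subject, issuer)] for every certificate summary in the output."""
    certs, issuer = [], None
    for line in log.splitlines():
        m = re.match(r"\s*Issuer:\s*(.+?)\s*$", line)
        if m:
            issuer = m.group(1)
            continue
        # The Subject line has no newline, so the next PKI[...] message is glued on.
        m = re.match(r"\s*Subject:\s*(.+?)(?:\s+PKI\[\d+\]:.*)?$", line)
        if m and issuer is not None:
            certs.append((m.group(1), issuer))
            issuer = None
    return certs

def parse_verify_errors(log):
    """Return [(cert_idx, error_code)] from the 'ctx->error: (N)...' lines."""
    pairs = re.findall(r"ctx->error:\s*\((\d+)\).*?cert_idx:\s*(\d+)", log)
    return [(int(idx), int(code)) for code, idx in pairs]

def diagnose(log, trusted_ca_subjects):
    """Tie each verify error to its certificate and say which CA the firewall needs."""
    certs = parse_presented_certs(log)
    findings = []
    for idx, code in parse_verify_errors(log):
        subject, issuer = certs[idx] if idx < len(certs) else ("?", "?")
        note = X509_ERRORS.get(code, f"X509 verify error {code}")
        if code == 20 and issuer in trusted_ca_subjects:
            note += f"; '{issuer}' is listed as trusted, so check that trustpoint holds the right CA cert"
        elif code == 20:
            note += f"; import '{issuer}' into a trustpoint on the firewall"
        findings.append((subject, code, note))
    return findings
```

Run it against the saved output of the AAA test with the subjects of the CA certificates the firewall already trusts; the finding for cert_idx 0 tells you which CA (here the AD CS CA domain-server01-CA) is missing.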


ASKER CERTIFIED SOLUTION
Pete Long
ASKER (CHI-LTD):

How are the certificates setup? If you have cert auth then the same CA cert will be for both of them, if they are self signed then you will need to import the self signed cert from each of them, are both AD servers defined in the firewalls LDAP map?
ASKER (CHI-LTD):

We use a 3rd party from godaddy that is imported into the firewall.
>> We use a 3rd party from godaddy that is imported into the firewall.

Is it a wildcard cert? I'm confused, that's not normal. I'm referring to the certificate that's on your domain controllers that provides LDAPS protection, see my comments here for clarification
ASKER (CHI-LTD):

No, it's a standard cert, i.e. access.domain.com

I recall enabling LDAPS on the DCs (not quite the same process as your notes) and not importing or exporting any self-signed certificates on the DCs.
Attached are the certificates on the 1st DC.

Attachment: Certs.jpg