Cisco Bug: CSCvs84531 - ASA chooses wrong CA cert from LOCAL CA server for VPN authentication

Last Modified

Aug 27, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(2.16)

Description (partial)

BU would need to validate the bug first.

Symptom:
ASA authenticates AnyConnect clients via certificate. The CA certificate used to sign the user certificates is also the CA used to authenticate AnyConnect users during certificate authentication.

As the CA certificate approaches expiry, the ASA issues a new CA certificate, which coexists with the older one in the same trustpoint until the older one expires; from that point on the new CA certificate is the one to be used.

During this overlap period, the ASA tries to authenticate AnyConnect users with the new CA certificate, which is not yet valid, so authentication fails because the certificate is not yet valid, while the old and still valid CA certificate held in the same trustpoint is ignored.

Conditions:
++ASA using LOCAL CA with auto-renewal
++Anyconnect Certificate authentication (using the CA certificate from Local CA to authenticate).
++LOCAL CA certificate close to expiration and automatically renewed by local CA.
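The renewal overlap described in the symptom, modelled as an added example (this is not Cisco code and not the ASA's actual selection logic): a constructed trustpoint holding an old and a renewed CA certificate, the newest-first pick that reproduces the reported symptom beside a selection that honours the validity window, plus a per-certificate status report a monitoring check could emit while both certificates coexist.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CACert:
    """Minimal stand-in for a CA certificate held in an ASA trustpoint (constructed)."""
    serial: str
    not_before: datetime
    not_after: datetime

    def status_at(self, now):
        if now < self.not_before:
            return "not yet valid"
        if now > self.not_after:
            return "expired"
        return "valid"


def newest_cert(trustpoint):
    """Reported misbehaviour: pick the most recently issued CA cert, ignoring validity."""
    return max(trustpoint, key=lambda c: c.not_before)


def valid_certs(trustpoint, now):
    """Every CA cert whose validity window contains 'now', newest first."""
    return sorted((c for c in trustpoint if c.status_at(now) == "valid"),
                  key=lambda c: c.not_before, reverse=True)


def select_ca_for_auth(trustpoint, now):
    """Expected behaviour: the newest cert that is actually valid right now."""
    candidates = valid_certs(trustpoint, now)
    if not candidates:
        raise ValueError(f"no CA certificate in trustpoint is valid at {now.isoformat()}")
    return candidates[0]


def rollover_report(trustpoint, now):
    """Per-cert status a monitoring check could emit during the renewal overlap."""
    return {c.serial: c.status_at(now) for c in trustpoint}


# Constructed rollover: the local CA issued NEW ahead of OLD's expiry, with NEW's
# notBefore equal to OLD's notAfter, so both sit in the same trustpoint for a while.
OLD = CACert("OLD", datetime(2017, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
NEW = CACert("NEW", datetime(2020, 1, 1, tzinfo=UTC), datetime(2023, 1, 1, tzinfo=UTC))
TRUSTPOINT = [OLD, NEW]
DURING_OVERLAP = datetime(2019, 12, 15, tzinfo=UTC)  # OLD still valid, NEW not yet
```

With the trustpoint above, `newest_cert` returns NEW (not yet valid, matching the reported failure) while `select_ca_for_auth` returns OLD during the overlap and NEW once OLD has expired.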