Thursday, July 12, 2018

Moving Cisco AnyConnect to a different interface on ASA 5525-X

Hello /r/networking! Apologies, but this might be a little long.

We're dropping one of our ISPs soon, and it just so happens that our AnyConnect VPN runs over the interface that this ISP (L3) connects to on our ASA 5525-X HA pair. I need to move this VPN to another interface (SPECTRUM).

We have a device certificate installed that points to our vpn domain (e.g. vpn.company.com) and it is working as normal at this time. Last night, I set aside some downtime for the VPN to move it from the L3 interface to the SPECTRUM interface. As far as I know, the certificate is not IP-based, so this shouldn't cause an issue. After changing the interface that AnyConnect connects to, it immediately booted me off (I expected this); however, what I didn't expect was a certificate error when re-connecting.

Function: COpenSSLCertificate::VerifyExtKeyUsage
File: .\Certificates\OpenSSLCertificate.cpp
Line: 2167
Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage
Return Code: -31391721 (0xFE210017)
Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate

Function: COpenSSLCertificate::VerifyKeyUsage
File: .\Certificates\OpenSSLCertificate.cpp
Line: 2137
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate

Function: COpenSSLCertificate::VerifyExtKeyUsage
File: .\Certificates\OpenSSLCertificate.cpp
Line: 2167
Invoked Function: COpenSSLCertUtils::VerifyExtKeyUsage
Return Code: -31391722 (0xFE210016)
Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages

Function: CVerifyExtKeyUsage::Verify
File: .\Certificates\VerifyExtKeyUsage.cpp
Line: 100
Extended key usage verification failed

I'm not very well-versed in the ASA or the AnyConnect VPN, but it seems to me that this should not be happening with the installed certificate. When I moved the AnyConnect back to the L3 interface, it immediately started working again.

Would this be a corrupt certificate on the client's side? If so, how would I go about fixing this? Or do I just need to get a new certificate with a new URL to point to the SPECTRUM interface's public IP?

Thank you!
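The AnyConnect log above complains that the certificate it was handed has no Key Usage and no Extended Key Usage. The script below is an added example, not part of the original post, that checks a PEM certificate for exactly those two extensions (keyUsage digitalSignature, extendedKeyUsage serverAuth) so the certificate actually presented on each interface can be verified before the cutover. It assumes openssl 1.1.1 or newer on PATH; vpn.example.com and the generated certificates are constructed test data.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post. Checks whether a PEM
# certificate carries the Key Usage and Extended Key Usage that the AnyConnect
# client log reports as missing. Assumes openssl 1.1.1+ (for -ext / -addext);
# vpn.example.com and the self-signed certificates below are constructed test data.

# 0 if the certificate's EKU lists TLS Web Server Authentication (serverAuth).
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# 0 if the certificate's Key Usage includes Digital Signature.
has_digital_signature_ku() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null |
        grep -q 'Digital Signature'
}

# 0 only when both checks pass; prints which one failed otherwise.
check_vpn_cert() {
    rc=0
    has_digital_signature_ku "$1" || { echo "$1: no keyUsage digitalSignature"; rc=1; }
    has_server_auth_eku "$1"      || { echo "$1: no extendedKeyUsage serverAuth"; rc=1; }
    return $rc
}

# Generate a constructed self-signed test cert; remaining args are -addext values.
make_test_cert() {
    out=$1; shift
    for ext in "$@"; do set -- "$@" -addext "$ext"; shift; done
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
        -subj "/CN=vpn.example.com" -days 1 -out "$out" "$@" 2>/dev/null
}

# Compare a cert issued with the required usages against a bare self-signed one
# that carries neither extension.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/good.pem" "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth"
    make_test_cert "$dir/bare.pem"
    check_vpn_cert "$dir/good.pem" && echo "good.pem: usages present"
    check_vpn_cert "$dir/bare.pem" || echo "bare.pem: would fail the client's verification"
    rm -rf "$dir"
}
demo
```

To check a live certificate instead of the constructed ones, save the PEM the ASA presents on the new interface and run check_vpn_cert on that file.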
