ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Resolved: Once-functional ASA VPN broken, Error 32

Fri Dec 30, 2011 11:10 am

All-

I have an ASA 5520 (pair of them, in failover mode) that I configured a VPN on a while back. This is an IPSEC VPN, clients use the VPN client and CAC authenticate back to our AD over LDAP.

This all worked great... until we tried it the day after our DC was replaced with a unit which is minded by folks above us.

I use the same laptop that we used before, insert my CAC, hop onto a cellular network just like we always did- and then launch the VPN client. I immediately get "Error 32: unable to verify certificate".

Troubleshooting things, I verify the client laptop is able to connect to the Internet. I go into my ADSM, go to monitoring/logging, filter by the client's IP address (the one it's pulling from the external ISP), and try to connect. Nothing shows up on the log. So this is telling me the issue is occurring before it ever reaches the ASA.

Out of curiosity, I disconnect the client machine from the external network and try to connect to the VPN. I get the same error... I believe this proves the issue is in the client, not the ASA...

Client is WinVista, I get to poking about in the Network properties, I've noticed that the Cisco VPN Adapter is disabled. Yep, that'd do it... let me try again... stand up my connection to external ISP again, and....

No. Same darn error.

Try another laptop- same error.

The new DC is at the same address. However, as we're not showing ANY traffic through the ASA at all (which it has to pass through before it gets to the AD), I don't think that's our issue.

Any ideas?
Last edited by DieselJeeper on Fri Dec 30, 2011 12:15 pm, edited 1 time in total.

ristau5741
Post Whore
Posts:
10618
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:18 am

Is there a certificate you may need to install on the ASA ?
maybe for the DC?
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:24 am

All of that was done when this VPN was stood up. I've even had users using this darn thing, as recently as last month.

I really don't think the DC change has anything to do with it, either. It's just odd that it occurred at the same time.

Also, not showing traffic from that client's IP in the log.
Now, bear in mind I am sure no expert in Cisco- as you've seen (and is reflected in my profile), I haven't any Cisco certs just yet.

willroute4food
Member
Posts:
200
Joined:
Fri Nov 13, 2009 4:42 pm
Certs:
CCIE R&S

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:38 am

If you go into the ASDM and under the AAA server, do a "Test." Just start there, and work back to the client. Make sure that you can successfully pass an authentication test back to your LDAP server.

http://www.cisco.com/en/US/docs/securit ... #wp1321970

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:41 am

@ Willroute4food: Bless you, for telling me what to test and then giving me a link handholding me through it!!

As I stated, I'm rather new to this level of interaction with CISCO.

This forum is GREAT! I expected something along the lines of what I found on Linux forums in the mid-90s... "RTFM< FOAD< N00B!!"

How does one go about contributing to keeping the lights on 'round here, anyway? :thankyou: :cheers:

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:49 am

This may turn out to be a User Account Control issue... I rebooted the machine and something's disabled the VPN client in Network Management, again. Likely it's UAC...

... ongoing...

willroute4food
Member
Posts:
200
Joined:
Fri Nov 13, 2009 4:42 pm
Certs:
CCIE R&S

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 11:54 am

DieselJeeper wrote: This may turn out to be a User Account Control issue... I rebooted the machine and something's disabled the VPN client in Network Management, again. Likely it's UAC...

... ongoing...


If it's the legacy IPSEC client it is always going to show disabled until you launch the VPN and begin connecting.

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 12:02 pm

DieselJeeper,

From experience, the VPN adapter on clients is usually disabled until you actually connect with the client. That's just in my few months worth of experience working with remote-access VPN.

Are you sure your logging levels are low enough to catch the VPN traffic coming in? Also, did the structure of the new AD change? I know we had problems when our Systems staff changed the structure of the OUs and renamed the service account.

Regards,
Keith

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Once-functional ASA VPN broken after AD DC replacement

Fri Dec 30, 2011 12:14 pm

All-

got it up!

Observations:
-check the Certificate- I noted the issuing CA was not listed in the laptop's Intermediate CAs. I applied a "rollup package" (script which imports all required CA infrastructure to our clients' store), reestablished outside comms to the external ISP, and was able to estab the VPN.

-also, as mentioned by the two gents previously, the "disabled" Cisco VPN adapter is a non-issue. It will read as disabled till you call on it to estab a connection. So that was a waste of time to worry about.

Thanks to everyone for your help!
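The check that resolved the thread (is the issuing CA actually present in the client's certificate stores, and can Windows build a chain for the CAC certificate?) can be scripted on the client. This is an added example, not code from the thread or from Cisco; it assumes the smart-card middleware has propagated the CAC certificates into Cert:\CurrentUser\My, and the $StorePath parameter is a hypothetical knob to point it elsewhere.

```powershell
# Added example (not from the thread): for every certificate in the user's
# personal store, ask the Windows chain engine to build the chain and report
# whether the issuer is present in the Intermediate/Root CA stores. A result of
# ChainBuilt=False, Status=PartialChain, IssuerInStore=False is the
# "Error 32: unable to verify certificate" situation described above.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My'   # assumption: CAC certs live here
)

Add-Type -AssemblyName System.Security

function Test-IssuerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Chain building only: a CRL/OCSP failure is a different problem and would
    # hide the "missing intermediate" case this check is looking for.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)

    # Is a CA certificate whose Subject equals this cert's Issuer installed in
    # any of the intermediate or root stores (user or machine)?
    $caStores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA',
                'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    $issuerInStore = @(Get-ChildItem -Path $caStores -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $Cert.Issuer }).Count -gt 0

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        ChainBuilt    = $built
        ChainLength   = $chain.ChainElements.Count
        IssuerInStore = $issuerInStore
        Status        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-ChildItem -Path $StorePath | ForEach-Object { Test-IssuerChain $_ } | Format-Table -AutoSize
```

Run it before and after importing the CA "rollup package" mentioned above: the affected certificate should go from PartialChain to ChainBuilt=True with the full chain length once the intermediate is in the store.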

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Resolved: Once-functional ASA VPN broken, Error 32

Fri Dec 30, 2011 12:20 pm

Good to hear...

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Resolved: Once-functional ASA VPN broken, Error 32

Fri Dec 30, 2011 12:23 pm

Thanks again!!

DieselJeeper
Ultimate Member
Posts:
511
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: Resolved: Once-functional ASA VPN broken, Error 32

Fri Dec 30, 2011 12:28 pm

Swagger- you referred to making sure my logging levels were low enough- how would I do that?

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Resolved: Once-functional ASA VPN broken, Error 32

Fri Dec 30, 2011 12:45 pm

Well, if you were only logging Emergency or Alerts (logging level 0 and 1) you might not see inbound authentication attempts if you were running debugs... You could just check to see what syslog levels you have configured, either through the CLI or ASDM.
