SSL-VPN configuration

deacongibson (Member, Posts: 8)
Can someone help please?
The subject is SSL VPN (using GNS3).
I have set up an SSL VPN and it is working using the AAA authentication method in my GNS3 lab, but I have not been able to get it to work using the certificate authentication method. In fact I am now confused; I need someone who can give me a working ASA configuration, excluding the Microsoft server configuration (that is working very fine, as I can issue certificates). See below for my setup:

1. ASA 5520 with IOS 8.4
- inside interface:
- outside interface:
- dmz interface:

2. Microsoft Windows server 2008 as domain controller and active directory
3. Microsoft Windows server 2003 as member server hosting the certificate services
- Domain server IP:
- certificate server IP:
4. Windows XP sp3 as client machines
5. SSL VPN configuration
a. NAT configuration
b. Address pool –
c. Split tunnel option: Tunnel network list below
d. Access-list implementation

Note: I will appreciate any already existing working SSL-VPN configuration.
Deacon Gibson


  • SecurityThroughObscurity (Member, Posts: 212)
    Have you issued an identity certificate for the ASA?
    Have you imported the root certificate to the ASA?
  • deacongibson (Member, Posts: 8)
    See below for my lab scenario:

    1. I have set up AnyConnect SSL-VPN on my ASA with IOS 8.4.
    2. I have enrolled the ASA with SCEP to get its ROOT and IDENTITY certificates from the Windows Server 2003 certificate server.
    3. I have also deployed a ROOT and IDENTITY certificate from the Windows Server 2003 certificate server to my Windows XP SP3 computer.
    4. I can establish an SSL-VPN connection from the AnyConnect client software installed on the XP machine to the ASA using the local authentication method.
    5. I have not been able to establish a connection using the certificate authentication method. Each time I try I get the message "no valid certificates available for authentication".
  • SecurityThroughObscurity (Member, Posts: 212)
    Try to gather the DART logs.
  • deacongibson (Member, Posts: 8)
    I have gathered the DART logs. What should I do next?
  • Maced129 (Member, Posts: 78)
    Is time synced between all devices in your topology?