You can confirm that the VPN certificate is operational by pushing a profile to the device. Then, test whether or not the device can connect and sync to the configured ASA firewall.

If the device is not connecting, it may show a message that the certificate cannot be authenticated or the account cannot connect to the ASA firewall. In this case, there is a problem in the configuration.

Listed here are some helpful troubleshooting checks.

  • Make sure that a certificate is issued by the external CA to the device by checking the following information:
    • Go to the external CA’s server, start the certification authority application, and browse to the “issued certificates” section.
    • Find the last certificate that was issued. Ensure it has a subject that matches the one created in the certificate template section earlier in this document.

      If there is no certificate, then there is an issue with the external CA, client access server (for example, ADCS), or with the AirWatch connection to the client access server.

    • Check that the permissions of the client access server (for example, ADCS) Admin Account are applied correctly to the external CA and the template on the external CA.
    • Check that the account information is entered correctly in the AirWatch configuration.
  • If the certificate is being issued, make sure that it is in the Profile payload and on the device.
    • Navigate to Devices > Profiles > List View. In the Device Profiles screen for the user’s device, select Actions and then, select </> View XML to view the profile XML. There is certificate information that appears as a large section of text in the payload.
    • On the device, go to the profiles list, select details, and see if the certificate is present.
  • If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the ASA firewall.
    • Confirm that the address of the VPN endpoint is correct in the AirWatch profile. Also confirm that all the security settings have been adjusted for allowing certificate authentication on the firewall.
  • A good test to run is to configure a single device to connect to AnyConnect VPN using certificate authentication. Ensure this test works outside of AirWatch, as until this works properly, AirWatch is not able to configure a device to connect to AnyConnect VPN with a certificate.