You can confirm that the VPN certificate is operational by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured ASA firewall.

If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect to the ASA firewall, then there is a problem in the configuration.

Troubleshooting Checks

  • Make sure that a certificate is being issued by the external CA to the device by checking the following:
    • Go to the external CA’s server, launch the certification authority application, and browse to the “issued certificates” section.
    • Find the most recently issued certificate. Its subject should match the one defined in the certificate template section earlier in this documentation.

      If there is no certificate, then there is an issue with the external CA, the client access server (e.g., ADCS), or the Workspace ONE UEM connection to the client access server.

    • Check that the permissions of the client access server (e.g., ADCS) Admin Account are applied correctly to the external CA and the template on the external CA.
    • Check that the account information is entered correctly in the Workspace ONE UEM configuration.
  • If the certificate is being issued, make sure that it is in the Profile payload and on the device.
    • Navigate to Devices > Profiles > List View. In the Device Profiles screen for the user’s device, select Actions and then select </> View XML to view the profile XML. The certificate appears as a large block of encoded text in the payload.
    • On the device, go to the profiles list, select details and see if the certificate is present.
  • If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the ASA firewall.
    • Confirm that the address of the VPN endpoint is correct in the Workspace ONE UEM profile and that all the security settings have been adjusted for allowing certificate authentication on the firewall.
  • A very good test to run is to manually configure a single device to connect to IPSec VPN using certificate authentication. This should work outside of Workspace ONE UEM and until this works properly, Workspace ONE UEM will not be able to configure a device to connect to IPSec VPN with a certificate.
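The "View XML" check above is easier to do reliably with a script than by eye, because the certificate payload is just a wall of base64. The following is an added example, not Workspace ONE UEM or Apple code: it parses the exported profile XML (an Apple .mobileconfig property list), pulls the DER certificate out of every certificate payload and decodes the X.509 subject with a small standard-library ASN.1 reader, so the subject can be compared with the one the certificate template was expected to produce. The payload identifiers, UUIDs, the expected subject and the certificate itself are constructed for the demo; the certificate is a structurally valid skeleton with an empty key and signature, not one issued by any CA.

```python
import plistlib

# Payload types that carry a DER certificate in their PayloadContent <data>.
CERT_PAYLOAD_TYPES = {"com.apple.security.pkcs1", "com.apple.security.root"}
# Subject attribute OIDs translated into their short names.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(b):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def x509_subject(der):
    """Return the subject of a DER X.509 certificate as {"CN": ..., "OU": ...}."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                  # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    subject = fields[4][1]                    # serial, sigAlg, issuer, validity, subject
    out = {}
    for _, rdn in _children(subject):         # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            out[OID_NAMES.get(_oid(oid), _oid(oid))] = value.decode("utf-8")
    return out

def certificate_subjects(profile_xml):
    """Subjects of every certificate payload in a .mobileconfig, keyed by PayloadIdentifier."""
    found = {}
    for payload in plistlib.loads(profile_xml).get("PayloadContent", []):
        if payload.get("PayloadType") in CERT_PAYLOAD_TYPES:
            found[payload["PayloadIdentifier"]] = x509_subject(payload["PayloadContent"])
    return found

def check_profile(profile_xml, expected_subject):
    """True when at least one certificate payload carries exactly the expected subject."""
    return any(s == expected_subject for s in certificate_subjects(profile_xml).values())

# --- constructed sample data (DER encoder + unsigned certificate skeleton), demo only ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return _der(0x06, bytes(body))

def _der_name(pairs):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der_oid(oid) + _der(0x0C, v.encode()))) for oid, v in pairs))

def constructed_certificate(subject_pairs):
    """Structurally valid v3 certificate with empty key and signature (constructed, not real)."""
    sig_alg = _der(0x30, _der_oid("1.2.840.113549.1.1.11") + _der(0x05, b""))  # sha256WithRSA
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
           + _der_name([("2.5.4.3", "Example Issuing CA")])
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _der_name(subject_pairs) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00"))

def constructed_profile(der):
    """Minimal .mobileconfig XML wrapping one com.apple.security.pkcs1 payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn-demo",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadContent": [{
            "PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.vpn-demo.cert",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "PayloadContent": der}]})

# Subject the certificate template is expected to produce (constructed values).
EXPECTED_SUBJECT = {"CN": "jdoe", "OU": "Mobile Devices", "O": "Example Corp"}
SAMPLE_PROFILE = constructed_profile(constructed_certificate(
    [("2.5.4.3", "jdoe"), ("2.5.4.11", "Mobile Devices"), ("2.5.4.10", "Example Corp")]))

if __name__ == "__main__":
    print(certificate_subjects(SAMPLE_PROFILE))
    print("OK" if check_profile(SAMPLE_PROFILE, EXPECTED_SUBJECT) else "subject mismatch")
```

To use it against a real export, read the XML saved from View XML into bytes and pass it to `check_profile` with the subject your template produces. A mismatch or an empty result points back at the CA or template side of the checklist; a match moves the investigation to the device and the firewall.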