AnyConnect w/ Certificate: Certificate invalid for this group

Jul 26th, 2010

Hello,


Situation:

  • About 100 VPN clients all over the world, Version 2.5.0217
  • Using Certificates from a Microsoft CA
  • AnyConnect works fine on almost all computers with XP / Vista / Windows 7
    • On Windows 7 the root certificate must be installed manually (Certificate Web Service using Windows 2003 Server)
  • AnyConnect won't work from some laptops in Australia (Windows 7 Home, IE 8). Error message: "Certificate is invalid for this group"
    • The same message appears when a certificate is revoked for a working installation
    • I tried the same Root Certificate and Personal Certificate (imported the same files) on another computer in Germany: Worked


Could not find any help in the

  • FAQ
  • Troubleshooting Guide
  • Administration Guide


Has anybody experienced such a behaviour?


Facts:

  • Since the Gateway is in Germany, ping times are around 330ms from Australia.
  • We also tried an intranet connection and an internet connection, same message.


I wonder if there are security settings within Internet Explorer which cause this error. The ASA web access does not work either. (It asks for the personal certificate, then it won't continue, telling "This page cannot be displayed" in IE 8)

mulatif (Cisco Employee) Wed, 07/28/2010 - 10:19

Possibly looks like an SSL handshake failure, since you cannot connect from the browser either. What client certificate are you presenting to the ASA? Make sure that the EKU (Enhanced Key Usage) extension in the client certificate includes the "Client Authentication" capability.

A packet capture for the SSL failure will also help.

Does browser access through any other browser work (e.g. Firefox)?
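
One way to verify the EKU point raised above, as an added example that is not part of the thread and not a Cisco tool: a stdlib-only Python script that walks a DER-encoded certificate, locates the Extended Key Usage extension (OID 2.5.29.37) and reports whether id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is listed. The `build_sample_cert` helper constructs a tbsCertificate skeleton (no signature, not a real certificate) purely so the walker can be exercised offline; `load_cert` reads a real DER or PEM file exported from the Windows certificate store.

```python
"""EKU check for an X.509 certificate, stdlib only (added example, not from the thread).

Walks the DER structure, finds the Extended Key Usage extension (OID 2.5.29.37)
and reports whether id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is listed. The sample
"certificate" built below is a constructed skeleton, not a real cert.
"""
import base64
import sys

OID_EKU_EXTENSION = "2.5.29.37"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it). Definite lengths only."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der(tag, body):
    """Wrap body in a DER TLV with minimal length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def decode_oid(value):
    """Decode OID content octets to dotted form (first octet = 40*arc1 + arc2)."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OID TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, bytes(body))


def parse_oid_sequence(octets):
    """Decode extnValue of EKU: OCTET STRING content is SEQUENCE OF OID."""
    _, body, _ = read_tlv(octets, 0)
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0x06:
            oids.append(decode_oid(v))
    return oids


def find_eku_oids(cert_der):
    """Return the EKU extension's OIDs as a list, or None if the extension is absent."""
    def walk(data):
        pos = 0
        while pos < len(data):
            tag, value, pos = read_tlv(data, pos)
            # An Extension is SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
            if tag == 0x30 and value and value[0] == 0x06:
                _, oid, p = read_tlv(value, 0)
                if decode_oid(oid) == OID_EKU_EXTENSION:
                    while p < len(value):
                        t, v, p = read_tlv(value, p)
                        if t == 0x04:      # extnValue
                            return parse_oid_sequence(v)
            if tag & 0x20:                 # constructed type: descend into it
                found = walk(value)
                if found is not None:
                    return found
        return None
    return walk(cert_der)


def has_client_auth_eku(cert_der):
    """Strict check as the reply asks for: EKU present and lists id-kp-clientAuth."""
    eku = find_eku_oids(cert_der)
    return eku is not None and OID_CLIENT_AUTH in eku


def build_sample_cert(eku_oids):
    """Constructed tbsCertificate skeleton; not a real certificate (no signature)."""
    exts = b""
    if eku_oids is not None:
        inner = der(0x30, b"".join(encode_oid(o) for o in eku_oids))
        ext = der(0x30, encode_oid(OID_EKU_EXTENSION) + der(0x04, inner))
        exts = der(0xA3, der(0x30, ext))   # [3] EXPLICIT Extensions
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                                    # [0] version v3
                    + der(0x02, b"\x01")                                              # serialNumber
                    + der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSA
                    + exts)
    return der(0x30, tbs)


def load_cert(path):
    """Read a DER or PEM certificate file and return DER bytes."""
    data = open(path, "rb").read()
    if data.startswith(b"-----BEGIN"):
        lines = [l for l in data.splitlines() if not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(lines))
    return data


if __name__ == "__main__":
    cert = load_cert(sys.argv[1]) if len(sys.argv) > 1 else build_sample_cert([OID_SERVER_AUTH])
    eku = find_eku_oids(cert)
    print("EKU:", eku if eku is not None else "absent")
    print("clientAuth listed:", has_client_auth_eku(cert))
```

Run it as `python eku_check.py user.cer` against the certificate exported from the failing laptop; a certificate whose EKU lists only 1.3.6.1.5.5.7.3.1 (serverAuth) will report `clientAuth listed: False`. The same information can be read with `openssl x509 -in user.cer -noout -text` under "X509v3 Extended Key Usage" if OpenSSL is at hand.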

sjbdallas Thu, 08/05/2010 - 06:36

Did you get an answer for this?  I'm seeing a similar issue.

hwillenborg Thu, 08/05/2010 - 06:48

Hello Steven,


no, I am sorry. It turned out to be a problem with exactly one computer and we decided not to follow this up anymore.


Regards

Holger

hwillenborg Thu, 08/05/2010 - 06:51

Steven,


I first had an issue installing the Root certificates on the Windows 7 machines. Instead of using "Select storage automatically" you have to select it manually (Trusted Root Certification Authorities and, if this is not enough, a second time into Intermediate Certification Authorities).


Maybe this helps for you


Regards

Holger

Saquib Khan Sun, 01/09/2011 - 09:31

Hi Steve,


Just wondering if you were able to resolve this issue, as I am having the same issue?


I have gotten around the issue by deleting the user in ACS as we use ACS as the radius server. The user is again dynamically created in ACS and the certificate issue disappears, however before deleting the user, I can log in fine from another workstation with my credentials and the issue is not present when logging from a different workstation. There are new anyconnect clients that seem to resolve some certificate issues, but that did not help either. Tried deleting cached and profiles and that did not help either. Deleting the user from ACS is not a good solution.

Thomas Kelly Mon, 07/30/2012 - 08:49

For myself, the error was related to Authentication under the Connection Profile > Advanced.

Under the Connection Profile it was configured to "Pre-fill Username from Certificate", but "Use script to select username" was set to -None-, which caused the error.


A few years late but hope this helps someone.
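
The ASDM setting described in the post corresponds to the tunnel-group `webvpn-attributes` commands on the ASA CLI. The fragment below is an added example, not configuration from the thread; the tunnel-group name ANYCONNECT-CERT and the choice of CN as the username attribute are assumptions. It shows the username being taken from a certificate attribute rather than from a script, so no script needs to be present for pre-fill to work.

```text
tunnel-group ANYCONNECT-CERT webvpn-attributes
 authentication certificate
 pre-fill-username ssl
 username-from-certificate CN
```

`show running-config tunnel-group ANYCONNECT-CERT` shows the values in effect; if it reports `username-from-certificate use-script`, the ASA will try to derive the username from a script, which is the combination the post identifies as the cause.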
