Anyconnect w Windows 7 certificate error

Unanswered Question

Ok, so here's the scoop. I have a VPN set up on our ASA5510; authentication is happening via the local user database and the local certificate authority. Everything works as it should on a Windows XP system: install the certificate, launch AnyConnect, and the VPN connects just fine.


On a Windows 7 Pro installation, I can launch the VPN via the web browser and connect to the VPN just fine. When I try to connect to the VPN directly from the AnyConnect software via the Start menu I get a certificate validation failure error. I have tried reimporting the certificate, regenerating it, etc.; the cert is in the certificate store. I upgraded to AnyConnect 2.4 and still get the same issue. Anyone run into this problem?

Asim Malik Fri, 08/20/2010 - 14:06
User Badges: Cisco Employee

Can you provide the AnyConnect event logs and the following debugs from the ASA?

debug webvpn 128
deb web svc 128
deb crypto ca 255

robert-olsson Wed, 09/29/2010 - 08:07

Hi,


Same error for us.

The certificate used on the ASA outside interface is from our own CA server.

XP clients work just fine connecting with AnyConnect.

But when using Windows 7 we immediately get the errors "Unable to process response from ..." and "Certificate validation failure".

Could it be that the AnyConnect client can't access the cert store correctly on Windows 7 in certain circumstances?

Anyone recognise this?

The root cert for our domain and CA is in the cert store.

As a side note, the latest full IPsec client works great on Windows 7. This is also using computer certs from our CA.

The debug didn't give that much on the ASA.

Attaching some selected errors from the AnyConnect part of the Event Viewer.

(Company info x'ed out below)


------------------------------
Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 2239
Certificate authentication requested from gateway, no valid certs found in users cert store.

------------------------------

Function: ConnectMgr::setPromptAttributes
File: .\ConnectMgr.cpp
Line: 3032
Invoked Function: setPromptAttributes
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Error text:
Certificate Validation Failure

------------------------------

Function: ConnectMgr::getNextClientCert
File: .\ConnectMgr.cpp
Line: 3605
Invoked Function: ConnectMgr :: getNextClientCert
Return Code: 0 (0x00000000)
Description: Subject Name: CN=MININT-0BJVK6E.xx.xxx.net
Common Name : MININT-0BJVK6E.xx.xxx.net
Domain      :
Company     :
Department  :
Issuer Name : DC=net, DC=xxx, DC=xxx, CN=xxx

------------------------------

Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 1703
Invoked Function: ConnectMgr::processIfcData
Return Code: 12044 (0x00002F0C)
Description: A certificate is required to complete client authentication

Connection attempt failed.  Please try again.



All help appreciated.


Regards

//Robert

jdismukes Wed, 09/29/2010 - 13:57

I have a client that is seeing the same exact issue. There are two CAs, a Root and a Sub CA. If we manually request a certificate via the Certificates snap-in we are able to log in fine. Yet the machine certificate issued via group policy will not work.

The main difference we see when using the AD-generated certificate is that we get the following entry in the event log.


Function: ConnectIfc::send
File: .\ConnectIfc.cpp
Line: 897
Invoked Function: ConnectIfc::connect
Return Code: 0 (0x00000000)
Description: Auth Cookie acquired


Thanks for the help out


kevinm2264 Fri, 01/27/2012 - 05:18

I struggled with this issue, and it only occurred on Windows 7 machines. The solution for me was a one-line command to allow the certificates to be used on the outside interface.


ssl certificate-authentication interface port 443


Just in case anyone is still having issues with the Certificate Validation error.

robert-olsson Fri, 01/27/2012 - 05:51

I found the issue in our environment to be that AnyConnect could not access the computer cert in the cert store on Windows 7.

After also generating user certs for people the issue was resolved.

We have All in the .XML file, but that didn't help.

Using user certs was actually better for us, given the way we decided to proceed in the switch from the IPsec VPN client to AnyConnect.


Hope this helps someone out there.
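
The two findings in this thread (the client logging "no valid certs found in users cert store" while a cert is visibly installed, and a machine cert failing where a manually requested user cert works) come down to which store the client searches and whether the logged-on user can actually use the key it finds. The script below is an added diagnostic example, not code from the thread or from Cisco: it walks the user and machine personal stores and reports, per certificate, the checks a client would plausibly apply before offering it (validity period, Client Authentication EKU, expected issuer, private-key access, chain to a trusted root). It approximates AnyConnect's selection rather than reproducing it. Assumptions: the CA name placeholder 'CN=xxx' is replaced with your issuing CA's CN, and the profile's CertificateStore setting ("All" in the .XML file above) lets the client look in the store where the cert lives. Run it as the ordinary user in a non-elevated PowerShell so the private-key check reflects that user's rights, which is exactly what differs for a machine cert issued by group policy.

```powershell
# Added example (not from the thread). Lists certificates in the user and
# machine personal stores and says why each would be unusable for client auth.
# Assumption: $IssuerMatch is a substring of your issuing CA's subject DN.
$IssuerMatch   = 'CN=xxx'              # hypothetical placeholder; set your CA's CN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$Now           = Get-Date

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Output "== $store =="
    foreach ($cert in Get-ChildItem $store) {
        $reasons = @()

        if ($cert.NotBefore -gt $Now -or $cert.NotAfter -lt $Now) {
            $reasons += 'outside validity period'
        }

        # No EKU extension means any purpose; otherwise clientAuth must be listed.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
            if ($oids -notcontains $ClientAuthOid) { $reasons += 'no Client Authentication EKU' }
        }

        if ($cert.Issuer -notlike "*$IssuerMatch*") {
            $reasons += 'issuer is not the expected CA'
        }

        # A machine cert whose key ACL excludes this user fails here: the cert is
        # visible in the store but the key cannot be opened, so it cannot be offered.
        if (-not $cert.HasPrivateKey) {
            $reasons += 'no private key associated'
        } else {
            try {
                if ($null -eq $cert.PrivateKey) { $reasons += 'private key could not be loaded' }
            } catch {
                $reasons += 'private key not accessible to this user'
            }
        }

        # Build the chain to a trusted root, as a client does before offering the cert.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $reasons += "chain does not build ($status)"
        }

        if ($reasons.Count -eq 0) { $verdict = 'USABLE' }
        else { $verdict = 'skipped: ' + ($reasons -join '; ') }
        '{0}  {1}  {2}' -f $cert.Thumbprint, $cert.Subject, $verdict
    }
}
```

If the machine-store cert is reported as "private key not accessible to this user" while the same cert is USABLE from an elevated prompt, the problem is key-permission on the client, not the ASA; a cert that is USABLE in both stores but still rejected by the gateway points instead at the ASA side (trustpoint, interface binding, or the ssl certificate-authentication setting discussed in this thread).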

kevinm2264 Fri, 01/27/2012 - 06:05

We were already using user certs and would get the error "Certificate Validation Failure" from the Cisco AnyConnect client. If we launched the session from the SSL page, the install would complete and AnyConnect would connect without an issue. On the second attempt, launching the AnyConnect client, we would get the "Certificate Validation Failure" and, because only clients with valid certs can connect, the session was terminated.


The solution for the Windows 7 clients was to apply the command

ssl certificate-authentication interface port 443
