AnyConnect 3.0.5080, ASA image 8.4(3) and ExcludeFirefoxNSSCertStore problem

Unanswered Question
Mar 1st, 2012

I have an issue with AnyConnect 3.0.5080 and ASA image 8.4(3) with AnyConnectLocalPolicy.xml in use. The problem appears while authenticating users based on the client certificate + ldap and using AnyConnectLocalPolicy.xml with ExcludeFirefoxNSSCertStore set to true.

There are two consecutive messages that say: "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." and then "The certificate on the secure gateway is invalid. A VPN connection will not be established."

Of course I put the CA and client certs in /opt/.cisco/certificates/... The ASA's identity certificate is not self-signed and is 100% valid. I'm using a Linux machine (Ubuntu 11.10).

As soon as I change the ExcludeFirefoxNSSCertStore value from true to false, everything works perfectly and AnyConnect uses the client pem files located in /opt/.cisco/...

Any idea? My goal is to make the client VPN configuration Firefox-independent.

Regards,

Gabriel

gabriel.skupien.ccig Thu, 03/01/2012 - 05:00

I have just tested a scenario where I tried to establish a VPN connection using the machine cert store (/opt/.cisco/certificates/) and the ASA local aaa database, and I had no Firefox installed on the client machine. The result was exactly the same...

AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

The certificate on the secure gateway is invalid. A VPN connection will not be established.

It seems that there is no way to successfully establish a connection without Firefox installed. Can anyone confirm that issue?

Regards,

Gabriel

vadik56@gmail.com Tue, 05/29/2012 - 13:59

Was anyone able to resolve this issue?

I tried to put the server's certificate chain into ~/.cisco/certificated/ca/ but it did not help.

gabriel.skupien.ccig Tue, 05/29/2012 - 23:19

Hi Vadim,

  • Can you post your ASA's Identity certificate here? No private key needed of course!
  • Did you import all intermediate CA certs and root CA cert into the ASA cert store?

Gabriel Skupien

vadik56@gmail.com Wed, 05/30/2012 - 11:18

Thank you, Gabriel, for the reply.

I was able to resolve this issue. It turned out not to be related to the ExcludeFirefoxNSSCertStore option at all. I got an error due to the incorrect format of the AnyconnectLocalPolicy.xml file. I took this file from Cisco's documentation at

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However, the example is missing quotes on the xmlns and xmlns:xsi elements in the tag.

The VPN client displayed a "certificate invalid" error, which is why I thought that it could not validate the certificate itself:

>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.

But when I checked syslog I saw a more informative message, which prompted me to validate the XML against the XSD schema.

...

May 30 13:19:13 MYHOST acvpnagent[30662]: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown

...

May 30 13:19:13 MYHOST acvpnagent[20544]: Termination reason code 59: Connection attempt failed due to certificate problems.

...
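The failure mode in this thread, a local policy file that is not well-formed XML (attribute values without quotes) so the agent aborts the parse and the client reports a misleading certificate error, can be caught before the file is deployed with a plain well-formedness check. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed sample policy with and without the attribute quotes and reports the ExcludeFirefoxNSSCertStore value; the xmlns URIs in the sample are assumptions, and the check uses only the standard library.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the thread). The xmlns URIs are
# assumptions; the defect being demonstrated is the missing attribute quotes,
# which is the same whatever the real schema URIs are.
BROKEN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns=http://schemas.xmlsoap.org/encoding/
  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance acversion="3.0.5080">
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""

FIXED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" acversion="3.0.5080">
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_local_policy(xml_text):
    """Parse a local policy file and report:
    well_formed: whether the XML parser accepted it at all,
    error: the parser message (or a structural complaint), else None,
    exclude_firefox_nss: ExcludeFirefoxNSSCertStore as a bool, None if absent.
    A False well_formed is the condition behind the 'certificate invalid'
    message in the thread: the agent never got as far as reading the policy."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"well_formed": False, "error": str(exc), "exclude_firefox_nss": None}
    if local_name(root.tag) != "AnyConnectLocalPolicy":
        return {"well_formed": True, "error": "root element is not AnyConnectLocalPolicy",
                "exclude_firefox_nss": None}
    value = None
    for elem in root.iter():
        if local_name(elem.tag) == "ExcludeFirefoxNSSCertStore":
            value = (elem.text or "").strip().lower() == "true"
    return {"well_formed": True, "error": None, "exclude_firefox_nss": value}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_local_policy(text))
```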

Posted March 1, 2012 at 3:36 AM