03-01-2012 03:36 AM - edited 02-21-2020 05:55 PM
I have an issue with AnyConnect 3.0.5080 and ASA image 8.4(3) with AnyConnectLocalPolicy.xml in use. The problem appears while authenticating users based on the client certificate + LDAP and using AnyConnectLocalPolicy.xml with ExcludeFirefoxNSSCertStore set to true.
There are two consecutive messages that say: "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." and then "The certificate on the secure gateway is invalid. A VPN connection will not be established."
Of course I put the CA and client certs in /opt/.cisco/certificates/... The ASA's identity certificate is not self-signed and is 100% valid. I'm using a Linux machine (Ubuntu 11.10).
As soon as I change the ExcludeFirefoxNSSCertStore value from true to false, everything works perfectly and AnyConnect uses the client pem files located in /opt/.cisco/...
Any idea? My goal is to make client VPN configuration Firefox independent.
Regards,
Gabriel
03-01-2012 05:00 AM
I have just tested a scenario where I tried to establish a VPN connection using the machine cert store (/opt/.cisco/certificates/) and the ASA local AAA database, and I had no Firefox installed on the client machine. The result was exactly the same....
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
The certificate on the secure gateway is invalid. A VPN connection will not be established.
It seems that there is no way to successfully establish a connection without Firefox installed. Can anyone confirm that issue?
Regards,
Gabriel
05-29-2012 01:59 PM
Was anyone able to resolve this issue?
I tried to put the server's certificate chain into ~/.cisco/certificated/ca/ but it did not help.
05-29-2012 11:19 PM
Hi Vadim,
Gabriel Skupien
05-30-2012 11:18 AM
Thank you Gabriel for the reply.
I was able to resolve this issue. It turned out not to be related to the ExcludeFirefoxNSSCertStore option at all. I got an error due to the incorrect format of the AnyConnectLocalPolicy.xml file. I took this file from Cisco's documentation at
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However, the example is missing quotes on the xmlns and xmlns:xsi elements in
The VPN client displayed a "certificate invalid" error, which is why I thought that it could not validate the certificate itself:
>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.
But when I checked syslog I saw a more informative message, which prompted me to validate the XML against the XSD schema.
...
May 30 13:19:13 MYHOST acvpnagent[30662]: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown
...
May 30 13:19:13 MYHOST acvpnagent[20544]: Termination reason code 59: Connection attempt failed due to certificate problems.
...
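A well-formedness check of the kind Vadim describes, written as an added example that is not part of this thread or of Cisco's tooling: it parses a policy file whose xmlns attribute values lack quotes beside the same policy written correctly, and additionally collects every Exclude*CertStore flag so the effective cert-store configuration can be read before the client is started. The namespace URIs in the samples are assumptions; only the element and attribute names come from the posts above.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not taken from the thread). The namespace URIs are
# assumptions; the element names are the ones discussed in the posts.
BROKEN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns=http://schemas.xmlsoap.org/encoding/
    xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance>
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""

GOOD_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_policy(xml_text):
    """Parse a policy file and report well-formedness plus the cert-store flags.

    Returns a dict with 'well_formed', 'error' (parser message or None) and
    'stores' (every Exclude*CertStore element mapped to its boolean value).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # This is the failure the client surfaces only as "certificate invalid";
        # the parser's own message names the real cause.
        return {"well_formed": False, "error": str(exc), "stores": {}}
    if local_name(root.tag) != "AnyConnectLocalPolicy":
        return {"well_formed": True,
                "error": "unexpected root element %s" % local_name(root.tag),
                "stores": {}}
    stores = {}
    for el in root:
        name = local_name(el.tag)
        if name.startswith("Exclude") and name.endswith("CertStore"):
            stores[name] = (el.text or "").strip().lower() == "true"
    return {"well_formed": True, "error": None, "stores": stores}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_POLICY), ("good", GOOD_POLICY)):
        print(label, check_policy(text))
```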