×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Certificate Validation Failure with AnyConnect only on MAC

Unanswered Question
Apr 3rd, 2012
User Badges:

Hi,


I have an anyconnect account set up using version 3.0.5080 and connecting to an ASA 5510 base 8.2(2)17. We are using certificates for authentication. If I try and use the account on a windows machine it all works fine.


However on a mac running Lion if I try and connect via a web browser or already have the anyconnect client loaded and try to connect I always get “certificate Validation Failure”. I double checked the certificate was correct and am sure that is correct as it is the same certificate on the Windows and the mac. After searching online I have also tried editing the anyconnect profile to so it is set “certificate store override”, and put the certificates and key in the “user/.cisco/certificates” and  “/opt/.cisco/certificates” folders.


After further testing, if I change the anyconnect connection profile to “authentication aaa” I can connect fine. Then if I disconnect, change it back to “authentication certificate” I can connect fine the first time, but all the following subsequent efforts I make fail. If I repeat this process this happens each time, I can connect the first time but after that it fails with the same “certificate Validation Failure” error message. When it connects this first time I checked and confirmed that it is definitely using the certificate. I have also tried using both authentication methods (“authentication aaa certificate”) and had the same problem.


This leads me to believe that my configuration is correct and it is some bug in the anyconnect client or the ASA image. I have had a look through bugs and read somewhere that there was a bug on earlier versions of 8.4, but nothing about 8.2. Does anyone have any recommendations of anything else I can try to fix the problem.


Thanks


Stephen

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
stephen harding Tue, 04/03/2012 - 12:22
User Badges:

I found a work around for this where if I import the certificate into firefox and connnect via that it works since firefox it has its own certificate store. So for each time you connect you got to the direct url link for your anyconnect, it will use the anyconnect client off the mac and connect using the cert in the browser. You can then close the browser, but if you disconnect the client the only way to reconnect is to use the browser again.


I guess this proves that safari or the anyconnect client is for some reason not seeing the certificate in the keychain. I still dont know why this is. May try updating to 8.4 to see if it fixes it.

Actions

This Discussion