Anyconnect Server Certificate Problem on Windows 2008

acheung
Level 1

Hi,

I'm new to Cisco, so please bear with me.

But right now I'm trying to get Anyconnect 3.0.08057 running on a 5510 with 8.3 (1) on a Windows 2008 R2 Server running terminal services. I know it's not officially supported, but as a VPN workaround to another site we're attempting to use Anyconnect SSL VPN. I've made a test terminal server and it works beautifully. However, when I attempt with our production we get this error after entering my username and password:

The certificate on the secure gateway is invalid. A VPN connection will not be established.

Comparing event logs with a working 2008 Server and this one shows that it's disconnecting because of:

Function: CCertOpenSSLAdapter::verifyServerCertificate
File: .\CertOpenSSLAdapter.cpp
Line: 918
Invoked Function: CCertHelper::CheckServerCertThumbprintAlt
Return Code: -31391732 (0xFE21000C)
Description: CERTSTORE_ERROR_HASH_MISMATCH

I've made sure Strict Cert Trust is disabled and I've tried Cert Store Override but it never works on that specific box. I've also tried to load the cert (a self-signed) onto the Cisco Certstore as well as the machine and user cert stores but it never works.

I was wondering if anyone has seen this before or can point me to a right direction. Let me know if you need to see any specific part of the config.

Thanks!

Alvin

2 Replies

Hi,

Are you doing certificate authentication?

Does it happen with username and password authentication?

Thanks

Sent from Cisco Technical Support Android App

Hi Javier,

I am not doing cert authentication and it's happening when using local authentication with a username and password. Again, it only happens on a single machine. It seems that the connection is failing when Anyconnect tries to validate the cert it has for the ASA against the one in its cert store (I have no idea where it would be located) and fails when the hashes don't match. That's only a guess, but I think a reasonable one at this point.

Thanks!
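The failure described in this thread is a thumbprint comparison: the client hashes the DER encoding of the certificate the gateway presents and compares that value against a fingerprint it already holds, and a `HASH_MISMATCH` result means the two differ (typically because the gateway certificate was re-issued or replaced after the old fingerprint was recorded). The following is an added, self-contained illustration of that check, written for this page and not taken from the thread, from AnyConnect, or from any Cisco code; it assumes a SHA-1 or SHA-256 thumbprint over the DER bytes, and the "old" and "new" certificate blobs are constructed byte strings, not real certificates.

```python
"""Illustrative server-certificate thumbprint check (added example).

Shows how a pinned fingerprint is compared with the certificate a gateway
presents, why hashing PEM text instead of DER gives a spurious mismatch,
and how a stale pin (old cert) against a re-issued cert produces a
hash-mismatch result. Sample certificates are constructed bytes, not X.509.
"""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Digest algorithm inferred from the hex length of a pasted fingerprint.
DIGEST_LENGTHS = {40: "sha1", 64: "sha256"}


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of PEM text to its DER bytes.

    Thumbprints are computed over DER; hashing the PEM text itself is a
    common way to get a fingerprint that matches nothing."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Thumbprint: upper-case hex digest of the DER encoding, no separators.
    Windows and the ASA display SHA-1 thumbprints; browsers now show SHA-256."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Reduce a fingerprint pasted from a GUI or openssl output to bare hex.
    Accepts 'AB:CD:...', 'ab cd ...' and 'SHA1 Fingerprint=AB:CD:...'."""
    if "=" in text:
        text = text.split("=", 1)[1]
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def check_server_cert(presented_der: bytes, pinned_fingerprint: str) -> dict:
    """Compare the presented certificate against a pinned fingerprint.

    The digest algorithm is chosen from the pinned value's length, the
    presented DER is hashed with it, and the comparison is constant-time."""
    pinned = normalize_fingerprint(pinned_fingerprint)
    algorithm = DIGEST_LENGTHS.get(len(pinned))
    if algorithm is None:
        raise ValueError(f"unrecognised fingerprint length {len(pinned)}")
    presented = thumbprint(presented_der, algorithm)
    return {
        "algorithm": algorithm,
        "presented": presented,
        "pinned": pinned,
        "match": hmac.compare_digest(presented, pinned),
    }


# Constructed sample data (NOT real certificates): the gateway cert that was
# pinned earlier, and the re-issued cert the gateway presents now.
OLD_GATEWAY_DER = b"constructed-old-gateway-cert:" + bytes(range(48))
NEW_GATEWAY_DER = b"constructed-new-gateway-cert:" + bytes(range(48, 96))
NEW_GATEWAY_PEM = der_to_pem(NEW_GATEWAY_DER)


def demo() -> dict:
    """Run the check with a stale pin and with a current pin; return both."""
    presented = pem_to_der(NEW_GATEWAY_PEM)            # what the gateway sends
    stale = check_server_cert(presented, thumbprint(OLD_GATEWAY_DER))
    fresh = check_server_cert(presented, thumbprint(presented, "sha256"))
    return {"stale_pin": stale, "current_pin": fresh}


if __name__ == "__main__":
    for name, result in demo().items():
        state = "OK" if result["match"] else "HASH MISMATCH"
        print(f"{name}: {state} ({result['algorithm']}) "
              f"presented={result['presented']} pinned={result['pinned']}")
```

Running the block reports `HASH MISMATCH` for the stale pin and `OK` for the current one. When troubleshooting a single failing client, the useful comparison is the thumbprint of the certificate the gateway actually serves (for example as shown by `openssl s_client` or a browser) against whatever fingerprint the client or its certificate store holds; a mismatch on one machine but not another points at a stale or different stored certificate on that machine rather than at the gateway.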
