Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Anyconnect Server Certificate Problem on Windows 2008


I'm new to Cisco, so please bear with me.

But right now I'm trying to get Anyconnect 3.0.08057 running on a 5510 with 8.3 (1) on a Windows 2008 R2 Server running terminal services. I know it's not officialy supported, but for a VPN work around to another site we're attempting using Anyconnect SSL VPN. I've made a test terminal server and it works beautifully. However, when I attempt with our production we get this error after entering my username and password:

The certificate on the secure gateway is invalid. A VPN connection will not be established.

Comparing event logs with a working 2008 Server and this one shows that it's disconnecting because of:

Function: CCertOpenSSLAdapter::verifyServerCertificate

File: .\CertOpenSSLAdapter.cpp

Line: 918

Invoked Function: CCertHelper::CheckServerCertThumbprintAlt

Return Code: -31391732 (0xFE21000C)


I've made sure Strict Cert Trust is disabled and I've tried Cert Store Override but it never works on that specific box. I've also tried to load the cert (a self-signed) onto the Cisco Certstore as well as the machine and user cert stores but it never works.

I was wondering if anyone has seen this before or can point me to a right direction. Let me know if you need to see any specific part of the config.



Everyone's tags (4)

Re:Anyconnect Server Certificate Problem on Windows 2008


Are you doing certificate authentication?

Does it happen with username and password authentication?


Sent from Cisco Technical Support Android App

New Member

Re:Anyconnect Server Certificate Problem on Windows 2008

Hi Javier,

I am not doing cert authentication and it's happening with using local authentication using a username and password. Again, it only happens on a singe machine. It seems that the connection is failing when Anyconnect tries to validate the cert it has for the ASA with the one in its cert store (I have no idea where it would be located) and fails when the hash's don't match. Although that's only a guess, but I think a reasonable one at this point.