AnyConnect 3.1.04066 certificate issues

Fredrik Mansson
Level 1

Hello,

I use an ASA5505 running ASA version 9.1.(2).

I upgraded my AnyConnect packages to 3.1.04066 (win and osx) from 3.1.0.04059 yesterday and now I can no longer connect to the ASA with my OSX-client. Windows client still works fine and connects to the ASA.

The ASA is using a self-signed certificate and no other changes have been made but changing the webdeployment-packages containing the client for Windows and OSX.

I get two error messages:

First:

error1.jpg

Second:

error2.jpg

Any thoughts on this problem?

I have tried to remove the .anyconnect file under the user's home folder in OSX.

I have reinstalled the client on the OSX computer.

Regenerated a new certificate on the ASA and that certificate works fine with the Windows client but no luck with OSX.

Best regards

// Fredrik M


Michael Muenz
Level 5

Have you checked this one:

https://tools.cisco.com/bugsearch/bug/CSCug13458/?referring_site=ss

Michael

Please rate all helpful posts


I read about the bug but could not find the appropriate certificate in the keychain-access application to do an Always trust so no luck there.

Downgraded the OSX-client back to 3.1.0.04059 and then everything works again for OSX-users. But I kept the new one for Windows where the new version works just fine.

I haven't tried if I get the same problem with a public certificate, the ASA I'm working on right now only uses self-signed certificates generated on the ASA.

/ Fredrik

I am seeing the exact same issue and exact same results.

solita_admin
Level 1

The problem is with FIPS (Federal Information Processing Standard). By default the ASA disables it, but in the 3.1.04066 OSX client there's a bug that forces it on. FIPS won't accept default self-signed certificates and prevents the connection.

To fix the issue, upgrade or downgrade your client. Currently the newest version is 3.1.04072, which also has some improvements for OSX 10.9.

The root of the problem is still the default self-signed certificate that AnyConnect uses. This might also cause annoying security warning pop-ups whenever a user connects to an ASA with these default certificate settings.

Check this, Example Set 3, Scenario C.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin2.html#wp1000596

Had the same problem and this is my impression of the reasons for this problem. Someone can correct me if there are any mistakes.
