Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

AnyConnect 3.1.04066 certificate issuses

Hello,

I use an ASA5505 running ASA verion 9.1.(2).

I upgraded my AnyConnect packages to 3.1.04066 (win and osx) from 3.1.0.04059 yesterday and now I can no longer connect to the ASA with my OSX-client. Windows client still works fine and connects to the ASA.

The ASA is using a self-signed certificate and no other changes have been made but changing the webdeployment-packages containing the client for Windows and OSX.

I get two errormessages:

First:

error1.jpg

Second:

error2.jpg

Any thoughts on this problem?

I have tried to remove the .anyconnect file under the users home folder in OSX.

I have reinstalled the client on the OSX-computer

Regenerated a new certificate on the ASA and that certificate works fine with the wondows client but no luck with OSX.

Best regards

// Fredrik M

Everyone's tags (3)
4 REPLIES

AnyConnect 3.1.04066 certificate issuses

Have you checked this one:

https://tools.cisco.com/bugsearch/bug/CSCug13458/?referring_site=ss

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
New Member

AnyConnect 3.1.04066 certificate issuses

I red about the bug but could not find the appropriate certificate in the keychain-access application to do a Always trust so no luck there.

Downgraded the OSX-client back to 3.1.0.04059 and then everything works again for OSX-users. But I ket the new one for Windows where the new version works just fine.

I haven't tried if I get the same problem with a public certificate, the ASA I'm working on right now only uses self-signed certificates generated on the ASA.

/ Fredrik

New Member

AnyConnect 3.1.04066 certificate issuses

I am seeing the exact same issue and exact same results.

New Member

AnyConnect 3.1.04066 certificate issuses

The problem is with FIPS (Federal Information Processing Standard). On default ASA disables it but in 3.1.04066 OSX client there's a bug that forces it on. FIPS wont accept default self-signed certificates and prevents the connection.

To fix the issue, upgrade or downgrade your client. Currently newest version is 3.1.04072 that also has some improvements for OSX 10.9

The root of the problem is still the default self-signed certificate that anyconnect uses. This might also cause annoying security warning pop-ups whenever a user connects to an ASA with these default certificate settings.

Check this, Example Set 3, Scenario C.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin2.html#wp1000596

Had the same problem and this is my impression of the reasons for this problem. Someone can correct me if there's any mistakes.

1164
Views
0
Helpful
4
Replies
CreatePlease to create content