Cisco Support Community


Anyconnect Always-on and certificate validation error

Hey guys. Hope that somebody has some input on this.

The Case:

The customer uses AnyConnect Always-on. There is a public SSL certificate installed on the outside interface. They have machine certificates on their PCs. I have installed an identity certificate for the ASA, issued from the customer's internal certificate server. The connection profile is set up to validate the clients' certificates and user credentials.

The problem:

When they connect they get the following error: No valid certificates available for authentication. (AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network). If I change the certificate located on the outside interface to the certificate issued by their internal certificate server, then there are no problems validating the certificate. The problem is for those who now use SSL clientless VPN: they will start getting certificate errors because the internal certificate is not publicly known.

If I do not enable Always-on, and the public certificate is on the outside interface, it can validate the client certificates fine. But if I enable Always-on again, it cannot validate the client certificates, except if I choose to put the private certificate on the outside interface???

My question is quite simple :-), is it not possible to have a public certificate on the outside interface, and still be able to validate client certificates issued from an internal certificate server when running AnyConnect Always-on??

By the way, we are running: ASA 9.1(2)8, AnyConnect 3.1.04066-k9 on Windows machines?

Hoping somebody can help.


Anyconnect Always-on and certificate validation error

Did you play with these settings in the profile:



There's also this link that discusses a way to change the automatic certificate detection which might matter:


Anyconnect Always-on and certificate validation error

Hi Steven

Yes, I did play with the settings in the XML profile; it is set to:



Regarding the link you posted, I don't think that it is the same problem. Certificate validation works, as long as I don't enable AnyConnect Always-on.
