Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Anyconnect and Certificate auth using SCEP failing

In short I'm getting the error "AnyConnect cannot confirm it is connected to your secure gateway"

I'm trying to use proxy SCEP, so that the anyconnect client actually enrolls with the CA via the ASA when building the connection, so that the user doesn't have to start going to places manually installing certificates on their machines.

I've been asked by a customer to bolt on to their existing AnyConnect solution I built, certificate authentication. I've built it in a lab on GNS. All goes well, I can get the anyconenct VPN to connect using the local DB users -fine. Then, I've set up a Cisco router as the CA and to auto-enroll, this works fine for the ASA, I get that enrolled and all working well. So it's all looking good at this point, but I cannot get the Anyconnect client to use the certificate like in all the docs I've read and videos I've watched of other people doing it.

I've done the following to set it up after the ASA is enrolled which I believe is correct:

1. Changed the SSL settings on the outside to use the new cert

2. Set the anyconnect profile to use cert and local authentication

3. Under the group policy for anyconnect, I've manually put in the scep url of http://x.x.x.x:80, the same one I enrolled the ASA with

4. Under the Anyconnect client profile I have enabled certificate enrollment and set the same CA url in here too

But as soon as I fire up the Anyconnect session, I get the error "AnyConnect cannot confirm it is connected to your secure gateway" ????

As soon as I go back into the connection profile and drop it back to LOCAL auth, it works fine again?!

Both the ASA and Client PC have reachablility to the CA server.

On a side note, I put the CA server router on the OUTSIDE of the firewall, as I've no idea how the client PC is meant to communicate with it otherwise? If the tunnel isn't built, how can the client get to the CA server located on the inside of the firewall? -That doesn't make sense?

Any advice much appreciated. If there's a guide building this from scratch, that'd be even better!! Most of the guides only show you how to configure SCEP on the ASA, not how to build the rest of the setup including the client and CA server


New Member

Anyconnect and Certificate auth using SCEP failing

I've fixed this and got the solution working with a IOS CA, but failing with a Server 2008 CA. So I'll post antoehr thread for that.