AnyConnect client 3.1.04063 Windows 7 x64 users cannot make ssl connection

Cheryl Krueger
Level 1

Over the past week several of my users have suddenly found they cannot connect with a previously working client. After the login banner is accepted they all get an error message "The certificate on the secure gateway is invalid. A VPN connection will not be established." Then another message "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." On the ASA 5540 logs I see successful authentication and then the device is trying to establish an SSL session which is denied and then the connection is terminated.

I have verified that the SSL certificates are valid and are installed in the trusted root certificates location. I have checked that ICS is disabled. I have checked that the VPN adapter display name is correct.

Does anyone have any ideas?

5 Replies

m.kafka
Level 4

As I don't use Win7 I can't give you detailed steps, at least you are lucky because on Windows there are quite some debugging possibilities and extensive logs. It's quite easy to find with a search engine (site:cisco). Once you have access to the debug traces and logs I will do my best to interpret it for you.

Maybe a Win7 update changed some policies how certificates are handled...

sauaggar
Level 1

Hi,

If you want to use a self-signed certificate for the ASA and still want to use AnyConnect, then try the workaround mentioned below.

Browse to AnyConnect client > VPN > Preferences

and uncheck the BLOCK CONNECTION TO UNTRUSTED server checkbox.

If you are using self-signed certificates on the ASA then even if you install them in the trusted root certificate store on the client machine you would continue to get that warning. You would have to use a third-party ID certificate for the ASA to resolve that issue.

We are not using a self-signed cert. We have a cert issued by the DoD. It seems like a user who had previously connected and is on Windows 7 x64 will not be able to connect. Users who have never connected and browse to the site will be able to successfully connect.

Additional information: I have cleared all DoD-related certs and the server cert from certmgr.msc on an affected Windows box. Uninstalled the AnyConnect application and all remnant files. Cleared the SSL cache in both IE and Firefox browsers. I rebooted then tried connecting via the web address but am receiving the same issue.

I wanted to share the fix we found to this problem. We installed the FBCA Cross-Certificate Remover 1.0 tool from the IASE web site under the Certificate Validation section. Hope this helps someone else out there that may have a similar problem.
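The fix above points at the certificate chain Windows builds for the gateway cert rather than at the cert itself. The following PowerShell is an added diagnostic example, not code from the thread or from Cisco: it lists cross-certificates present in the local stores (a cert carrying the subject of an already-trusted root but issued by a different CA, which gives the chain builder an alternate path) and prints the chain Windows actually builds for an exported gateway certificate. The path `C:\temp\gateway.cer` is a placeholder assumption.

```powershell
# Added example (not from the original post). Run in Windows PowerShell on the affected client.

function Find-CrossCertificates {
    # A cross-certificate has the same Subject as a root you already trust but a different
    # Issuer (e.g. a bridge CA). Its presence lets the chain builder pick a longer path
    # ending at a root the client may not trust, which is what AnyConnect then rejects.
    $rootSubjects = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        ForEach-Object { $_.Subject } | Sort-Object -Unique
    Get-ChildItem Cert:\LocalMachine\CA, Cert:\CurrentUser\CA |
        Where-Object { ($rootSubjects -contains $_.Subject) -and ($_.Issuer -ne $_.Subject) } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-GatewayChainReport {
    # Builds the chain for an exported gateway certificate (assumed path) and reports
    # every element plus the overall chain status, so you can see which root was reached.
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation here: the question is which path is built, not whether CRLs are reachable.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $depth = 0
    foreach ($el in $chain.ChainElements) {
        [PSCustomObject]@{
            Depth   = $depth++
            Subject = $el.Certificate.Subject
            Issuer  = $el.Certificate.Issuer
            Status  = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        } | Format-Table -AutoSize | Out-String | Write-Host
    }
    # Statuses such as UntrustedRoot or PartialChain describe the path, not the leaf cert.
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    return $built
}

Write-Host "Cross-certificates found in the CA stores:"
Find-CrossCertificates | Format-Table -AutoSize
Write-Host "Chain built for the gateway certificate (placeholder path):"
$valid = Get-GatewayChainReport -CertPath 'C:\temp\gateway.cer'
Write-Host "Chain valid: $valid"
```

Compare the last element's Subject with the root you expect the gateway to chain to; if a bridge CA appears instead and the chain reports UntrustedRoot or PartialChain, the cross-certificate listed by the first function is the reason.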


Jayesh Nair
Level 1

I had the same problem. I went to services.msc and tried to stop/start the BFE service, although it couldn't stop the service, I went back and tried connecting and it started working. Hope it helps.