Anyconnect Error when using SBL

roadzy
Level 1

I keep getting this error:

AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

I can log in to Windows 7, connect using the AnyConnect client and it works fine. But I will log out, launch the AnyConnect client to connect before logging in to Windows and I get the error above. I've read everything I can find and am out of ideas. I've installed the ASA certificate into the Trusted Root store and that took away the untrusted connection message when connecting from

Guides I've looked at:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/administration/guide/22admin4.html#wp1008064

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/admin_swconfig.html#wp1242861

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/user/messages/ac25-vpn-user-msgs.html

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html

https://supportforums.cisco.com/thread/2156081

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_anyconnect.html

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/user/messages/ac30-vpn-user-msgs.html

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp43187

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac09localpolicy.html

So what am I missing?

Thanks!

7 Replies

k.moyers
Level 1

I am also having this issue with exactly one client on Windows XP. The issue only exists when attempting to SBL. Client version is 3.1.02040.

I ended up giving up since I don't have a support contract and can't put a ticket in for help. I ended up turning on the feature to stay logged in when logged out. So I had the users log in to the VPN, then log out and log back in. Not ideal, but at this point it's my only option.

I opened a TAC case and will update this thread when resolved.

Thanks!  If they need any additional info, just let me know. 

The solution in my case was to install the intermediate certificate on the local machine (computer account) in the trusted root store.

How did you install the intermediate certificate? We're using a self-generated certificate on the ASA for the AnyConnect connections.

Open mmc.exe via Run and then add a computer account certificate snap-in. Then you can manage your computer certificates.

After the certificate has been added to your Local Computer certificate store (note: NOT the Current User certificate store) you should be fine.

One more thing I noticed is that SBL does not accept IP addresses when connecting to ASA. You must use a domain name. And that domain name must match the subject's CN inside the certificate.
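
The two conditions raised in the replies above (certificate in the Local Computer store rather than Current User, and a gateway name that is not an IP address and matches the subject CN) can be checked with a short script. This is an added example, not something posted by a participant in the thread; the gateway name `vpn.example.com` and the path `C:\temp\asa-cert.cer` are placeholder assumptions.

```powershell
# Added example: pre-flight check for AnyConnect Start Before Logon (SBL).
# Placeholders (assumptions, not from the thread): gateway name and certificate path.
param(
    [string]$Gateway  = 'vpn.example.com',      # name entered in the AnyConnect client
    [string]$CertPath = 'C:\temp\asa-cert.cer'  # certificate exported from the ASA
)

function Test-SblGatewayName {
    param([string]$Name, [string]$Subject)
    $ip = $null
    # An IP address literal fails the check, per the last reply in the thread
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$ip)) { return $false }
    # Pull the CN out of the subject DN and compare case-insensitively
    if ($Subject -match 'CN=([^,]+)') { return ($Matches[1].Trim() -ieq $Name) }
    return $false
}

function Find-CertInRootStore {
    param([string]$Thumbprint, [string]$Location)  # 'LocalMachine' or 'CurrentUser'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        return @($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }).Count -gt 0
    } finally { $store.Close() }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# SBL connects before any user logs on, so only the Local Computer store counts.
# The CurrentUser view also shows machine-wide roots, hence the order of the tests.
$inMachine = Find-CertInRootStore $cert.Thumbprint 'LocalMachine'
$inUser    = Find-CertInRootStore $cert.Thumbprint 'CurrentUser'

if ($inMachine) {
    "OK: certificate $($cert.Thumbprint) is in LocalMachine\Root"
} elseif ($inUser) {
    "PROBLEM: certificate is only in CurrentUser\Root; import it into the Local Computer store"
} else {
    "PROBLEM: certificate is not in a Trusted Root store"
}

if (Test-SblGatewayName $Gateway $cert.Subject) {
    "OK: '$Gateway' is a host name and matches the certificate subject CN"
} else {
    "PROBLEM: '$Gateway' is an IP address or does not match subject '$($cert.Subject)'"
}
```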