Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Anyconnect fails at firs attempt (certificate authentication)


I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is  to force user to connect from registered machines only (winXP & win7 x32 and  x64). To do this, I used machine certificates issued by own CA. Certificate  is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA  validating machine certificate, then user is prompted for username/password  and finally if all is correct - connection is established.

My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The  appropriate .xml profile is predeployed at client host asa well as machine and root certificates.

Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.

The goal is to succesfuly establish connection with aaa & cert.

With DART i get:


Type        : Error

Source      : acvpnagent

Description : Function: CTransportWinHttp::WinHttpCallback

File: .\CTransportWinHttp.cpp

Line: 2150

Invoked Function: WinHttpCallback

Return Code: 12170 (0x00002F8A)

Description: The supplied certificate has been revoked


Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.

Any suggestions?



Everyone's tags (4)
New Member

Anyconnect fails at firs attempt (certificate authentication)

Same with AC 3.0.5080... anyone?

New Member

Anyconnect fails at firs attempt (certificate authentication)

Just wondering if the times are all correct on the ASA and CA server / clients?

I can see the message your getting is

The supplied certificate has been revoked

which may be due to the time being out of sync, pki digital certificates have a defined valid lifetime and if you get the times out of sync the certificate is not valid, this can happen on network devices more commonly without ntp.

New Member

Anyconnect fails at firs attempt (certificate authentication)

Hi Christopher,

Clocks are sync at all devices, we have ntp enabled, and as I mentioned before, certificate is valid for sure. Anyway that log is from DART, at ASA I had:

Client Cert Auth Failed! Embedded CA Server not enabled. Logging out the user.

Generally my problem looks similar like in this thread: but strange is that only the first attempt fails , any following are ok, regardless which method do I use (certs or aaa&certs).



CreatePlease login to create content