Cisco Support Community
New Member

Anyconnect w Windows 7 certificate error

Ok so here's the scoop: I have a VPN set up on our ASA5510, authentication is happening via local user database and local certificate authority. Everything works as it should on a Windows XP system: install the certificate, launch Anyconnect, the VPN connects just fine.

On a Windows 7 Pro installation, I can launch the VPN via web browser and connect to the VPN just fine. When I try to connect the VPN directly from the Anyconnect software via the start menu I get a "Certificate Validation Failure" error. I have tried reimporting the certificate, regenerating, etc. The cert is in the certificate store. I upgraded to Anyconnect 2.4 and still get the same issue. Anyone run into this problem?

Cisco Employee

Re: Anyconnect w Windows 7 certificate error

Can you provide the Anyconnect event logs and the following debugs from the ASA:

debug webvpn 128

deb web svc 128

deb crypto ca 255

New Member

Re: Anyconnect w Windows 7 certificate error


Same error for us.

The Certificate used on the ASA outside interface is from our own CA-server.

XP clients work just fine connecting with Anyconnect.

But when using Windows 7 we directly get the error "Unable to process response from ..." and "Certificate validation failure".

Could it be that the Anyconnect client can't access the cert store correctly on Windows 7 in certain circumstances?

Anyone recognise this?

Root cert for our domain and CA is in the cert store.

As a side note, the latest full IPSec client works great on Windows 7. This is also using computer certs from our CA.

The debug didn't give that much on the ASA.

Attaching some selected errors from the Anyconnect part of the Event Viewer.

(Company info x'ed out below)

Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 2239
Certificate authentication requested from gateway, no valid certs found in users cert store.


Function: ConnectMgr::setPromptAttributes
File: .\ConnectMgr.cpp
Line: 3032
Invoked Function: setPromptAttributes
Return Code: -33554423 (0xFE000009)
Error text:
Certificate Validation Failure


Function: ConnectMgr::getNextClientCert
File: .\ConnectMgr.cpp
Line: 3605
Invoked Function: ConnectMgr :: getNextClientCert
Return Code: 0 (0x00000000)
Description: Subject Name:
Common Name :
Domain      :
Company     :
Department  :
Issuer Name : DC=net, DC=xxx, DC=xxx, CN=xxx


Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 1703
Invoked Function: ConnectMgr::processIfcData
Return Code: 12044 (0x00002F0C)
Description: A certificate is required to complete client authentication

Connection attempt failed.  Please try again.

All help appreciated.



New Member

Re: Anyconnect w Windows 7 certificate error

I have a client that is seeing the same exact issue. There are two CAs, a Root and a Sub CA. If we manually request a certificate via the Certificate Snap-in we are able to log in fine. Yet the Machine certificate issued via group policy will not work.

The main difference we see is that when using the AD-generated certificate we get the following error in the event log.

Function: ConnectIfc::send
File: .\ConnectIfc.cpp
Line: 897
Invoked Function: ConnectIfc::connect
Return Code: 0 (0x00000000)
Description: Auth Cookie acquired

Thanks for the help out

New Member

Anyconnect w Windows 7 certificate error

I struggled with this issue and it only occurred on Windows 7 machines. The solution for myself was a one line command to allow the certificates to be used on the outside interface.

ssl certificate-authentication interface port 443

Just in case anyone is still having issues with the Certificate Validation error.

New Member

Anyconnect w Windows 7 certificate error

I found the issue in our environment to be that Anyconnect could not access the computer cert in the cert store for Windows 7.

After also generating user certs for people the issue was resolved.

We have All in the .XML file but that didn't help.

Using usercert was actually better for us the way we decided to proceed in the switch from IPSEC VPN client to Anyconnect.

Hope this helps someone out there.
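
A diagnostic sketch for the symptom discussed in this thread ("no valid certs found in users cert store"), added here as an example and not taken from any poster or from Cisco: it lists the certificates in the current user's and the machine's Personal stores and flags the usual reasons a certificate cannot serve for client authentication. The checks (private key present, validity window, Client Authentication EKU, chain builds) are generic X.509 assumptions, not AnyConnect's documented selection logic.

```powershell
# Added example: generic client-certificate checks, not AnyConnect's own logic.
# Avoids PowerShell 3+ syntax so it also runs on the 2.0 shipped with Windows 7.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
$now = Get-Date

function Test-ClientCert {
    param($Cert, [string]$Store)

    # An absent EKU extension means "any purpose"; if present it must list clientAuth.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = (-not $eku) -or
        (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid)

    # Build the chain against the local trust stores (root and sub CA must be present).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: keep the check offline
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Store         = $Store
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ClientAuthEku = $ekuOk
        ChainBuilds   = $chainOk
        ChainStatus   = $status
    }
}

# User store first, then machine store: the two places compared in this thread.
$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ClientCert -Cert $_ -Store $store }
}

$results |
    Select-Object Store, Subject, Issuer, HasPrivateKey, InValidity, ClientAuthEku, ChainBuilds, ChainStatus |
    Format-List

# Summarise which stores hold at least one certificate that passes every check.
$usable = @($results | Where-Object {
    $_.HasPrivateKey -and $_.InValidity -and $_.ClientAuthEku -and $_.ChainBuilds })
'Usable client certificates: {0}' -f $usable.Count
$usable | Group-Object Store | ForEach-Object { '  {0}: {1}' -f $_.Name, $_.Count }
```

Run it as the same user who launches AnyConnect. `HasPrivateKey` only shows that a key is associated with the certificate, not that this user is permitted to use it, so a machine certificate can pass every check here and still be unusable from a non-elevated session.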

New Member

Anyconnect w Windows 7 certificate error

We were already using User Certs and would get the error "Certificate Validation Failure" from the Cisco Anyconnect client. If we launched the session from the SSL page, the install would complete and Anyconnect would connect without an issue. On the second attempt, launching the Anyconnect client, we would get the "Certificate Validation Failure" and because only clients with valid certs can connect, the session was terminated.

The solution for the Windows 7 clients was to apply the command

ssl certificate-authentication interface port 443
