Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Anyconnect works in gui but not in cli

Hello,

I'm trying to connect to an unsecured server (with a self signed certificate) using Cisco AnyConnect Secure Mobility Client (version 3.1.00495).

In a test server with x-window installed thus using anyconnect gui I'm able to establish the connection, but when I try to use the cli I can not.

The problem, I think, is that when the vpn client tries to download the connection configuration, it doesn't ask for certificate acceptance (as it does in the initial connection).

This is what happens:

VPN> block 0

block 0

  >> Sucessfully updated preference to allow for untrusted servers

VPN> connect xxx.xxx.xxx.xxx/proj

connect xxx.xxx.xxx.xxx/proj

  >> contacting host (xxx.xxx.xxx.xxx/proj) for login information...

  >> notice: Contacting xxx.xxx.xxx.xxx/proj.

VPN> AnyConnect cannot verify the VPN server: xxx.xxx.xxx.xxx

    - Certificate is from an untrusted source.

Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted VPN servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

Always trust this VPN server and import the certificate? [y/n]: n

  >> Please enter your username and password.

Username: USER

Password: PASS

  >> notice: Please respond to banner.

VPN>

...

UNAUTHORISED ACCESS IS PROHIBITED BY LAW!

accept? [y/n]: y

  >> state: Connecting

  >> notice: Establishing VPN session...

The AnyConnect Downloader is analyzing this computer. Please wait...

The AnyConnect Downloader is performing update checks...

  >> notice: Checking for profile updates...

  >> notice: Checking for product updates...

Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator.

  >> error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

  >> notice: Connection attempt has failed.

  >> state: Disconnected

Is there any way to correct this so I can establish the connection via cli?

Thanks in advance.

1 REPLY
Community Member

Anyconnect works in gui but not in cli

Hi,

After a little digging around I found this:

http://blog.bstpierre.org/fixing-certificate-errors-with-cisco-anyconnect

Especially this part worked for me.

Thanks for putting up these notes Brian. I had this same problem (Ubuntu 10.04, AnyConnect 2.5 and 3.0 clients). To make it simpler, I just did 3 steps:

  1. Get the actual certificate name:

    openssl s_client -connect example.com:443  |& sed -n '/^issuer=/s/.*CN=//p'

  2. Launch Firefox (using 12), go to Preferences -> Advanced ->  View Certificates. Scroll down till you see the exact name step 1  printed. Select that cert, then hit Export and save with .pem extension.

  3. sudo cp YourExported.pem /opt/.cisco/certificates/ca/

thanks.

3601
Views
0
Helpful
1
Replies
CreatePlease to create content