Cisco Support Community
New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Hi,

Just to let you know:

Does someone know if Cisco AnyConnect v3.0.08057 has a bug with certificate authentication?

We have an ASA5520, IOS 8.4.3, and several tunnel-groups available. One of them uses certificate-based authentication.

We are using Cisco AnyConnect v3.0.07059 without any problems with the tunnel-group using certificate-based authentication.

However, with the latest version of Cisco AnyConnect (v3.0.08057) it doesn't work. It seems AnyConnect doesn't find a valid certificate for authentication. That's quite strange, tbh.

And as I am on Windows 7, it's currently not possible to know where AnyConnect is really looking for certificates.

Did someone encounter a similar problem?

Thanks.

Marc

22 REPLIES
New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

Hi Marc-Olivier,

I have the same issue here. It seems like there's a bug in that specific version. The bug is cross-platform, since it's present in the official Linux client as well.

I started to experience this issue after the updated version of the client got automatically pushed via the ASA (I had previously updated the package on the appliance for all operating systems).

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

Ok. Thanks for confirmation.

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

I'm starting to think this is not exactly a bug, but a consequence of the new version enforcing some stricter checks. These release notes might be a clue:

http://www.cisco.com/en/US/customer/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1577925

An extract from that link:

Changes to Server Certificate Verification

The following behavioral changes are being made to server certificate verification:

SSL and IPSec connections from the AnyConnect client to the secure gateway being performed using the FQDN of the secure gateway will no longer make a secondary server certificate verification with the FQDN's resolved IP address for name verification, if the initial verification using the FQDN fails.

SSL and IPSec connections from the AnyConnect client to the secure gateway require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment.

SSL connections from the AnyConnect client to the secure gateway require server certificates to contain an Enhanced Key Usage attribute of Server Authentication.

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

You may be right...

However, here (in your extract) we are speaking about the verification of the server certificate.

In my case, it "seems" it's more likely a client certificate error.

The AnyConnect client says (or Windows logs, in fact): no valid certificate found for authentication.

In your link we can also read:

We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons: ...

... but I never did it.

Well, at the moment we are staying with AnyConnect v3.0.07059, even if it's no longer available as a download from the Cisco website (they only leave the latest version).

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

Good point. We'll run a few tests here to try to find the culprit. I'll keep you posted!

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

We have the same issue after upgrading to 3.0.08057. Please let me know if there is any solution to this.

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

I have exactly the same issue, and I use the local CA of the ASA.

I noticed that the certificate issued to the user by the local ASA CA does not have the Enhanced Key Usage attribute of Server Authentication in the certificate details. So it must be the local ASA CA having the problem. Is there a way to add this in the local CA of the ASA?

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

I'm pretty sure Cisco is reading this. I guess we can only hope for a Cisco tech to add some input to this discussion. Clearly, this is not an isolated case.

Also, I wanted to downgrade but, as stated by Marc-Olivier, there are no older 3.0.x versions available on the website.

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Found a solution to this: you have to create a profile, and in the Certificate Matching tab you must tick the key usage that applies according to the certificate you have on the PC. Disable the certificate authentication on the connection profile, connect one time with AAA only so as to get the new settings for AnyConnect, then put back the certificate authentication and it should work.

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

We succeeded in making it work, yet something is confusing me.

In our case, the problem exists in the client certificate.
We regenerated the client certificate to contain some of the values required by the new AnyConnect version:

Key Usage attributes: Digital Signature, Key Encipherment.

Enhanced Key Usage attributes: Client Authentication.

The attached image shows how the certificate looks on a Windows 7 client, and the two values are present:

As you can see, the Enhanced Key Usage is showing an OID value corresponding to Client Authentication (1.3.6.1.5.5.7.3.2), while the Server Authentication OID (1.3.6.1.5.5.7.3.1) is absent in this case. This information was found here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121

Search in particular for the "5.2.2 AAA Server Certificate Requirements" section in that document, mentioning the EKU field.

It indeed works for us but still doesn't make sense, since the release notes are mentioning the Enhanced Key "Server Authentication" on the ASA side as a requirement, not the "Client Authentication" on the client side.

I'll try to provide more details.

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

I've just got off the phone with Cisco and a very helpful guy called Herbet Baerten, who assisted me in a workaround for this. As you've all identified, it is a problem with the latest AnyConnect using stricter checking and requiring a key usage field which is not (presently) generated on the LOCAL CA.

CSCua89091    the local CA needs to support EKU and other necessary attributes

CSCua89081    DOC: Anyconnect requires specific Extended Key Usage in client certs

To work round this, under the AnyConnect client profile in "Certificate Matching" we added a Distinguished Name check; in our case we matched "O" to the company name which was distributed in the client certificate.

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Hi Byron,

Somehow I am still having the same issue after applying your workaround on the ASA. Do you need to change anything on the client certificate side?

Thanks!

Lynn

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Hi Lynn,

Did you ever get it to work? I'm having the same issue. I tried Certificate Matching, but it didn't help. I'm not sure what else is missing.

Thanks,

Tao

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Hi Tao,

No, we did not get it to work. We opened a case with Cisco, and the tech said both the server and client certificates need to have the EKU field. I am going to wait for the next release of AnyConnect to test it out again.

Lynn

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

Did Cisco say when the next release will be out? And if it will address the strict certificate requirement issue?

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

No. Cisco did not say anything.

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

When you first went through the web portal and installed AnyConnect, did it download the correct client profile XML? If it hasn't done this, then obviously the client won't be configured correctly in future.

This is the section from our XML where we match the Company Name:

    O
    Company Name

Are you checking the logs on your client? These are quite chatty, but they do help you debug the login process.

This is the output from the system.log file on my Mac.

Aug  3 13:05:43 Odeon.local acvpnui[547]: Message type information sent to the user: Ready to connect.

Aug  3 13:05:43 Odeon.local acvpnagent[62]: getting ipv4 route table.

Aug  3 13:05:44 Odeon.local acvpnui[547]: An SSL VPN connection to yourserver.yourdomain.com has been requested by the user.

Aug  3 13:05:44 Odeon.local acvpnagent[62]: Function: ResolveHostname File: Utility/HostLocator.cpp Line: 560 Resolved yourserver.yourdomain.com to 10.10.10.10

Aug  3 13:05:44 Odeon.local acvpnagent[62]: Writing to hosts file:  10.10.10.10    yourserver.yourdomain.com

Aug  3 13:05:44 Odeon.local acvpnui[547]: Message type information sent to the user: Contacting yourserver.yourdomain.com.

Aug  3 13:05:44 Odeon.local Cisco AnyConnect Secure Mobility Client[547]: State: Disconnected

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: resetCertRegistration File: ConnectMgr.cpp Line: 5317 Invoked Function: ConnectMgr :: resetCertRegistration Return Code: 0 (0x00000000) Description:  Match Key: Extended Match Key: Custom Match Key: Distinguished Name Matching:     Wildcard : Disabled    Operator : EqualMatchCase : Enabled     Name : O    Pattern : Company Name 

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 157 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /Users/******/.cisco/certificates/client/ directory was not found.

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 118 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 157 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 118 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getCertList File: ApiCert.cpp Line: 259 Number of certificates found: 1

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: setConnectionData File: ConnectMgr.cpp Line: 1537 Certificate retrieved from preferences: Subject Name: C=GB, O=Company Name, CN=Systems, CN=byronjones Issuer Name : CN=yourserver.yourdomain.com Store : Mac Keychain

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: ResolveHostname File: Utility/HostLocator.cpp Line: 560 Resolved yourserver.yourdomain.com to 10.10.10.10

Aug  3 13:05:44 Odeon.local acvpnui[547]: Initiating VPN connection to the secure gateway https://yourserver.yourdomain.com

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: handleRedirects File: ConnectIfc.cpp Line: 773 Redirecting to: https://yourserver.yourdomain.com/+webvpn+/index.html

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: setPromptAttributes File: ConnectMgr.cpp Line: 3622 The certificate authority is enabled on the secure gateway.

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: getPreference File: PreferenceInfoBase.cpp Line: 267 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 43

Aug  3 13:05:47 --- last message repeated 2 times ---

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: isSWEnabled File: SDIMgr.cpp Line: 1018 Invoked Function: PreferenceMgr::getPreference Return Code: -30277621 (0xFE32000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: ProcessPromptData File: SDIMgr.cpp Line: 327 Authentication is not token based (OTP).

Aug  3 13:05:47 Odeon.local acvpnui[547]: Message type prompt sent to the user: Please enter your username and password.

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: userResponse File: ConnectMgr.cpp Line: 1051 Processing user response.

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: send File: ConnectIfc.cpp Line: 1024 Auth Cookie acquired

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: send File: ConnectIfc.cpp Line: 1032 Config Cookie acquired

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: processIfcData File: ConnectMgr.cpp Line: 2524 Authentication succeeded

Aug  3 13:05:52 Odeon.local acvpnui[547]: VPN state: Connecting Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined

Aug  3 13:05:52 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN session...

Aug  3 13:05:52 Odeon.local acvpnui[547]: The profile configured on the secure gateway is: working.xml

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: getUpdateFileContent File: ConnectIfc.cpp Line: 1337 Update file located

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: launchCachedDownloader File: ConnectMgr.cpp Line: 6392 Launching Cached Downloader: path: '/opt/cisco/anyconnect/bin/vpndownloader.app/Contents/MacOS/vpndownloader' cmd:  '"-ipc    gc    -cd"'

Aug  3 13:05:52 Odeon.local Cisco AnyConnect Secure Mobility Client[547]: State: Connecting

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: launchCachedDownloader File: ConnectMgr.cpp Line: 6412 Invoked Function: ConnectMgr :: launchCachedDownloader Return Code: 0 (0x00000000) Description: Successfully launched the cached downloader

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Cisco AnyConnect Secure Mobility Client Downloader started, version 3.0.08057

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element UseStartBeforeLogon

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element AutomaticCertSelection

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element ClearSmartcardPin

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element RSASecurIDIntegration

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: loadProfiles File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/ProfileMgr.cpp Line: 148 Loaded profiles: /opt/cisco/anyconnect/profile/working.xml

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Current Preference Settings: ServiceDisable: false CertificateStoreOverride: false CertificateStore: User ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true AutoReconnectBehavior: DisconnectOnSuspend AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP:  AutomaticVPNPolicy: false TrustedNetworkPolicy: Disconnect UntrustedNetworkPolicy: Connect TrustedDNSDomains:  TrustedDNSServers:  AlwaysOn: false ConnectFailurePolicy: Closed AllowCaptivePortalRemediation: false CaptivePortalRemediationTimeout: 5 ApplyLastVPNLocalResourceRules: false AllowVPNDisconnect: true EnableScripting: false TerminateScriptOnNextEvent: false EnableAutomaticServerSelection: false AutoServerSelectionImprovement: 20 AutoServerSelectionSuspendTime: 4 AuthenticationTimeout: 12

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: processDnldrArgsRequest File: ConnectMgr.cpp Line: 11881 Determine proxy: false

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setHostnameAndPort File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../DownloaderArgs.cpp Line: 428 Defaulting to port 443

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Connecting to yourserver.yourdomain.com.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Authorized Server List is not defined in local policy and the default administrative domain incisivemedia.com is specified in global preferences. Treating yourserver.yourdomain.com as authorized.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Software updates from authorized gateway are allowed. Any configured local policy software and VPN profile locks do not apply.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Checking for profile updates...

Aug  3 13:05:52 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for profile updates...

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Skipping update of working.xml because an up-to-date version is already installed.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Loading preferences for the current user from profile working.xml

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Current Preference Settings: ServiceDisable: false CertificateStoreOverride: false CertificateStore: User ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true AutoReconnectBehavior: DisconnectOnSuspend AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP:  AutomaticVPNPolicy: false TrustedNetworkPolicy: Disconnect UntrustedNetworkPolicy: Connect TrustedDNSDomains:  TrustedDNSServers:  AlwaysOn: false ConnectFailurePolicy: Closed AllowCaptivePortalRemediation: false CaptivePortalRemediationTimeout: 5 ApplyLastVPNLocalResourceRules: false AllowVPNDisconnect: true EnableScripting: false TerminateScriptOnNextEvent: false EnableAutomaticServerSelection: false AutoServerSelectionImprovement: 20 AutoServerSelectionSuspendTime: 4 AuthenticationTimeout: 12

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Checking for product updates...

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: InitNSS File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5977 (0xFFFFE8A7) Description: unknown

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: CNSSCertStore File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: addNSSStore File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: OpenStores File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Skipping update of AnyConnect Secure Mobility Client 3.0.08057 because an up-to-date version is already installed.

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Checking for customization updates...

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Performing any required updates...

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Tunnel initiated by GUI Client.

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Secure Gateway Parameters:  IP Address: 10.10.10.10  Port: 443  URL: "https://yourserver.yourdomain.com:443/CACHE/stc/1/index.html"  Auth method: SSL  Proxy Server: ""

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Initiating Cisco AnyConnect Secure Mobility Client connection, version 3.0.08057

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: The Primary SSL connection to the secure gateway is being established.

Aug  3 13:05:53 Odeon kernel[0]: utun_ctl_connect: creating interface utun0

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: postSocketConnectProcessing File: SslTunnelTransport.cpp Line: 1314 Opened SSL socket from 192.168.1.10 to 10.10.10.10

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5977 (0xFFFFE8A7) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for product updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Downloading  - 100%

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for customization updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Performing any required updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: VPN state: Connecting Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN session...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN - Initiating connection...

Aug  3 13:05:53 Odeon.local acvpnagent[62]: A SSL connection has been established using cipher RC4-SHA

Note the lines I've highlighted: you can see from there what certificate matching I'm doing and which certificate matched. You can also see that it's checking my client profile (working.xml) and checking whether there are any updates from "authorized servers".

Important to note: if you've been changing the names of your client profiles, make sure you remove the old ones from your Profiles directory.

New Member

Re: Cisco AnyConnect 3.0.08057 certificate validation failure

With AnyConnect version 3.1.495 it worked for me after updating the certificate matching in the profile. I selected Key Usage: Digital_Signature and EKU: ClientAuth. I also have a DN match configured. This got rid of the dreaded "Certificate Validation Failure" when the client tries to connect.

Cisco please add a "test" button to the Profile Editor.
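Putting the matching settings described in this thread together (the Key Usage and EKU ticks in Certificate Matching from the last two posts, and the Distinguished Name match on O = Company Name from Byron's profile), this is what that section of an AnyConnect client profile looks like. This is an added example, not the XML from either post; the element names follow the AnyConnect VPN profile schema as I know it, and yourserver.yourdomain.com and "Company Name" are the placeholder values already used in this thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: AnyConnect client profile with certificate matching.
     Element names follow the AnyConnect VPN profile schema; host and
     organisation values are the placeholders used in this thread. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Which store the client enumerates; "User" is what the log above
         reports under "Current Preference Settings". -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateMatch>
      <!-- Key Usage bits the 3.0.08057 client expects on the client cert.
           Only list bits the certificate actually carries. -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
        <MatchKey>Key_Encipherment</MatchKey>
      </KeyUsage>
      <!-- Extended Key Usage: Client Authentication (OID 1.3.6.1.5.5.7.3.2). -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <!-- Distinguished Name match: pick the cert whose O equals the company
           name, which is what the resetCertRegistration log line reports. -->
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>O</Name>
          <Pattern>Company Name</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>yourserver.yourdomain.com</HostName>
      <HostAddress>yourserver.yourdomain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Every criterion you list must be present on the certificate, so a client cert from the ASA local CA that carries no EKU (CSCua89091) will not match an ExtendedKeyUsage criterion; that is why the DN-only match was the workaround in Byron's case.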

New Member

Cisco AnyConnect 3.0.08057 certificate validation failure

When you add a self-signed cert to the client (I am assuming this only happens on Windows 7), the non-privileged user does not have permission to the c:\programdata\microsoft\crypto\rsa\machinekeys\ file of the cert. I had to add Authenticated Users with READ permission to this file. Otherwise I had to run the Cisco AnyConnect client AS ADMINISTRATOR. Hope this helps; not a real solution, but this appears to be the problem, at least for my company. Using client 3.1.01065.

New Member

This did not work for me

This did not work for me using self-signed auto-generated computer certificates, with Windows Server 2012 R2 and Windows 7 machines, but it was the only response anywhere that put me on the right track. I spent weeks trying to get two-factor authentication with AD Certificate Services and AD credentials with AnyConnect working until I finally figured out the solution, so I hope this helps someone out.

Run the MMC snap-in as Administrator, select Certificates, then Machine Account, then Local Computer.

Right click on the auto-generated certificate in Personal and go to All Tasks -> Manage Private Keys

Give the user access to the private key.

AnyConnect will now find the certificate for that user without having to be run as Administrator.

New Member

Finally works!!! thank you!

Finally works!!! Thank you Jason! Although when the certificate renews, I have the same problem, as the permissions revert to default.

New Member

I added this line to my

I added this line to my config and my certificate error went away and I was able to connect just fine.

ssl trust-point ASDM_TrustPoint0 outside

Hope this helps,

Rich
