03-28-2014 03:43 AM - edited 02-21-2020 07:34 PM
Hi,
I'm facing a strange issue with Cisco AnyConnect on the Windows platform. It shows me the message that is attached to this discussion and cannot get online on the client side.
I have upgraded to the latest ASA and AnyConnect software because of this issue, but the problem still persists.
ASA : 5525
Software : 9.1(2)
AnyConnect Version : 3.1.05160
Please assist me in fixing this problem.
I appreciate it.
AliYashar
03-29-2014 07:12 AM
AliYashar,
It appears your certificate is not well-formed for use with Windows browsers. When I inspect the certificate from Chrome, it shows "This certificate has an invalid digital signature." I also notice your RSA key used to sign the certificate is only 768 bits. I suggest creating a new stronger key (1024 or 2048 bits) and certificate and binding that to your outside interface. While you do that, it also wouldn't hurt to use the same FQDN for the certificate that you use for the portal.
You can follow the procedure here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html
...except in Figure 2, check "Generate new self-signed certificate".
Once you have the certificate created, go to:
Configuration –> Remote Access VPN –> Network (client) access –> AnyConnect Connection Profiles
Click Device Certificate
Choose the certificate you created as the one to use for when users HTTPS to this device for the portal and subsequent SSL VPN connection.
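An added, offline check for the three points raised in the answer above (key size, name match, self-signature); this is not code from the thread. It uses the openssl CLI to build a constructed 768-bit sample certificate with CN=TakTel-ASA, mirroring the one described, and vpn.example.com as a placeholder portal FQDN.

```shell
#!/bin/sh
# Added example: check an ASA identity certificate the way the answer above
# suggests, using only the openssl CLI. MIN_RSA_BITS is an assumed policy.
MIN_RSA_BITS=2048

# Constructed sample: a deliberately weak 768-bit self-signed certificate
# whose CN (TakTel-ASA) does not match the portal FQDN, as in the thread.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:768 -nodes -sha256 -days 1 \
        -subj "/CN=TakTel-ASA" \
        -keyout "$dir/asa.key" -out "$dir/asa.pem" >/dev/null 2>&1
    echo "$dir/asa.pem"
}

# RSA modulus size in bits, parsed from "Public-Key: (N bit)" in -text output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds when the FQDN matches a SAN dNSName or, with no SAN, the subject CN.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q " does match "
}

# Succeeds when the self-signed certificate verifies against its own key.
cert_self_signature_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Prints one line per finding; returns 0 only when all three checks pass.
check_asa_cert() {
    cert=$1; fqdn=$2; rc=0
    bits=$(cert_key_bits "$cert")
    if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL key:  $bits-bit RSA (want >= $MIN_RSA_BITS)"; rc=1
    fi
    if ! cert_matches_host "$cert" "$fqdn"; then
        echo "FAIL name: certificate does not match $fqdn"; rc=1
    fi
    if ! cert_self_signature_ok "$cert"; then
        echo "FAIL sig:  self-signature does not verify"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert is acceptable for $fqdn"
    return "$rc"
}

SAMPLE=$(make_sample_cert)
check_asa_cert "$SAMPLE" "vpn.example.com" || echo "regenerate the certificate"
```

Against a live ASA, feed the function the output of `openssl s_client -connect <outside-ip>:443 -showcerts` saved to a file instead of the constructed sample.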
03-28-2014 04:56 AM
Do you have the Network Access Manager (NAM) module installed in addition to VPN?
If so, I would suspect you are getting this message from NAM.
03-28-2014 05:22 AM
I have checked the VPN profile configuration, but there is no option about NAM. How can I find this module?
03-28-2014 07:58 AM
NAM is an option on the AnyConnect client - not in the profile on the ASA. If you have it installed, your Anyconnect client will look something like the screenshot I've attached below:
If not, the other thing you could be seeing is related to your ASA certificate. You should be using either a certificate from a public CA (or trusted root CA) or have installed the ASA self-signed certificate in your local trusted certificate store. If you haven't done any of those then you would need to uncheck the box "Block Connections to Untrusted Servers" in the VPN Preferences menu of the AnyConnect client preferences. See my second screenshot below:
03-28-2014 08:31 AM
03-28-2014 08:37 AM
Ok, so you don't have NAM, just the VPN module.
What kind of certificate is on your ASA? Does the CN (Common Name) in the certificate match the address or name portion of the FQDN you are using to connect?
You can inspect the certificate by browsing to the ASA outside interface and then examine the certificate details using your browser toolbar.
03-28-2014 09:15 AM
The cert type is self-enrolled and the CN is different. Mobile and tablets and Mac are able to connect.
CN is TakTel-ASA
03-28-2014 11:47 AM
I'm not sure if it's relevant but your AnyConnect VPN client preferences window does not even have a selection for "Enable automatic certificate selection".
I have it and am running the same version 3.1.05160 as you.
If you want to send me a private message with your FQDN I can check it out from my client. Otherwise you might have to open a TAC case.
03-29-2014 12:29 AM
Could you please leave an email address here? I will send it to you by email.
03-29-2014 11:02 AM
I have generated a new CSR and requested a reissued certificate.
I will let you know the result.
Thank You so much
03-29-2014 05:13 PM
Yes, it's working fine now :)
Thank You
03-29-2014 07:35 PM
Excellent - glad to hear the good news.
Thanks for the rating.