Cisco AnyConnect issue with Windows platform

Hi,

I'm facing a strange issue with Cisco AnyConnect on the Windows platform. It shows me the message that is attached to this discussion, and the client side cannot get online.

I have upgraded to the latest ASA and AnyConnect software because of this issue, but the problem still persists.

ASA: 5525

Software: 9.1(2)

AnyConnect Version: 3.1.05160

Please assist me in fixing this problem.

I appreciate it.

AliYashar 

12 Replies

Marvin Rhoads
Hall of Fame

Do you have the Network Access Manager (NAM) module installed in addition to VPN?

If so, I would suspect you are getting this message from NAM.

I have checked the VPN profile configuration, but there is no option about NAM. How can I find this module?

NAM is an option on the AnyConnect client - not in the profile on the ASA. If you have it installed, your AnyConnect client will look something like the screenshot I've attached below:

If not, the other thing you could be seeing is related to your ASA certificate. You should be using either a certificate from a public CA (or trusted root CA) or have installed the ASA self-signed certificate in your local trusted certificate store. If you haven't done any of those, then you would need to uncheck the box "Block Connections to Untrusted Servers" in the VPN Preferences menu of the AnyConnect client preferences. See my second screenshot below:

Thank you for answering.

Yes, it's exactly like the screenshot that you have uploaded.

I attached the version of AnyConnect that I'm using. With the configuration that you see in the screenshot it is still not working.

Ok, so you don't have NAM, just the VPN module.

What kind of certificate is on your ASA? Does the CN (Common Name) in the certificate match the address or name portion of the FQDN you are using to connect?

You can inspect the certificate by browsing to the ASA outside interface and then examine the certificate details using your browser toolbar.

The cert type is self-enrolled and the CN is different. Mobiles, tablets and Macs are able to connect.

CN is TakTel-ASA

 

I'm not sure if it's relevant but your AnyConnect VPN client preferences window does not even have a selection for "Enable automatic certificate selection".

I have it and am running the same version 3.1.05160 as you.

If you want to send me a private message with your FQDN I can check it out from my client. Otherwise you might have to open a TAC case.

Could you please leave an email address here? I'll send it to you by email.

AliYashar,

It appears your certificate is not well-formed for use with Windows browsers. When I inspect the certificate from Chrome, it shows "This certificate has an invalid digital signature." I also notice your RSA key used to sign the certificate is only 768 bits. I suggest creating a new stronger key (1024 or 2048 bits) and certificate and binding that to your outside interface. While you do that, it also wouldn't hurt to use the same FQDN for the certificate that you use for the portal.

You can follow the procedure here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

...except in Figure 2, check "Generate new self-signed certificate".

Once you have the certificate created, go to:

Configuration –> Remote Access VPN –> Network (client) access –> AnyConnect Connection Profiles

Click Device Certificate

Choose the certificate you created as the one to use for when users HTTPS to this device for the portal and subsequent SSL VPN connection.
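The three defects named in this answer (signature that does not verify, 768-bit RSA key, certificate name not matching the FQDN users connect to) can be checked the same way for any device certificate. The Go program below is an added example, not from this thread or from Cisco; it builds a self-signed certificate the way the ASA's "Generate new self-signed certificate" option does and runs the checks against it. The FQDN vpn.example.com, the 2048-bit floor and the 1024-bit "weak" case (current Go will not generate 768-bit keys) are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is an assumed 2048-bit floor (the thread suggests 1024 or 2048).
const MinRSABits = 2048

// InspectDeviceCert applies the thread's three checks to the certificate a client
// sees on the ASA outside interface: self-signature, RSA size, name coverage.
func InspectDeviceCert(cert *x509.Certificate, fqdn string) (findings []string) {
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		findings = append(findings, "invalid digital signature: "+err.Error())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		findings = append(findings, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
	}
	// Go, like current browsers, matches SANs only; a CN-only cert fails here.
	if err := cert.VerifyHostname(fqdn); err != nil {
		findings = append(findings, "name mismatch: "+err.Error())
	}
	return findings
}

// SelfSigned mimics the ASA option; sans == nil yields a CN-only cert like the thread's.
func SelfSigned(bits int, cn string, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // current Go refuses sizes below 1024
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Against a 1024-bit, CN-only "TakTel-ASA" certificate the function reports the weak key and the name mismatch; against a 2048-bit certificate whose SAN is the portal FQDN it reports nothing.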

I have generated a new CSR and requested a reissued certificate.

I will let you know the result.

 

Thank You so much

Yes, it's working fine now :)

Thank You

Excellent - glad to hear the good news.

Thanks for the rating.
