New Member

Cisco AnyConnect issue with Windows platform

Hi,

I'm facing a strange issue with Cisco AnyConnect on the Windows platform. It shows me the message that is attached to this discussion and cannot get online on the client side.

I have upgraded to the latest ASA and AnyConnect software because of this issue, but the problem still persists.

ASA : 5525

Software : 9.1(2)

AnyConnect Version : 3.1.05160

Please assist me to fix this problem.

I appreciate it.

AliYashar

Hall of Fame Super Silver

Do you have the Network Access Manager (NAM) module installed in addition to VPN?

If so, I would suspect you are getting this message from NAM.

New Member

I have checked the VPN profile configuration, but there isn't any option about NAM. How can I find this module?

Hall of Fame Super Silver

NAM is an option on the AnyConnect client, not in the profile on the ASA. If you have it installed, your AnyConnect client will look something like the screenshot I've attached below:

If not, the other thing you could be seeing is related to your ASA certificate. You should be using either a certificate from a public CA (or trusted root CA) or have installed the ASA self-signed certificate in your local trusted certificate store. If you haven't done either of those, then you would need to uncheck the box "Block Connections to Untrusted Servers" in the VPN Preferences menu of the AnyConnect client preferences. See my second screenshot below:

New Member

Thank you for answering.

Yes, it's exactly like the screenshot that you have uploaded.

I attached the version of AnyConnect that I'm using; with the configuration that you see in the screenshot it's still not working.

Hall of Fame Super Silver

Ok, so you don't have NAM, just the VPN module.

What kind of certificate is on your ASA? Does the CN (Common Name) in the certificate match the address or name portion of the FQDN you are using to connect?

You can inspect the certificate by browsing to the ASA outside interface and then examine the certificate details using your browser toolbar.

New Member

The cert type is self-enrolled and the CN is different. Mobiles, tablets and Macs are able to connect.

CN is TakTel-ASA

Hall of Fame Super Silver

I'm not sure if it's relevant but your AnyConnect VPN client preferences window does not even have a selection for "Enable automatic certificate selection".

I have it and am running the same version 3.1.05160 as you.

If you want to send me a private message with your FQDN I can check it out from my client. Otherwise you might have to open a TAC case.

New Member

Could you please leave an email address here? I'll send it to you by email.

Hall of Fame Super Silver

AliYashar,

It appears your certificate is not well-formed for use with Windows browsers. When I inspect the certificate from Chrome, it shows "This certificate has an invalid digital signature.". I also notice your RSA key used to sign the certificate is only 768 bits. I suggest creating a new stronger key (1024 or 2048 bits) and certificate and binding that to your outside interface. While you do that, it also wouldn't hurt to use the same FQDN for the certificate that you use for the portal.

You can follow the procedure here:


http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html


...except in Figure 2, check "Generate new self-signed certificate".

Once you have the certificate created, go to:

Configuration –> Remote Access VPN –> Network (client) access –> AnyConnect Connection Profiles

Click Device Certificate

Choose the certificate you created as the one to use when users HTTPS to this device for the portal and the subsequent SSL VPN connection.
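The diagnosis in the answer above (key too small, self-signature that Chrome reports as invalid, CN not matching the name users connect to) can be reproduced from the command line instead of the browser certificate viewer. The script below is an added example and not part of the thread or of any Cisco documentation; it assumes the openssl CLI (1.1.1 or newer, for -addext and -ext) is on PATH, and all host names and file paths in it are made up. It builds two throwaway self-signed certificates as constructed fixtures, one mirroring the thread's weak key and mismatched CN and one done correctly, and runs the same three checks against each. It goes slightly beyond the answer in one respect: it also looks for the FQDN in a DNS Subject Alternative Name, because current browsers (Chrome since version 58) ignore the CN entirely and only honour SANs.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks that mirror the
# accepted answer's diagnosis of an ASA identity certificate: RSA key size,
# whether the self-signature verifies, and whether the name users type
# into AnyConnect is actually covered by the certificate.
# Assumes the openssl CLI (1.1.1 or newer, for -addext/-ext) is on PATH.
# Host names and file paths below are made up.

# make_selfsigned OUT.pem BITS NAME
# Build a throwaway self-signed certificate as a test fixture (constructed
# data, not a real ASA certificate). NAME is used as CN and as a DNS SAN.
make_selfsigned() {
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# cert_key_bits CERT.pem : print the RSA modulus size in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# cert_cn CERT.pem : print the subject Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_dns_san CERT.pem FQDN : 0 if FQDN is listed as a DNS SAN
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# cert_self_signature_ok CERT.pem : 0 if the cert verifies against itself
# (the same check that produces Chrome's "invalid digital signature" text)
cert_self_signature_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_asa_cert CERT.pem FQDN : print findings, return 0 only if all pass
check_asa_cert() {
    cert=$1; fqdn=$2; rc=0
    bits=$(cert_key_bits "$cert")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK KEY: ${bits:-unknown}-bit RSA; use 2048 bits or more"
        rc=1
    fi
    if ! cert_self_signature_ok "$cert"; then
        echo "BAD SIGNATURE: certificate does not verify against itself"
        rc=1
    fi
    cn=$(cert_cn "$cert")
    if cert_has_dns_san "$cert" "$fqdn"; then
        : # name covered by a SAN, which is what current browsers require
    elif [ "$cn" = "$fqdn" ]; then
        echo "WARN: '$fqdn' matches the CN only; add it as a DNS SAN too"
    else
        echo "NAME MISMATCH: certificate CN '$cn' does not cover '$fqdn'"
        rc=1
    fi
    return $rc
}

# Stand-alone use against a certificate saved from the ASA outside interface:
#   openssl s_client -connect vpn.example.test:443 </dev/null 2>/dev/null \
#       | openssl x509 > asa.pem && ./check_asa_cert.sh asa.pem vpn.example.test
if [ $# -eq 2 ]; then
    check_asa_cert "$1" "$2"
fi
```

Two practical notes. The answer's "1024 or 2048 bits" reflects the thread's date; today 2048 is the floor, which is why the script flags anything smaller. The Windows-only failure in the thread, with phones and Macs still connecting, is consistent with Microsoft's 2012 minimum-key-length update (KB2661254), which makes Windows reject certificate chains containing RSA keys shorter than 1024 bits, so a 768-bit key fails exactly the way described even when the CN were correct.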

New Member

I have generated a new CSR and requested a reissued certificate.

I will let you know the result.

Thank you so much

New Member

Yes, it's working fine now :)

Thank You

Hall of Fame Super Silver

Excellent - glad to hear the good news.

Thanks for the rating.
