Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi, I have a question regarding Cisco AnyConnect Secure Mobility Client, version 3.1.00495, installed on W7 Enterprise 32-bit.

It's working fine, but I notice when I first use it I am prompted by the "Certificate Blocked Error Dialog", visible at this link as Figure 3.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

The dialog box says "Untrusted VPN Server!" with the option to "Change Setting" or "Keep Me Safe". If you click Change Setting you can then uncheck "Block connections to untrusted servers" etc. and then connect. Once the connection is successful you are not prompted again about this.

I am wondering, if I'm deploying this software to many users, how can I avoid this pop-up appearing for them all, to make the process as seamless as possible? Is there something I can do to pre-stage these settings somewhere?

Thanks in advance!

28 REPLIES

Cisco AnyConnect - removing Certificate Blocked Error Dialog

The best way is to deploy a public certificate on the ASA (there are also ones that don't cost anything) and then add the strict certificate trust in the local policy:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998439

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco AnyConnect - removing Certificate Blocked Error Dialog

On the ASA,
1.  Anyconnect Client profile

2.  Edit Anyconnect_Group profile

3.  Edit Server list

4. Add or Edit the hostname

5. Host display: Remote.example.com and FQDN: Remote.example.com

Your cert that you applied to the interface must match the URL, otherwise it won't work.

Let me know


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi,

same bad discovery here. We're using self-signed certs and even importing them in the client did not prevent the nasty window to appear.

Is this a warning which appears as long as you're not using a third-party validated cert or is there a way to disable the warning even when using self-signed certs?

Thanks


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Nicola,

have you found a way to remove the warning?

where is Anyconnect searching for the certs?

Thanks.

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

Cristian,

As mentioned before, you need to make sure that the CN value in the certificate matches the DNS name of the ASA as well (otherwise the client will not consider it trusted). Once you are done with this, install the ASA certificate on the client machine and that should fix the problem.

However the best practice is to get a valid certificate from a known Certificate Authority.

HTH.

Portu.

Please rate any helpful posts

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Portu,

Even if the CN matches the DNS name, if the cert is self-signed it is rejected by the current AnyConnect client. The client behavior changed somewhere around version 3.1.

I'm also still searching for a solution for the rare situation where a self-signed certificate has to be used.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

I agree Karsten, I actually helped Cristian with that issue on:

https://supportforums.cisco.com/message/3794109#3794109

However, I think his certificate does not include the correct CN value (same as DNS). This in conjunction with the correct certificate match should work, however I have not fully tested it yet.

Thanks.

Portu.


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Portu,

I've just tried; the connection works but the warning keeps coming.

- CN=abc.example.com

- DNS - abc.example.com resolves to ASA_IP

- CN matches the DNS

- Certificate was installed on client PC

Where does the Anyconnect search/check for the certs?

Thanks.

Hello Javier,

It has been almost three years since that post, but your answer really helped me on my home lab. I followed your steps and I got that warning; once you check the option "Import the Certificate" you never get it again.

Thank you for your help,

Theo


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Cristian,

Unfortunately not. I suspended the attempts due to some other tasks. I guess this is something I'll have to start working on again; we can't stick with 3.0 forever.

Regarding the various suggestions of having a third-party cert and not a self-signed cert: I agree it's the best solution but still, this warning is too aggressive. I'm pretty sure we're not the only ones using self-signed certs.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Nicola,

I tried with a trial cert from Thawte but the warning keeps coming.

Isn't it strange?

Any idea?

Thanks.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

Cristian,

Usually those are not known certificates since they have a trial flag.

You need to obtain a real certificate. The positive side of the coin is that you already know how to install it.

Just to make sure, could you please attach the identity certificate?

Thanks.

Portu.

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Portu,

what exactly would you like to see in the cert?

Thanks.

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

I would like to see the "Issued by" in the Root certificate.

Thanks.


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Intermediate Cert:

Identity Cert

Thanks

Cisco AnyConnect - removing Certificate Blocked Error Dialog

Yeahp, the trial flag is in there, so the browser will not consider it a trusted certificate unless you install the CA on the machine.

Thanks.


Cisco AnyConnect - removing Certificate Blocked Error Dialog

I've installed the root and intermediate certs but same thing.

where exactly does the client search for the certs?

Thanks.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

What if you try through the Web browser?

Thanks in advance.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

What about the CN on the identity cert of the ASA?  Is the outside IP or the DNS name associated to the IP?

Thanks.


Cisco AnyConnect - removing Certificate Blocked Error Dialog

CN is the DNS name.

I've tried through the Web browser but same warning.

Thanks.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

Please attach.

Thanks.

Cisco AnyConnect - removing Certificate Blocked Error Dialog

What would you like me to attach?

Thanks.

Hi Javier,

I'm using an internal Root CA (Microsoft AD) and my computers are also part of the domain and they trust the Root CA. I've imported the Root CA into the ASA and applied a certificate in the Identity Certificate Store... even so, we keep getting this warning.

Please help

Regards,

AM 


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Guys,

Did you get this sorted? I'm having the same issues but only on Android and Linux Ubuntu devices. I've tested on Windows, Mac, iOS - all seem to have no issues, but Android and Linux don't see the certificate as being legit and that it should be trusted. I've now tested with certificates from 2 CAs - AusCERT and Thawte SSL CA.

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

Yes, this is getting silly. We have a valid Entrust cert where the SAN matches DNS and CN and it's applied to the ASA. The AnyConnect client errors only from iOS and Windows 8. Windows IE to the ASA shows a valid cert and its AnyConnect does not error.

I opened a case on this as I'm guessing it requires more than one cert for iOS and Win8 from Entrust 2048.

I will post the results

Bob James

Re: Cisco AnyConnect - removing Certificate Blocked Error Dialog

@bjames@snetworks.com

I had this issue and I opened a ticket. It took 3 days and still no answer was found for my case, until I thought about changing something in the AnyConnect client profile. As long as you have a valid cert and everything is matching correctly:

My solution was:

The server is seeing the connection as an IP address when it is expecting a URL. Therefore, it is blocking it. When you edit the server list to match the URL of the cert, it will allow it.

Try the following steps:

1. Click on AnyConnect Client profile

2. Edit Anyconnect_Group profile

3. Edit Server list

4. Add or edit the hostname (You will see an IP address; however, your cert is for a URL, so you have to add it, or delete the IP address and keep the URL)

5. Host display: Remote.example.com and FQDN: Remote.example.com

** Your cert that you applied to the interface must match the URL, otherwise it won't work. So you can make your cert (( *.example.com )) and it should match any URL you give.



Qousai Edelbi
CCNP,CCDA
Lead Network Security Administrator
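The name-matching rule behind the steps above (and behind the earlier server-list steps in this thread) can be checked before the profile is pushed to users. The script below is an added example, not Cisco code and not from any poster: it pulls every HostAddress out of a constructed AnyConnect client profile and tests it against the names on the ASA certificate the way a client does, so an entry that points at a bare IP (which cannot match a dNSName cert) or at a name outside a wildcard shows up as a mismatch. The profile XML, the 203.0.113.10 address and the example.com names are constructed for the demo; the ServerList/HostEntry/HostAddress element names and namespace are assumed from the client profile format and should be verified against a profile exported from your own ASA.

```python
"""Check AnyConnect profile HostAddress entries against the ASA certificate names.

Added example (not Cisco code). Profile XML, addresses and names are constructed;
the profile element names are an assumption based on the client profile format.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile: the first entry uses a bare IP (the mismatch case
# described in the thread), the second the FQDN the certificate was issued for.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Office VPN</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Remote.example.com</HostName>
      <HostAddress>Remote.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # assumed profile namespace


def host_addresses(profile_xml):
    """Return the HostAddress strings from a client profile."""
    root = ET.fromstring(profile_xml)
    return [
        e.text.strip()
        for e in root.findall("./ac:ServerList/ac:HostEntry/ac:HostAddress", NS)
        if e.text
    ]


def dns_name_matches(pattern, host):
    """RFC 6125 style match: exact name, or a single leading '*' label.

    '*.example.com' matches 'remote.example.com' but not 'example.com'
    or 'a.b.example.com'. Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]           # the label the '*' must cover
    return bool(leftmost) and "." not in leftmost


def cert_matches(cert_names, address):
    """Decide whether a client connecting to `address` gets a name match.

    cert_names: {"cn": "...", "san_dns": [...], "san_ip": [...]}.
    An IP literal matches only an iPAddress SAN entry. A hostname matches a
    dNSName SAN entry, or the CN only when the cert carries no dNSName SAN
    (the CN fallback clients still apply to older certificates).
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(i) for i in cert_names.get("san_ip", []))
    san_dns = cert_names.get("san_dns", [])
    if san_dns:
        return any(dns_name_matches(p, address) for p in san_dns)
    cn = cert_names.get("cn")
    return bool(cn) and dns_name_matches(cn, address)


def check_profile(profile_xml, cert_names):
    """Map each HostAddress in the profile to True (match) or False (prompt)."""
    return {addr: cert_matches(cert_names, addr) for addr in host_addresses(profile_xml)}


if __name__ == "__main__":
    # Constructed ASA identity cert: CN and a single dNSName SAN, no IP SAN.
    asa_cert = {"cn": "remote.example.com", "san_dns": ["remote.example.com"], "san_ip": []}
    for addr, ok in check_profile(SAMPLE_PROFILE, asa_cert).items():
        print(f"{addr:22s} {'OK' if ok else 'MISMATCH -> Untrusted VPN Server prompt'}")
```

Run against a real profile by replacing SAMPLE_PROFILE with the exported XML and cert_names with the names from `openssl x509 -noout -subject -ext subjectAltName` on the ASA certificate. Note that fixing the name match removes only the name-mismatch cause of the dialog; a self-signed or trial-flagged certificate still fails the chain check, which is why the other replies keep pointing at a certificate from a CA the clients already trust.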


Cisco AnyConnect - removing Certificate Blocked Error Dialog

Hi Qousai Edelbi

I use a valid certificate from StartSSL.com and got this error message despite this fact. Actually everything should work, but I got this ugly error until I followed your steps. Now the error message is gone. Thank you for posting your solution.

Best regards,

Marco

Hi Liambreathnach,

 

Did you resolve this issue? If yes, how? Can you tell me the procedure?

 

best regards,

AM
