I have an issue with AnyConnect 3.0.5080 and ASA image 8.4(3) with AnyConnectLocalPolicy.xml in use. The problem appears while authenticating users based on the client certificate + ldap and using AnyConnectLocalPolicy.xml with ExcludeFirefoxNSSCertStore set to true.
There are two consecutive messages that say: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again. and then The certificate on the secure gateway is invalid. A VPN connection will not be established.
Of course I put the CA and client certs in /opt/.cisco/certificates/... The ASA's identity certificate is not self-signed and is 100% valid. I'm using a Linux machine (Ubuntu 11.10).
As soon as I change ExcludeFirefoxNSSCertStore value from true to false everything works perfectly and AnyConnect uses client pem files located in /opt/.cisco/...
Any idea? My goal is to make client VPN configuration Firefox independent.
I have just tested a scenario where I tried to establish a VPN connection using the machine cert store (/opt/.cisco/certificates/) and the ASA local AAA database, and I had no Firefox installed on the client machine. The result was exactly the same...
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
The certificate on the secure gateway is invalid. A VPN connection will not be established.
It seems that there is no way to successfully establish a connection without Firefox installed. Can anyone confirm that issue?
Thank you Gabriel for the reply.
I was able to resolve this issue. It turned out not to be related to the ExcludeFirefoxNSSCertStore option at all. I got an error due to the incorrect format of the AnyconnectLocalPolicy.xml file. I took this file from Cisco's documentation at
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However, the example is missing quotes on the xmlns and xmlns:xsi attributes in the <AnyConnectLocalPolicy> tag.
The VPN client displayed a "certificate invalid" error, which is why I thought that it could not validate the certificate itself:
>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.
But when I checked syslog I saw a more informative message, which prompted me to validate the XML against the XSD schema.
May 30 13:19:13 MYHOST acvpnagent: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked
Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown
May 30 13:19:13 MYHOST acvpnagent: Termination reason code 59: Connection attempt failed due to certificate problems.
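The root cause above is a well-formedness defect (unquoted xmlns attribute values) that the AnyConnect client reports only as a generic certificate failure, while syslog shows the real parser error. The following script is an added example, not code from the thread or from Cisco: it checks a local policy file for exactly that class of defect before it is deployed, using only the standard library. The two sample documents are constructed here; the namespace URIs in them are assumptions and are not taken from the thread.

```python
"""Pre-deployment sanity check for an AnyConnectLocalPolicy.xml file.

Added example for the thread above. It demonstrates the failure described there:
an attribute written as xmlns=http://... (no quotes) is not well-formed XML, so the
agent's SAX parser fails (xmlParseDocument Return Code: -1) and the client surfaces
a misleading "certificate on the secure gateway is invalid" message.
"""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the defect: attribute values without quotes.
# Namespace URIs below are assumptions, not values quoted in the thread.
BROKEN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns=http://schemas.xmlsoap.org/encoding/
    xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance>
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""

# Constructed sample with the attribute values properly quoted.
FIXED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree adds when a default xmlns is declared."""
    return tag.rsplit("}", 1)[-1]


def check_policy(xml_text):
    """Return (ok, detail).

    ok is False when the document is not well-formed XML or does not have the
    expected root element; detail is then the error string. When ok is True,
    detail is a dict of top-level setting names to their text values.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # This is the condition the thread's syslog entry reports.
        return False, f"not well-formed: {exc}"
    if local_name(root.tag) != "AnyConnectLocalPolicy":
        return False, f"unexpected root element: {root.tag}"
    settings = {local_name(child.tag): (child.text or "").strip() for child in root}
    return True, settings


def check_policy_file(path):
    """Convenience wrapper for a file on disk (e.g. the agent's local policy path)."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_policy(fh.read())


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        ok, detail = check_policy(doc)
        print(f"{label}: {'OK' if ok else 'FAIL'} -> {detail}")
```

Run it against the real file with `check_policy_file("/path/to/AnyConnectLocalPolicy.xml")`. A failing result here means the agent will never read the settings in the file, so a value such as ExcludeFirefoxNSSCertStore cannot be the cause of the behaviour; this check only covers well-formedness, and validating against Cisco's XSD still needs a schema-aware tool such as xmllint with the schema file from the AnyConnect package.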