Unable to connect using Cisco Anyconnect Version 4.7.02036 to a corporate VPN server

Very13275
Level 1

Hello,

 

I am unable to connect using Cisco Anyconnect Version 4.7.02036 to a corporate VPN server using the provided company CA certificate. Our outsourced corporate IT has not been able to solve the problem for the last 4 weeks after 6 Skype attempts to check what is wrong. I am looking for any help from the community or Cisco to solve the problem.

 

Background information:

- VPN connectivity worked fine on my PC for 4-5 years until in Feb. 2020 my PC was upgraded from Windows 7 to Windows 10 with a new VPN CA certificate issued simultaneously. All functions worked fine after update to Windows 10 except for VPN connectivity using Cisco Anyconnect Version 4.7.02036.

 

If you look at the error case, then in the Cisco Anyconnect message history, after you press "Connect" it ends after 3-10 minutes (the time really varies) with the message box "Connection attempt has timed out. Please verify Internet connectivity" and this list of events:

21:28:22 Ready to connect.
21:38:22 Contacting <Company> Europe SSL.
21:47:54 Unable to contact <xxx.yyy.zzz>.com.

 

What the IT department has done so far to find out what the problem is:

- Internet connectivity was checked and I tried 2 different Internet providers, but no success.

- All profile settings including security settings for Cisco Anyconnect Version 4.7.02036 on my PC were checked and I could see it via Skype session.

- Cisco Anyconnect Version 4.7.02036 was re-installed.

- Various Windows "Services" related to networking were tried out.

- The VPN CA certificate was checked at least 2 times and compared with the information on the VPN server - OK.

- A few other things.

Result: No success. At least 6 sessions were done so far. None of the changes however changed the following behavior:

1. At the beginning I can see this error in the Windows log (after "Connect" is pressed):

********************

Function: COpenSSLCertificate::VerifyKeyUsage
File: Certificates\OpenSSLCertificate.cpp
Line: 1848
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate

************************

2. Later, this error appears continuously in the Windows event log until the "Connect" attempt expires. As mentioned before, that can take up to 10 minutes, after which I also get the error message box "Connection attempt has timed out. Please verify Internet connectivity" in the GUI.

***************

Function: CCapiCertUtils::VerifyCertPolicy
File: Certificates\CapiCertUtils.cpp
Line: 1761
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
Description: unknown

****************

 

The CA certificate definitely includes a "Key Usage" item, and this was checked by IT and myself in Windows and using the Internet Explorer certificate viewer. I have 3 certificates in total on my machine:

User:

1. Microsoft certificate for Windows and it has no "Key Usage" item.

2. User related CA for VPN which is supposed to be used by Cisco Anyconnect and it has "Key Usage" item. 

Machine:

3. Machine related CA for VPN and it has "Key Usage" item. 

 

Could it be that the Microsoft certificate (with no Key Usage) is taken by Cisco Anyconnect instead of the correct corporate CA certificate for VPN? If "Yes", how could that be and how can it be fixed? If "No", what else could be the reason why Cisco Anyconnect starts looping until it expires with:

******************

Function: CCapiCertUtils::VerifyCertPolicy
File: Certificates\CapiCertUtils.cpp
Line: 1761
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
Description: unknown

*******************

 

Any help is very welcome because I am slowly becoming hopeless with this issue and would like to avoid a new Windows re-installation on my PC!

17 Replies

Francesco Molino
VIP Alumni
Hi

Can you validate that your certificate has the following extensions:
- application Policies: client Authentication
- key usage: digital signature and Allow key exchange only with key encryption.

What certificate template is used to issue you a certificate for VPN connection?

You're trying to connect on an asa or ftd?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Very13275
Level 1

Hello,


The application policies on my VPN certificate are:

[1]Application Certificate Policy:

     Policy Identifier=Client Authentication

[2]Application Certificate Policy:

     Policy Identifier=<Company name> Infrastructure Client Auto-Enrollment


Key usage:

Digital Signature, Key Encipherment (a0)


Certificate template:

Template=<Company name> Infrastructure Certificate <ID>(<Long number>)

Major Version Number=101

Minor Version Number=4

<Company name>, <ID> and <Long number> are not shown by me because I do not know whether this is company-sensitive information.


As for your question whether FTD or ASA is used, I do not know 100%, but I believe that ASA is used because RSA is used in the signature algorithm.


The guys from IT on the VPN server side say that they do not receive any connection requests from my PC at all. It means the Cisco Anyconnect VPN client is not able to go out even though the Internet connection is there and I am able to use all company Microsoft SharePoints, etc. using Microsoft sign-in methods.



If you don't have access to your FW for troubleshooting it will be difficult to do deeper troubleshooting.
What you can do is install Anyconnect DART, try to connect to your vpn, then run DART and generate a troubleshooting file.
Will you be able to share the troubleshooting here or PM me if you want more privacy? Afterwards, we will continue discussions here.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, I have included the modified DART files (binaries were removed and textual files were modified by deleting the company names and VPN server addresses). Otherwise all information and events are unchanged. Thanks a lot in advance for your help to solve this issue.



DART modified for privacy

Hello Francesco,

Your help is very much appreciated!

Best Regards,
Eugen

I'll look at it tomorrow and get back to you

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

We see it's asking for a certificate.
We will need to run a debug on asa to see what ASA is seeing as certificate.
Are you using a windows or a mac?
Can you check what type of certificate do you have (user or machine)? And we may be able to adapt the XML profile for connection testing. However, if that works, once connected, your client will download back the XML from the asa.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


I use the Windows client. I actually have both User and Machine certificates on my PC, but I was told by IT that definitely the User certificate shall be used. I have changed the Cisco Anyconnect profile (by default it is set to All) to use only Machine and User, but this did not make any difference in the Windows log -> it was still the “Key Usage” not found error.

If I use the Microsoft built-in VPN client, it offers me the selection of the certificate from my User area (2 of them can be seen: 1 from Microsoft for Windows with “Client authentication” and then the company CA VPN one, also for “Client authentication”, which is the correct one), but in Cisco Anyconnect I am not able to get to this stage because of “Not found key usage”.

In the case of the Windows VPN client, it expires very fast (within 1 minute) because of missing security settings, as expected, because I have them from the company only for Cisco Anyconnect. I personally believe it would be a great help to make sure that really the right certificate is taken by Cisco Anyconnect for the connection, because our IT says that the connection request does not reach the security gateway, so it shall be my PC problem.

I have also used the “thumbprint” value in the registry to see the location of all 3 certificates. I am not a Windows expert, but it was strange to see that the company CA VPN certificate was located under HKEY_LOCAL_MACHINE. I thought that if it was a User one it should have been under HKEY_CURRENT_USER. The Microsoft certificate (not for VPN) is, however, located under HKEY_CURRENT_USER.

Location of my certificate in User store:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\vpnagent\SystemCertificates\My\Certificates\<Thumbprint value 1>

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Services\vpnagent\SystemCertificates\My\Certificates\<Thumbprint value 1>

Location of Microsoft certificate in User store:

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo\<Thumbprint value 2>

Computer\HKEY_USERS\S-1-5-21-1832937852-2116575123-337272265-203471\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo\<Thumbprint value 2>

Location of certificate in Machine store:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<Thumbprint value 3>

The interesting thing here is that just below this <Thumbprint value 3> there was another, “dead”? certificate with <Thumbprint value 4>; based on the “Blob” values and the location of 00 00, it was some certificate, but not fully deleted? Or from the previous Windows 7 installation before the upgrade to Windows 10? This <Thumbprint value 4> is, however, not shown in any MMC view or in Internet Explorer, etc.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\My\Certificates\<Thumbprint value 3>

The strange <Thumbprint value 4> value can be seen below <Thumbprint value 3>, which I can see in MMC as the Machine certificate.

Are these locations in the registry OK for Cisco Anyconnect? How can we make sure that <Thumbprint value 1> from the User store is really used?
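Added example (my own, not part of the thread): rather than following thumbprints through the registry, the Cert: drive in PowerShell lists the user and machine personal stores directly, which are the two stores AnyConnect covers on Windows when <CertificateStore> is set to All. For each certificate the script shows whether a Key Usage extension exists at all, whether it contains Digital Signature and Key Encipherment, whether Enhanced Key Usage contains Client Authentication (1.3.6.1.5.5.7.3.2), and whether a private key is present; these are the criteria Francesco listed earlier in the thread. A certificate that shows <none> under KeyUsage is the kind that matches the CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND line from the log, so the listing makes it visible which stored certificate produces that message. The store paths and .NET types are standard Windows ones; the VpnCandidate rule is only the thread's criteria combined, not AnyConnect's own selection logic.

```powershell
# Added example: enumerate personal-store certificates and show the attributes
# relevant to client-certificate selection (Key Usage / Enhanced Key Usage).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, as quoted in the thread

function Get-VpnCandidateCertificate {
    param(
        # The two stores that <CertificateStore>All</CertificateStore> covers on Windows
        [string[]] $StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # Pull the two extensions by type; either one may be absent
            $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

            $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
            if ($ku) { $kuFlags = $ku.KeyUsages }
            $ekuOids = @()
            if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

            $hasDigSig  = $kuFlags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
            $hasKeyEnc  = $kuFlags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
            $clientAuth = $ekuOids -contains $ClientAuthOid

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                # '<none>' here is the condition behind "No Key Usages were found in the certificate"
                KeyUsage      = $(if ($ku) { $kuFlags.ToString() } else { '<none>' })
                ClientAuthEKU = $clientAuth
                # Thread criteria combined: KU digitalSignature + keyEncipherment, EKU clientAuth, key present
                VpnCandidate  = ($hasDigSig -and $hasKeyEnc -and $clientAuth -and $cert.HasPrivateKey)
            }
        }
    }
}

Get-VpnCandidateCertificate | Sort-Object Store, NotAfter |
    Format-Table Store, Subject, KeyUsage, ClientAuthEKU, HasPrivateKey, VpnCandidate, Thumbprint -AutoSize -Wrap
```

Run it in a normal (non-elevated) session first so that Cert:\CurrentUser\My reflects the account that runs the VPN client; the Thumbprint column can then be compared with the thumbprint values seen in the registry, and any row with VpnCandidate set to True but not in the expected store points at a store or enrollment issue rather than a certificate content issue.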




If you modified the profile to use user certificate and still doesn't work, we will need to have log debug from asa to see what's happening and see if the correct certificate is sent by your machine.
On anyconnect profile editor, you can configure the certificate match to make sure the correct certificate is sent by your client.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I have tried with “User” instead of “All” for the store, but it did not help because the suspected certificate (which does not have Key Usage) is also located in the “User” store. It is for Microsoft Windows and thus I cannot delete it. I do not have the anyconnect profile editor on my PC. Do you know how to modify the <ClientInitialization> part of my profile? See the settings below which are currently rolled out on my PC.

I do not have access to the ASA on the server, but I have the feedback from the IT department that my VPN client PC does not even reach the security gateway during start-up. As you could see in my previous post, using the Microsoft Windows 10 VPN client with direct certificate selection I was able to do so. It means the problem is most likely related to the Cisco VPN Anyconnect tool, especially as the NO KEY USAGE found error is raised exactly by Cisco Anyconnect.

<ClientInitialization>
  <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
  <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
  <ShowPreConnectMessage>false</ShowPreConnectMessage>
  <CertificateStore>All</CertificateStore>
  <CertificateStoreMac>Login</CertificateStoreMac>
  <CertificateStoreOverride>false</CertificateStoreOverride>
  <ProxySettings>IgnoreProxy</ProxySettings>
  <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
  <AuthenticationTimeout>12</AuthenticationTimeout>
  <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
  <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
  <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
  <IPProtocolSupport>IPv4</IPProtocolSupport>
  <AutoReconnect UserControllable="false">true
   <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
  </AutoReconnect>
  <AutoUpdate UserControllable="false">true</AutoUpdate>
  <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
  <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
  <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
  <PPPExclusion UserControllable="false">Disable
   <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
  </PPPExclusion>
  <EnableScripting UserControllable="false">false</EnableScripting>
  <EnableAutomaticServerSelection UserControllable="false">false
   <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
   <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
  </EnableAutomaticServerSelection>
  <RetainVpnOnLogoff>false
  </RetainVpnOnLogoff>
  <AllowManualHostInput>true</AllowManualHostInput>
 </ClientInitialization>
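Added example (my own, not the thread's or Cisco's code): Francesco mentioned that the profile editor can configure a certificate match so the client only sends the intended certificate; without the editor, the same <CertificateMatch> element can be added to a copy of the XML profile with a script. The element and value names below (KeyUsage/MatchKey, ExtendedKeyUsage/ExtendedMatchKey, DistinguishedName/DistinguishedNameDefinition with Operator and Wildcard attributes) are from the AnyConnect profile schema as I know it; the profile directory, the file name corporate-vpn.xml, the issuer pattern, and the placement of the block as the last child of <ClientInitialization> are assumptions for this example and should be checked against the AnyConnectProfile.xsd shipped with the client. The match values themselves are the ones the thread established for the correct certificate.

```powershell
# Added example: copy the local AnyConnect profile and add a CertificateMatch block
# so the client only offers certificates that fit the corporate VPN certificate.
$ProfileDir    = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$SourceFile    = Join-Path $ProfileDir 'corporate-vpn.xml'          # placeholder profile name
$OutputFile    = Join-Path $env:TEMP 'corporate-vpn-with-match.xml'  # written to a copy, not in place
$IssuerPattern = '*Infrastructure*'   # placeholder: a fragment of the issuing CA's CN

[xml] $profile = Get-Content -Path $SourceFile -Raw
$ns = $profile.DocumentElement.NamespaceURI   # profile elements live in a default namespace

# Match on what the thread established the right certificate carries:
# KU digitalSignature + keyEncipherment, EKU clientAuth, issued by the corporate CA.
$matchXml = @"
<CertificateMatch xmlns="$ns">
  <KeyUsage>
    <MatchKey>Digital_Signature</MatchKey>
    <MatchKey>Key_Encipherment</MatchKey>
  </KeyUsage>
  <ExtendedKeyUsage>
    <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
  </ExtendedKeyUsage>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>$IssuerPattern</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
"@

$fragment = New-Object System.Xml.XmlDocument
$fragment.LoadXml($matchXml)
$node = $profile.ImportNode($fragment.DocumentElement, $true)

# Assumption: CertificateMatch belongs inside ClientInitialization; verify against the XSD
$init = $profile.AnyConnectProfile.ClientInitialization
if ($init.CertificateMatch) {
    # Replace an existing block rather than adding a second one
    [void] $init.ReplaceChild($node, $init.CertificateMatch)
} else {
    [void] $init.AppendChild($node)
}
$profile.Save($OutputFile)
Write-Host "Wrote $OutputFile; review it and validate it against AnyConnectProfile.xsd before use."
```

Two caveats that follow from the thread itself: the client downloads the profile from the ASA again once a connection succeeds, so a local edit is only a diagnostic step and the lasting change has to be made on the headend; and a match that is too narrow (for example a wrong issuer pattern) leaves the client with no certificate at all, so test with the Key Usage and EKU criteria first and add the issuer rule afterwards.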

Can you share a screenshot of your user certificate by sending me a private message please to see?
You have a field called Enhanced Key Usage; can you tell me what values you have in it?
Can you change the tag <CertificateStoreOverride>false</CertificateStoreOverride> to <CertificateStoreOverride>true</CertificateStoreOverride>?
Also can you change <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment> to <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


I do not think that I can send you the screenshot of all fields, but it is not a problem to send the fields which are of an interest.


FYI – The certificate was verified on Windows using a CMD command and, in addition, manually checked by the company IT team. I could observe it in a Skype session. It is OK based on both checks (Windows and manual).


As for enhanced key usage, it is:

“Client Authentication (1.3.6.1.5.5.7.3.2)

<Company Infrastructure> Client Auto-Enrollment (1.3.6.1.4.1.27527.1.40.100.1)”


I have changed the tags but it did not change the behavior. The proposed changes are listed below.

<CertificateStoreOverride>false</CertificateStoreOverride> to <CertificateStoreOverride>true</CertificateStoreOverride>

and <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment> to <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

In your DART anyconnect logs, there are messages saying Unable to contact vpn.test.com and CTRANSPORT_ERROR_TIMEOUT.
I'm sorry for asking the obvious, but are you able to resolve the FQDN? Can you do a Wireshark capture while connecting to see what's going on?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
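Added example (my own, not from the thread): a small PowerShell probe for the question Francesco raises last, whether the gateway name resolves and whether anything answers on the SSL VPN port before the client even gets to certificate selection. It resolves the FQDN, attempts the TCP connection with an explicit timeout instead of waiting minutes for the client's CTRANSPORT_ERROR_TIMEOUT, completes a TLS handshake and reports the certificate the gateway presents. The host name vpn.example.com is a placeholder. The validation callback deliberately accepts any server certificate because the point is to observe what is presented; that setting is only acceptable in a throw-away diagnostic and must never be carried into a real client.

```powershell
# Added example: basic reachability probe for an SSL VPN gateway (DNS -> TCP 443 -> TLS).
function Test-VpnGateway {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 10000
    )
    $r = [ordered]@{
        Host = $HostName; Addresses = $null; TcpConnected = $false
        TlsHandshake = $false; ServerCert = $null; Error = $null
    }

    # 1. Name resolution: the DART log showed "Unable to contact <fqdn>", so check this first
    try {
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $r.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject] $r
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 2. TCP connect with an explicit timeout (a silently dropped SYN otherwise hangs for minutes)
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $client.EndConnect($ar)
        $r.TcpConnected = $true

        # 3. TLS handshake. The callback accepts any server certificate ON PURPOSE: this probe
        #    only reports what the gateway presents; it must not be reused for real connections.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.ServerCert = "$($cert.Subject) | issuer: $($cert.Issuer) | expires: $($cert.NotAfter) | $($cert.Thumbprint)"
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject] $r
}

Test-VpnGateway -HostName 'vpn.example.com' | Format-List   # placeholder host name
```

Reading the result: a DNS error means the client never had an address to contact; TcpConnected false with a timeout points at a path or firewall problem between the PC and the gateway (consistent with the server side seeing no connection attempt); TcpConnected true with TlsHandshake true and a sensible ServerCert shows the gateway is reachable and the remaining problem lies in the client's certificate handling. Running a Wireshark capture alongside this probe makes the same three stages visible on the wire.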