I am unable to connect using Cisco Anyconnect Version 4.7.02036 to a corporate VPN server using the provided company CA certificate. Our outsourced corporate IT has not been able to solve the problem in the last 4 weeks, after 6 Skype attempts to check what is wrong. I am looking for any help from the community or Cisco to solve the problem.
- VPN connectivity worked fine on my PC for 4-5 years until, in Feb. 2020, my PC was upgraded from Windows 7 to Windows 10 and a new VPN CA certificate was issued at the same time. All functions worked fine after the update to Windows 10 except for VPN connectivity using Cisco Anyconnect Version 4.7.02036.
In the error case, the Cisco Anyconnect message history, after you press "Connect", ends after 3-10 minutes (the time really varies) with the message box "Connection attempt has timed out. Please verify Internet connectivity." and this list of events:
21:28:22 Ready to connect.
21:38:22 Contacting <Company> Europe SSL.
21:47:54 Unable to contact <xxx.yyy.zzz>.com.
What the IT department has done so far to find out what the problem is:
- Internet connectivity was checked and I tried 2 different Internet providers, but with no success.
- All profile settings, including security settings, for Cisco Anyconnect Version 4.7.02036 on my PC were checked, and I could watch this via a Skype session.
- Cisco Anyconnect Version 4.7.02036 was re-installed.
- Various Windows "Services" related to networking were tried out.
- The VPN CA certificate was checked at least 2 times and compared with the information on the VPN server - OK.
- A few other things.
Result: no success. At least 6 sessions have been done so far. None of the changes, however, changed the following behavior:
1. At the beginning I can see this error in the Windows log (after "Connect" is pressed):
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate
2. Later this error appears continuously in the Windows event log until the "Connect" attempt expires. This can last up to 10 min, as mentioned before, until I also get the error message box "Connection attempt has timed out. Please verify Internet connectivity." in the GUI.
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
The CA certificate definitely includes the "Key Usage" item; this was checked by IT and myself in Windows and using the Internet Explorer functionality. I have 3 certificates in total on my machine:
1. Microsoft certificate for Windows, which has no "Key Usage" item.
2. User-related CA for VPN, which is supposed to be used by Cisco Anyconnect and has the "Key Usage" item.
3. Machine-related CA for VPN, which has the "Key Usage" item.
Could it be that the Microsoft certificate (with no Key Usage) is taken by Cisco Anyconnect instead of the right corporate CA for VPN? If "Yes", how could this happen and how can it be fixed? If "No", what could be another reason why Cisco Anyconnect starts looping until it expires with:
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
Any help is very welcome because I am slowly becoming hopeless with this issue and would like to avoid a new Windows re-installation on my PC!
I use the Windows client. I actually have both User and Machine certificates on my PC, but I was told by IT that definitely the User certificate shall be used. I have changed the Cisco Anyconnect profile (by default it is set to All) to use only Machine and User, but this did not make any difference in the Windows log -> the "Key Usage" not found error was still there.
If I use the Microsoft built-in VPN client, it offers me the selection of the certificate from my User area (2 of them can be seen: 1 from Microsoft for Windows with "Client authentication" and then the company CA VPN, also for "Client authentication", which is the correct one), but in Cisco Anyconnect I am not able to get to this stage because of "Not found key usage".
In the case of the Windows VPN client, it expires very fast (within 1 minute) because of missing security settings, as expected, because I have them from the company only for Cisco Anyconnect. I personally believe it would be a great help to make sure that the right certificate is really taken by Cisco Anyconnect for the connection, because our IT says that the connection request does not come to the security gateway, so it must be my PC's problem.
I have also used the "thumbprint" value in the registry to see the location of all 3 certificates. I am not a Windows expert, but it was strange to see that the company CA VPN certificate was located under HKEY_LOCAL_MACHINE. I thought that if it was a User one, it should have been under HKEY_CURRENT_USER. The Microsoft certificate (not for VPN) is, however, located under HKEY_CURRENT_USER.
Location of my certificate in the User store:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\vpnagent\SystemCertificates\My\Certificates\<Thumbprint value 1>
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Services\vpnagent\SystemCertificates\My\Certificates\<Thumbprint value 1>
Location of the Microsoft certificate in the User store:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo\<Thumbprint value 2>
Computer\HKEY_USERS\S-1-5-21-1832937852-2116575123-337272265-203471\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo\<Thumbprint value 2>
Location of the certificate in the Machine store:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\<Thumbprint value 3>
The interesting thing here is that just below this <Thumbprint value 3> there was another "dead"? certificate? with <Thumbprint value 4>; based on the "Blob" values and the location of 00 00 it was some certificate, but not fully deleted? Or from the previous Windows 7 installation before the upgrade to Windows 10? This <Thumbprint value 4> is, however, not shown in any MMC view or in Internet Explorer, etc.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SystemCertificates\My\Certificates\<Thumbprint value 3>
The strange <Thumbprint value 4> value can be seen below <Thumbprint value 3>, which I can see in MMC as the Machine certificate.
Are these registry locations OK for Cisco Anyconnect? How can we make sure that <Thumbprint value 1> from the User store is really used?
I have tried "User" instead of "All" for the store, but it did not help because the suspected certificate (which does not have Key Usage) is also located in the "User" store. It is for Microsoft Windows and thus I cannot delete it. I do not have the Anyconnect profile editor on my PC. Do you know how to modify my profile using the <ClientInitialization> part I use? See the settings below, which are currently rolled out on my PC.
I do not have access to the ASA on the server, but I have feedback from the IT department that my VPN client PC does not even reach the security gateway during start-up. As you could see in my previous post, using the Microsoft Windows 10 VPN client with direct certificate selection I was able to do so. This means the problem is most likely related to the Cisco VPN Anyconnect tool, especially since the NO KEY USAGE found error is raised exactly by Cisco Anyconnect.
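A way to test the hypothesis raised in the posts above (that a certificate without a Key Usage extension sits in the same personal store as the VPN certificate): the script below is an added example for this thread, not Cisco's or the poster's code, and it only reads the CurrentUser\My and LocalMachine\My stores, which are the stores the "User" and "Machine" settings refer to.

```powershell
# Added example (not from Cisco or the original poster): report, for every
# certificate in the User and Machine personal stores, whether it carries a
# Key Usage extension (OID 2.5.29.15) and a Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2). An entry with KeyUsage "(none)" is a certificate
# that would fit the CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND message.
$KeyUsageOid   = '2.5.29.15'
$EkuOid        = '2.5.29.37'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-VpnCertificateReport {
    param(
        # Cert: drive paths of the personal ("My") stores to inspect.
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $kuRaw  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid } | Select-Object -First 1
            $ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }      | Select-Object -First 1

            # Decode the raw extensions into their typed forms to read flags and OIDs.
            $keyUsage = '(none)'
            if ($kuRaw) {
                $ku = New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension($kuRaw, $false)
                $keyUsage = $ku.KeyUsages.ToString()
            }
            $clientAuth = $false
            if ($ekuRaw) {
                $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuRaw, $false)
                $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            }

            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                KeyUsage      = $keyUsage
                ClientAuthEKU = $clientAuth
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

# Full picture first, then only the certificates that have no Key Usage extension.
$report = Get-VpnCertificateReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.KeyUsage -eq '(none)' } | Select-Object Store, Subject, Thumbprint
```

Compare the thumbprints in the output with the <Thumbprint value 1..3> registry entries listed in the posts to see which store each certificate really lives in.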
On your DART Anyconnect logs, there are messages saying Unable to contact vpn.test.com and CTRANSPORT_ERROR_TIMEOUT.
I'm sorry for asking the obvious, but are you able to resolve the FQDN? Can you run Wireshark while connecting to see what's going on?