
Unable to connect using Cisco Anyconnect Version 4.7.02036 to a corporate VPN server

Very13275
Level 1

Hello,

 

I am unable to connect using Cisco Anyconnect Version 4.7.02036 to a corporate VPN server using the provided company CA certificate. Our outsourced corporate IT has not been able to solve the problem for the last 4 weeks, after 6 Skype attempts to check what is wrong. I am looking for any help from the community or Cisco to solve the problem.

 

Background information:

- VPN connectivity worked fine on my PC for 4-5 years until Feb. 2020, when my PC was upgraded from Windows 7 to Windows 10 with a new VPN CA certificate issued simultaneously. All functions worked fine after the update to Windows 10 except for VPN connectivity using Cisco Anyconnect Version 4.7.02036.

 

If you look at the error case, then in the Cisco Anyconnect message history, after you press "Connect", it ends after 3-10 minutes (the time really varies) with the message box "Connection attempt has timed out. Please verify Internet connectivity." and this list of events:

21:28:22 Ready to connect.
21:38:22 Contacting <Company> Europe SSL.
21:47:54 Unable to contact <xxx.yyy.zzz>.com.

 

What has been done by the IT department so far to find out what the problem is:

- Internet connectivity was checked and I tried 2 different Internet providers, but no success.

- All profile settings, including security settings, for Cisco Anyconnect Version 4.7.02036 on my PC were checked, and I could see it via the Skype session.

- Cisco Anyconnect Version 4.7.02036 was re-installed.

- Various Windows "Services" related to networking were tried out.

- The VPN CA certificate was checked at least 2 times and compared with the information on the VPN server - OK.

- A few other things.

Result: No success. At least 6 sessions were done so far. None of the changes however changed the following behavior:

1. At the beginning, I can see this error in the Windows log (after "Connect" is pressed):

********************

Function: COpenSSLCertificate::VerifyKeyUsage
File: Certificates\OpenSSLCertificate.cpp
Line: 1848
Invoked Function: COpenSSLCertUtils::VerifyKeyUsage
Return Code: -31391723 (0xFE210015)
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate

************************

2. Later, this error appears continuously in the Windows event log until the "Connect" attempt expires. It depends and can last up to 10 min, as mentioned before, until I also get the error message box "Connection attempt has timed out. Please verify Internet connectivity." in the GUI.

***************

Function: CCapiCertUtils::VerifyCertPolicy
File: Certificates\CapiCertUtils.cpp
Line: 1761
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
Description: unknown

****************

 

The CA certificate definitely includes a "Key Usage" item, and it was checked by IT and myself in Windows and using Internet Explorer functionality. I have in total 3 certificates on my machine:

User:

1. Microsoft certificate for Windows and it has no "Key Usage" item.

2. User related CA for VPN which is supposed to be used by Cisco Anyconnect and it has "Key Usage" item. 

Machine:

3. Machine related CA for VPN and it has "Key Usage" item. 

 

Could it be that the Microsoft certificate (with no Key Usage) is taken by Cisco Anyconnect instead of the right corporate CA for VPN? If "Yes", how could that be and how can I fix this? If "No", what could be another reason why Cisco Anyconnect starts looping until it expires with:

******************

Function: CCapiCertUtils::VerifyCertPolicy
File: Certificates\CapiCertUtils.cpp
Line: 1761
Invoked Function: CertGetIntendedKeyUsage
Return Code: 0 (0x00000000)
Description: unknown

*******************

 

Any help is very welcome because I am slowly becoming hopeless with this issue and would like to avoid a new Windows re-installation on my PC!
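
The check raised in the question above, as an added example that is not part of the original post or any reply: a PowerShell function that lists every certificate in the user and machine personal stores and shows whether it carries a Key Usage extension, the condition named by CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND. It assumes the three certificates described in the post live in Cert:\CurrentUser\My and Cert:\LocalMachine\My; the function name Get-CertKeyUsageReport is hypothetical.

```powershell
# Added example (not from the thread): report Key Usage / EKU per certificate.
# Assumption: the user and machine certificates from the post are in the
# personal ("My") stores listed in $StorePath.
function Get-CertKeyUsageReport {
    param(
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }   # skip stores that do not exist
        foreach ($cert in Get-ChildItem -Path $path) {
            # Pick out the two usage-related X.509 extensions, if present.
            $ku  = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

            [pscustomobject]@{
                Store            = $path
                Subject          = $cert.Subject
                Issuer           = $cert.Issuer
                NotAfter         = $cert.NotAfter
                HasPrivateKey    = $cert.HasPrivateKey
                HasKeyUsage      = [bool]$ku
                KeyUsages        = if ($ku) { $ku.KeyUsages.ToString() } else { '(extension absent)' }
                EnhancedKeyUsage = if ($eku) {
                    ($eku.EnhancedKeyUsages | ForEach-Object {
                        if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
                    }) -join ', '
                } else { '(extension absent)' }
                Thumbprint       = $cert.Thumbprint
            }
        }
    }
}

# Certificates without a Key Usage extension sort first.
Get-CertKeyUsageReport | Sort-Object HasKeyUsage, Store | Format-List
```

Comparing the Subject and Issuer of any entry with HasKeyUsage = False against the corporate VPN certificate shows which certificate in the store lacks the extension.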

17 Replies


Hello Francesco,

First, thanks a lot for your support! Unfortunately, I have to give up here because it seems, based on your feedback, that the problem cannot be solved locally on my PC. Using Wireshark could of course be the next step, but I do not have it installed on my PC and according to company policy it is considered to be a “spying” tool.

I have requested today to replace the PC with a fully new standard Windows installation. It will of course cost me effort to install some SW I need, copy backup data, etc., but the effort seems more promising than finding the solution for my current problem. I will rate your efforts to find the solution as very high.

Best Regards,

Eugen

Thank you

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question