Anyconnect cannot confirm it is connected to your secure gateway

Hi,

I have configured a Cisco 1941 with AnyConnect VPN. I have installed the anyconnect-win-3.1.07021-k9.pkg on the flash memory, but it seems something is missing. When I access the router and download AnyConnect, the following message appears in the browser: "Failed to get configuration because Anyconnect cannot confirm it is connected to your secure gateway". Therefore, I downloaded AnyConnect manually and tried to access my network. Unfortunately, the application does not connect and the "Anyconnect cannot confirm it is connected to your secure gateway" message appears.

Note that I have an Android phone which successfully connects to my network without any problems.

Please see my configuration below; I would appreciate it if someone could help with this.

!

!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint CRXX
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair CRXX_RSAKey 512
!
crypto pki trustpoint euro.lan
 revocation-check crl
 rsakeypair CRXX
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain CRXX
 certificate self-signed 01
        quit
crypto pki certificate chain CRXX
 certificate ca 01
        quit
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 2

!
interface Virtual-Template3
 mtu 1406
 ip unnumbered GigabitEthernet0/0.1
!

ip local pool SSL_admin_pool 192.168.251.1 192.168.251.254

!

ip nat inside source list 100 interface GigabitEthernet0/1 overload

!

access-list 100 deny   ip 126.0.0.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 permit ip any any

!

!
webvpn gateway gateway_1
 hostname CRXX
 ip address 213.X.X.X port 443
 http-redirect port 80
 ssl trustpoint CRXX
 inservice
 !
webvpn context ADMINS_Policy
 secondary-color white
 title-color #CCCC66
 text-color black
 virtual-template 3
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "SSL_admin_pool" netmask 255.255.255.255
   svc default-domain "eurosure.lan"
   svc keep-client-installed
   svc dns-server primary 126.0.0.2
   svc dns-server secondary 126.0.0.1
 default-group-policy policy_1
!

johnd2310
Level 8

Hi,

This could be due to AnyConnect not trusting the certificate on the router. Install a valid certificate on the router or, if this is a home\lab router, import the router's certificate into your PC.

Thanks

John

**Please rate posts you find helpful**

I appreciate your reply.

Which certificate has to be changed, the RSA or the PKI trustpoint? Are both necessary for the SSL VPN?

What do you mean by a valid certificate?

Thanks

Guys, I have created the certificates with less characters and it is now working properly. Thanks for your advice.

Hi Chris,

What do you mean you have created certificate with less characters?

I have the same problem here...

Tushar Bangia
Level 1

Hi Chris,

Please run "Debug webvpn" and try to connect, you should be able to see the exact reason for connection not working.

Regards,

Tushar Bangia

Note: Please rate the post if you find it helpful!!

daniel.toader
Level 1

Hello,

"Also, after the Windows 8.1 update, I think it no longer works with ssl encryption rc4-sha1!
When my config contains ssl encryption rc4-sha1, I get the error:

"Failed to get configuration because AnyConnect cannot confirm it is connected to your secure gateway. Contact your system administrator".

After I changed it to ssl encryption aes128-sha1, the AnyConnect client can connect to the ASA."

WORK!!

:)
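An added example, not part of any post in this thread: a small Python audit that checks an IOS configuration for the two causes raised in the replies (a router certificate the client does not trust, and the rc4-sha1 cipher), and also for a small RSA key such as the `rsakeypair CRXX_RSAKey 512` line in the posted configuration. The function names, the 2048-bit threshold and the trimmed sample config are assumptions made for illustration.

```python
import re

MIN_RSA_BITS = 2048  # assumption: minimum RSA size accepted by this audit

# Constructed sample: trimmed from the configuration posted in this thread,
# plus the "ssl encryption rc4-sha1" line quoted in the last reply.
SAMPLE_CONFIG = """\
crypto pki trustpoint CRXX
 enrollment selfsigned
 rsakeypair CRXX_RSAKey 512
!
webvpn gateway gateway_1
 ssl trustpoint CRXX
 ssl encryption rc4-sha1
 inservice
"""

def parse_sections(text):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit(text):
    """Return (gateway, finding) pairs, following each gateway's trustpoint."""
    sections, findings = parse_sections(text), []
    for header, body in sections.items():
        gw = re.fullmatch(r"webvpn gateway (\S+)", header)
        if not gw:
            continue
        for cmd in body:
            if cmd.startswith("ssl encryption") and "rc4" in cmd:
                findings.append((gw.group(1), "rc4 cipher enabled"))
            tp = re.fullmatch(r"ssl trustpoint (\S+)", cmd)
            if not tp:
                continue
            for sub in sections.get("crypto pki trustpoint " + tp.group(1), []):
                if sub == "enrollment selfsigned":
                    findings.append((gw.group(1), "self-signed certificate"))
                key = re.fullmatch(r"rsakeypair \S+ (\d+)", sub)
                if key and int(key.group(1)) < MIN_RSA_BITS:
                    findings.append((gw.group(1), key.group(1) + "-bit RSA key"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding per problem on `gateway_1`; a gateway whose trustpoint is not self-signed, uses a key of at least 2048 bits and has no rc4 cipher returns an empty list.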
