
AnyConnect: Got an error after updating macOS Catalina

BevisChen00743
Level 1

I got this error after updating to macOS Catalina. I have tried installing versions 4.6, 4.7, and 4.8, but it is still the same.

 

"AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."

 

Any ideas are welcome.

Accepted Solution

Open Terminal and do the following (you will need administrator rights on your Mac):

cd /opt/cisco/AnyConnect

sudo nano AnyConnectLocalPolicy.xml
Then edit the field for ExcludeMacNativeCertStore to "true"
<ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>
^X  (control X to exit)
press Y to indicate that you want to save
press enter to accept the existing name
Quit AnyConnect and start it up again.  You will now receive a certificate warning with the option to continue and, if available, install the certificate.
--
Please remember to select a correct answer and rate helpful posts


Are you using a third-party certificate on the ASA? If yes, is the CA certificate also installed on the Mac?

If no, have you installed the ASA self-signed certificate on the Mac?


This worked for a user I had who had this issue.

 

Not sure what changed on Mac with this but on Catalina the user installed the self signed from the firewall. They were then able to connect again!

 

Thanks!

Could you please select the post as the correct answer so we stop monitoring the question if it is solved.

Thank you.


How to install the self signed from the firewall? 

My workmate told me all certificates should be installed automatically when you connect to the VPN.

"Are you using a third-party certificate on the ASA? If yes, is the CA certificate also installed on the Mac?"

I am not sure. But I have exported the CA certificate from the other Mac and installed it on my Mac; unfortunately, it still doesn't work.

ram_euhr
Level 1

Hello,

 

I recently updated to macOS Catalina (v10.15), and since then I have been getting this error (AnyConnect cannot confirm if it's connected to your secure gateway...) while connecting via VPN (I even tried updating to the latest version of the VPN client, v4.8.00175).

 

We do not have any certificate installed on the ASA. Any thoughts on how I can get this working?

The problem is that the certificate (either 3rd party signed or self-signed) that is loaded on your ASA was created with an RSA key of size lower than 2048:

 

ASA# sh run ssl
ssl trust-point AC_cert Outside

ASA# show crypto ca certificates AC_cert
Certificate
  Status: Available
  Certificate Serial Number: xxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)  <<<<<

 

Starting with macOS 10.15 (Catalina), those certificates are no longer trusted by Apple, and therefore you will receive the error message in AnyConnect.

 

 https://support.apple.com/en-us/HT210176

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. 
Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
 
Do NOT change the AnyConnectLocalPolicy.xml file on the Macbook!
Regenerate your certificate using either an RSA key of at least 2048 bits or using an ECDSA key instead!  
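
The key-size requirement quoted above can be checked against a saved gateway certificate before and after regenerating it. This is an added example, not part of the original post; the function names, the `vpn.example.test` hostname and the file names are assumptions, and the sample certificates are constructed throwaway ones.

```shell
#!/bin/sh
# Added example: does a certificate's RSA key meet the 2048-bit minimum
# that macOS 10.15 enforces for TLS? Names below are illustrative.
#
# To save a gateway's certificate for checking (placeholder hostname):
#   openssl s_client -connect vpn.example.test:443 </dev/null 2>/dev/null \
#     | openssl x509 -out gateway.pem

MIN_RSA_BITS=2048

# Print "<algorithm> <bits>" for the public key in a PEM certificate.
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    alg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches both "Public-Key: (N bit)" and older "RSA Public Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$alg" ] && [ -n "$bits" ] || return 2
    printf '%s %s\n' "$alg" "$bits"
}

# Return 0 if the key is acceptable, 1 if it is RSA below the minimum,
# 2 if the file cannot be read or parsed.
check_cert_key() {
    info=$(cert_key_info "$1") || { echo "ERROR: cannot parse $1"; return 2; }
    alg=${info% *}
    bits=${info#* }
    if [ "$alg" = "rsaEncryption" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL: RSA $bits bits (< $MIN_RSA_BITS); regenerate key pair and certificate"
        return 1
    fi
    echo "OK: $alg $bits bits"
    return 0
}

# Constructed sample input: throwaway self-signed certificate with an
# RSA key of $1 bits, written to $2 (private key goes to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
        -subj "/CN=vpn.example.test" -keyout "$2.key" -out "$2" 2>/dev/null
}
```

Run `check_cert_key gateway.pem` on the saved certificate; a non-RSA key such as ECDSA is reported as OK because the 2048-bit minimum applies to RSA keys.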

Why shouldn't the AnyConnectLocalPolicy.xml file be edited? What does editing it do? Any type of vulnerability? Explanations, please.

ageekinthecity
Level 1

Upgraded to Catalina and got Cisco AnyConnect version 4.8.00175.

All certificates are there. 

Connection error:

Posture Assessment Failed: Unable to download CSD library. Please try again

Any ideas?

 


I have tried the suggested change. I get a warning and hit Connect Anyway, and then I go right back to the same error.

 


 

Any thoughts on what may still be the problem? This group is the closest thing I have found. Thanks!

Same issue.  After updating the XML file, I got the Certificate is from an untrusted source.

I tried Connect Anyway (with and without the Always Trust Server... checkbox checked).

 


 

I just upgraded from macOS 10.14.x to macOS 10.15.1 in place.

I upgraded my AnyConnect client from 4.6.x to 4.8.00175.

 

VPN had been working fine under Mojave.  

 

Reading (now) others are having issues in this forum and around the web.

 

Any suggestions?

When I tick the "Always trust this server and import the certificate" checkbox, the login fails -- if I do NOT check that box, the login succeeds for me.

Many thanks !!!!