Can't set up tunnel using AnyConnect on Mac

sundell810
Level 1
When I try to fire up a connection, an error like "the server certificate received or its chain does not comply with FIPS" arises. It seems this is related to FIPS mode, which can be controlled by the local policy, and it's already set to false there.


<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.1.04066">
<FipsMode>false</FipsMode>
<StrictCertificateTrust>false</StrictCertificateTrust>
</AnyConnectLocalPolicy>


Version of AnyConnect Secure Mobility Client - 3.1.04066

macOS: High Sierra - 10.13.2


BTW, connecting to the same ASA from other Windows machines works fine and has for quite some time. The issue only appears on the MacBook.
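A way to find out which certificate in the chain the client is actually objecting to, rather than toggling the policy flag blind: an added shell example (not from this thread or from Cisco) that pulls the chain the ASA presents with openssl and flags the properties FIPS-mode clients commonly reject, MD5/SHA-1 signatures and RSA keys shorter than 2048 bits. The host and port, and that exact set of flagged properties, are assumptions.

```shell
#!/bin/sh
# Inspect every certificate in a PEM bundle and flag properties that a client
# running in FIPS mode commonly rejects (assumed rule set): MD5 or SHA-1
# signatures and RSA public keys shorter than 2048 bits.
# Prints one line per certificate; returns 0 if nothing was flagged, 1 otherwise.
check_chain_pem() {
  bundle=$1
  rc=0
  idx=0
  tmp=$(mktemp -d)
  # Split the bundle into one certificate per file (cert1.pem, cert2.pem, ...).
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' "$bundle"
  for f in "$tmp"/cert*.pem; do
    [ -f "$f" ] || continue
    idx=$((idx + 1))
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || { echo "cert$idx: unparseable"; rc=1; continue; }
    subj=$(openssl x509 -in "$f" -noout -subject)
    # First "Signature Algorithm:" line is the algorithm the issuer signed with.
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/{print $3; exit}')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    issues=""
    case "$sigalg" in
      md5*|sha1*|*MD5*|*SHA1*) issues="$issues weak-signature($sigalg)" ;;
    esac
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' && [ "${bits:-0}" -lt 2048 ]; then
      issues="$issues short-rsa-key(${bits}bit)"
    fi
    if [ -n "$issues" ]; then
      echo "cert$idx $subj: NOT FIPS:$issues"; rc=1
    else
      echo "cert$idx $subj: ok ($sigalg, ${bits:-?} bit)"
    fi
  done
  rm -rf "$tmp"
  return $rc
}

# Save the chain the server presents during the handshake (what the VPN client
# evaluates) into a PEM bundle. Usage: fetch_chain vpn.example.com 443 chain.pem
fetch_chain() {
  host=$1; port=${2:-443}; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}
```

Run `fetch_chain <asa-host> 443 chain.pem && check_chain_pem chain.pem` from the Mac; the same chain can be compared against what the Windows clients see.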


GioGonza
Level 4

Hello @sundell810


You can change that value in the file and save it as TRUE. After you apply this change, reboot the machine, verify the file again and test the connection; everything should be working fine.


HTH

Gio

Thanks for your reply. I think we actually need to disable FipsMode to make it work, since the client is complaining about the incompatibility of the downloaded certificate. Changing it to true will force the client into FipsMode, right? I don't know how that could solve the issue.

Hello @sundell810


Based on this message, "the server certificate received or its chain does not comply with FIPS", that could indicate the ASA is using FIPS or higher algorithms that the Mac device doesn't comply with. If you set it to true, it will use the highest values for the OS; test the connection with that.


Also, if you like, you can provide the DART for the Windows and Mac devices in order to look further into the differences.


HTH

Gio