
Cisco AnyConnect Secure Mobility Client - Newbie Totally Lost

cpremo (Level 1)

We currently have an ASA 5505 Firewall with VPN services configured.  The system is running ASA Version 9.0.0 and ASDM 7.0.2.  I installed the "Cisco AnyConnect Secure Mobility Client" Version 3.1.01065 on my Windows 7 Ultimate PC.  When I try to connect to my VPN service I get the following message:

Security Warning: Untrusted VPN Server Certificate!  AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX

Certificate does not match the server name

Certificate is from an untrusted source.

Certificate is not identified for this purpose.


Without purchasing a certificate from a 3rd Party vendor, is it possible to register a "Self" generated Certificate to get rid of this message?  If so are there any "Detailed" (e.g., simplified or not in Cisco-eeze language) instructions on how to setup the Firewall to "push" the certificate to the VPN client so the message doesn't come up for the user?


11 Replies

Marvin Rhoads (Hall of Fame)

You can simply accept the self-signed certificate the first time you are presented with that message and direct AnyConnect to always trust such certificates.

If you don't want to do that, you need to make your clients automatically trust this certificate from your ASA. You can do that several ways. You mentioned using a 3rd party vendor - that ends up being the method of using a vendor in the trusted root Certificate Authority (CA) list. If you don't use one of the 3rd party ones, you will need to push out the trust via some software deployment method - e.g. a GPO for Windows clients in a managed AD setup or via pre-deploying with yet another 3rd party tool like LANdesk.

If you don't have an internal CA or AD-managed infrastructure for your clients then just telling users to click "always trust" is the path of least resistance (although the least secure).

In the prior version of the VPN Client I saw this option.  In the new version, I don't see where you can accept the self-signed certificate.

When you click "Connect Anyway", I believe you get an option to then choose "always" or some such.

What you end up with is this setting (no check next to "Block connections from untrusted servers") in your Anyconnect preferences:

Nope.  Same problem.  When I log in I still see the certificate error.  I've tried your settings, but no change.

I may have incorrectly assumed your remote access VPN ever worked.

Comparing your error message with the one I get when I tell my client to block connections to untrusted servers shows that I get a single, different warning screen (below). I suspect you may have more than just the client side issue. Can you share your configuration?

Hello.

I have exactly the same issue.

I need to know what has changed on the ASA to make this work.

Let me know if there is anything I need to change on the ASA.

I have an ASA 5506.

VPN client setting

Your ASA appears to be using a self-signed certificate and/or one that does not have the Fully-Qualified Domain Name (FQDN) matching the Common Name (CN) field of the certificate.

Getting a signed certificate from a trusted public Certificate Authority (CA) and making sure that your Certificate Signing Request (CSR) has the correct CN will usually fix that issue.

If you click on "Connect Anyway" does it proceed to connect successfully?

Hello Marvin,

Thank you for the reply.

I don't see any cert actually in the ASA.

When I click "Connect Anyway" it simply disconnects with a failed-certificate error: "No valid certificate available for authentication".

Would it be possible to have a remote VPN connection set up without a certificate?

I used to have an ASA 5505 before and there was no such issue,

even if I set the profile only to use AAA.

Since AnyConnect fundamentally uses SSL VPN, you must have some sort of certificate - either CA-issued or self-signed. (There is an obscure corner case of strictly IKEv2 AnyConnect remote access VPN but it is very rarely used outside of areas where it is required for mainly governmental compliance reasons.)

Check under the top level menu of your Connection Profile for a certificate. You may have a malformed entry specified there or inadvertently deselected the self-signed certificate that is commonly used.
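The ASA CLI equivalent of what Marvin describes above (an identity certificate whose name matches what users connect to, bound to the outside interface, and a connection profile that does not demand a client certificate), as an added example that is not part of any post in this thread. The hostname `vpn.example.com`, the trustpoint, key pair and tunnel-group names, and the reading that "No valid certificate available for authentication" comes from a profile set to certificate authentication are all assumptions; substitute your own names and check against your running config.

```cisco
! Added example, not from the thread. All names below are placeholders.

! 1. Hostname and domain: the certificate name must be what users type into
!    AnyConnect. Connecting by IP address (as in the original post) can never
!    match a certificate issued to a DNS name, so give users the FQDN.
hostname asa
domain-name example.com

! 2. Key pair for the identity certificate.
crypto key generate rsa label VPN-SELF-KEY modulus 2048

! 3. Self-signed trustpoint. 'fqdn' puts vpn.example.com into the Subject
!    Alternative Name and 'subject-name' sets the CN; both must equal the name
!    users connect to, or the client reports "does not match the server name".
crypto ca trustpoint VPN-SELF
 enrollment self
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
 keypair VPN-SELF-KEY
crypto ca enroll VPN-SELF noconfirm

! 4. Bind the certificate to the interface AnyConnect users reach. With no
!    trustpoint bound here the ASA presents an automatically generated
!    self-signed certificate that no client has any reason to trust.
ssl trust-point VPN-SELF outside

! 5. Connection profile using username/password (AAA) only. If this line reads
!    'authentication certificate' and users hold no client certificate, the
!    client-side "No valid certificate available for authentication" error is
!    the expected result (assumption based on the message in the thread).
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS webvpn-attributes
 authentication aaa

! 6. Verify what the ASA will present and which trustpoint is bound.
show crypto ca certificates VPN-SELF
show running-config ssl

! 7. Export the certificate (PEM) so it can be pushed to clients by GPO or
!    another deployment tool, as suggested earlier in the thread.
crypto ca export VPN-SELF identity-certificate
```

A self-signed certificate only clears the "does not match the server name" warning; "untrusted source" persists until the exported certificate is installed in each client's trusted root store, and the "Connect Anyway / always trust" path described above remains the fallback for unmanaged machines.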

I'm reading this post ten years after it was published.

I'm facing the same problem.

Do I need to install the certificate on the ASA?

If you have a guide, please let me know the URL.