Valid Enrollment Certificate but AnyConnect Reports it has expired.

Jeffrey Pomeroy · ‎06-05-2015

Since June 3, after several WinUpdates were completed, several users of the SSL VPN using AnyConnect have been unable to connect via VPN. They have enrollment certificates for two-factor authentication (we use SecureAuth) with valid dates that havent expired. The people have successfully connected before using the same certificates. Since the updates occurred, when they start AnyConnect, it tells them their enrollment certificate has expired and they need to enroll again. When they try to re-enroll using the web portal (we dont allow new enrollment certificates through AnyConnect), Internet Explorer crashes/stops working. This happens in IE 8,9, and 10. I havent heard of it in 11 yet. All OS are Windows 7. Any ideas on whey AnyConnect thinks an otherwise valid certificate has expired when it should still be valid based on dates ?

Boris Uskov · ‎06-08-2015

Hello, Jeffrey.

Try to switch off the option on Anyconnect Client "Enable automatic certificate selection".

After it the Anyconnect Client will promt you to choose the certificate for authentification manually each time you try to connect. This can help you to prove, that anyconnect chooses the proper certificate.

Where do you have Certificate Authority? Is it configured on Cisco ASA, or you use Microsoft CA? Or something else?

Jeffrey Pomeroy · ‎06-08-2015

Thanks for your suggestion but I already have the autoselect certificate disabled from the client config on the ASA.

The certificate authority is on the ASA. For enrollment we use two-factor authentication with a SecureAuth server. Enrollment is done every 90 days through the web browser (not AC). Otherwise people use AnyConnect for their VPN connections. The authentication goes back to Microsoft AD to determine user VPN authorization.