
Always-on configuration generates the message "Anyconnect cannot confirm it is connected to your secure gateway"

snowmizer
Level 1

I am working on trying to set up our VPN so that we can use the "Always-on" functionality. I have this working up to where the client profile is set up to use "Automatic VPN Policy" and log in using information from my certificates. It is able to determine trusted and untrusted networks. I have turned on the "Always-on" piece of this and now I'm getting the message:

"Anyconnect cannot confirm you are connected to your secure gateway"

From everything I have read this is due to a certificate matching problem. On the ASA I imported our internal CA's root certificate and used the internal CA to generate the identity certificate for my ASA. I exported the identity certificate from my ASA and loaded this certificate into the certificate store (under User/Personal) on my client PC. The root certificate is also on my client PC.

This is the last hurdle I'm facing to get the "Always-on" VPN working. What am I missing to make the certificate matching work? What is strict mode? Do I need it or is there something here I need to configure?

Thanks.

2 Replies

Patrick Tran
Level 1

Hello,

Your certificate configuration seems to be correct.

You can test it by connecting to the web interface with IE. If you get no warning, it is OK.

Is your CRL reachable for your client PC?

Patrick

dedwards
Level 1

I have a similar problem. Did you ever get this resolved?