03-01-2012 03:36 AM - edited 02-21-2020 05:55 PM
I have an issue with AnyConnect 3.0.5080 and ASA image 8.4(3) with AnyConnectLocalPolicy.xml in use. The problem appears while authenticating users based on the client certificate + LDAP and using AnyConnectLocalPolicy.xml with ExcludeFirefoxNSSCertStore set to true.
There are two consecutive messages that say: "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." and then "The certificate on the secure gateway is invalid. A VPN connection will not be established."
Of course I put the CA and client certs in /opt/.cisco/certificates/... The ASA's identity certificate is not self-signed and is 100% valid. I'm using a Linux machine (Ubuntu 11.10).
As soon as I change the ExcludeFirefoxNSSCertStore value from true to false, everything works perfectly and AnyConnect uses the client pem files located in /opt/.cisco/...
Any idea? My goal is to make client VPN configuration Firefox independent.
Regards,
Gabriel
03-01-2012 05:00 AM
I have just tested a scenario where I tried to establish a VPN connection using the machine cert store (/opt/.cisco/certificates/) and the ASA local AAA database, and I had no Firefox installed on the client machine. The result was exactly the same....
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
The certificate on the secure gateway is invalid. A VPN connection will not be established.
It seems that there is no way to successfully establish a connection without Firefox installed. Can anyone confirm that issue?
Regards,
Gabriel
05-29-2012 01:59 PM
Was anyone able to resolve this issue?
I tried to put server's certificate chain into ~/.cisco/certificated/ca/ but it did not help.
05-29-2012 11:19 PM
Hi Vadim,
Gabriel Skupien
05-30-2012 11:18 AM
Thank you Gabriel for reply.
I was able to resolve this issue. It turned out not to be related to the ExcludeFirefoxNSSCertStore option at all. I got an error due to the incorrect format of the AnyconnectLocalPolicy.xml file. I took this file from Cisco's documentation at
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However, the example is missing quotes on the xmlns and xmlns:xsi elements in
The VPN client displayed a "certificate invalid" error, which is why I thought that it could not validate the certificate itself:
>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.
But when I checked syslog I saw a more informative message which prompted me to validate xml against xsd schema.
...
May 30 13:19:13 MYHOST acvpnagent[30662]: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked
Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown
...
May 30 13:19:13 MYHOST acvpnagent[20544]: Termination reason code 59: Connection attempt failed due to certificate problems.
...
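The failure mode described above, as an added example that is not code from the thread or from Cisco: a small well-formedness check for AnyConnectLocalPolicy.xml that reproduces the missing-quote defect on the xmlns attributes beside the corrected file. The default namespace URI is a constructed placeholder; the ExcludeFirefoxNSSCertStore element is the one discussed in the thread.

```python
# Added example, not part of the thread or of Cisco's AnyConnect code.
# Checks that an AnyConnectLocalPolicy.xml is well-formed before it is
# deployed, the check the thread's author performed after seeing the
# acvpnagent xmlParseDocument error. The default namespace URI is a
# placeholder; the ExcludeFirefoxNSSCertStore element is from the thread.
import xml.etree.ElementTree as ET

# Constructed sample reproducing the defect described in the thread:
# the xmlns and xmlns:xsi attribute values are missing their quotes.
BROKEN_POLICY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<AnyConnectLocalPolicy xmlns=http://example.invalid/ns '
    'xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance>\n'
    '  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>\n'
    '</AnyConnectLocalPolicy>\n'
)

# Same content with the attribute values quoted, as XML requires.
FIXED_POLICY = BROKEN_POLICY.replace(
    'xmlns=http://example.invalid/ns', 'xmlns="http://example.invalid/ns"'
).replace(
    'xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance',
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
)


def check_local_policy(xml_text):
    """Parse the policy text.

    Returns (ok, detail): on success detail is a dict mapping setting
    names (namespace stripped) to their text values; on failure it is
    the parser's error message, which names the line and column.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    settings = {}
    for child in root:
        # Tags are reported as '{namespace}Name'; keep only 'Name'.
        name = child.tag.split('}', 1)[-1]
        settings[name] = (child.text or '').strip()
    return True, settings


if __name__ == '__main__':
    for label, text in (('broken', BROKEN_POLICY), ('fixed', FIXED_POLICY)):
        ok, detail = check_local_policy(text)
        print(label, 'OK' if ok else 'PARSE ERROR', detail)
```

The broken sample fails with the same kind of parser-level error that acvpnagent logged to syslog, while the client UI only reported a certificate problem.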