AnyConnect 3.0.5080, ASA image 8.4(3) and ExcludeFirefoxNSSCertStore problem

I have an issue with AnyConnect 3.0.5080 and ASA image 8.4(3) with AnyConnectLocalPolicy.xml in use. The problem appears while authenticating users based on the client certificate + LDAP and using AnyConnectLocalPolicy.xml with ExcludeFirefoxNSSCertStore set to true.

There are two consecutive messages that say: "AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again." and then "The certificate on the secure gateway is invalid. A VPN connection will not be established."

Of course I put the CA and client certs in /opt/.cisco/certificates/... The ASA's identity certificate is not self-signed and is 100% valid. I'm using a Linux machine (Ubuntu 11.10).

As soon as I change the ExcludeFirefoxNSSCertStore value from true to false, everything works perfectly and AnyConnect uses the client PEM files located in /opt/.cisco/...

Any idea? My goal is to make the client VPN configuration Firefox-independent.

Regards,

Gabriel

4 Replies

I have just tested a scenario where I tried to establish a VPN connection using the machine cert store (/opt/.cisco/certificates/) and the ASA local AAA database, and I had no Firefox installed on the client machine. The result was exactly the same:

AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

The certificate on the secure gateway is invalid. A VPN connection will not be established.

It seems that there is no way to successfully establish a connection without Firefox installed. Can anyone confirm that issue?

Regards,

Gabriel

Was anyone able to resolve this issue?

I tried to put the server's certificate chain into ~/.cisco/certificates/ca/ but it did not help.

Hi Vadim,

  • Can you post your ASA's Identity certificate here? No private key needed of course!
  • Did you import all intermediate CA certs and root CA cert into the ASA cert store?

Gabriel Skupien

Thank you Gabriel for the reply.

I was able to resolve this issue. It turned out not to be related to the ExcludeFirefoxNSSCertStore option at all. I got the error due to an incorrect format of the AnyConnectLocalPolicy.xml file. I took this file from Cisco's documentation at http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac08localpolicy.html. However, the example is missing the quotes on the xmlns and xmlns:xsi elements in the tag.

The VPN client displayed a "certificate invalid" error, which is why I thought that it could not validate the certificate itself:

>> error: The certificate on the secure gateway is invalid. A VPN connection will not be established.

But when I checked syslog I saw a more informative message, which prompted me to validate the XML against the XSD schema.

...

May 30 13:19:13 MYHOST acvpnagent[30662]: Function: startParser File: Xml/CVCSaxParser.cpp Line: 182 Invoked Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: unknown

...

May 30 13:19:13 MYHOST acvpnagent[20544]: Termination reason code 59: Connection attempt failed due to certificate problems.

...
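The root cause in the thread is a policy file that is not well-formed XML (unquoted xmlns/xmlns:xsi attributes), which the client only reports as a certificate error. The added example below, which is not from the thread or from Cisco, checks a policy file for well-formedness before deployment and reads the ExcludeFirefoxNSSCertStore value; the sample documents and the namespace URIs in them are constructed placeholders, not the real schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy file; namespace URIs are placeholders and are
# not Cisco's real ones.
GOOD_POLICY = """<AnyConnectLocalPolicy xmlns="urn:example:anyconnect-local-policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    acversion="3.0">
  <FipsMode>false</FipsMode>
  <ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>
</AnyConnectLocalPolicy>
"""

# The same file with the quotes dropped from xmlns and xmlns:xsi, which is
# the defect the thread identifies.
BAD_POLICY = GOOD_POLICY.replace(
    'xmlns="urn:example:anyconnect-local-policy"',
    'xmlns=urn:example:anyconnect-local-policy').replace(
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
    'xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance')


def _local(tag):
    """Strip the {namespace} prefix so lookups work whatever xmlns declares."""
    return tag.rsplit('}', 1)[-1]


def check_local_policy(xml_text):
    """Return (status, detail): 'parse-error' with the parser message,
    'wrong-root', 'missing', 'bad-value', or 'ok' with the boolean setting."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A well-formedness failure here is what the syslog line
        # "xmlParseDocument Return Code: -1" corresponds to.
        return ('parse-error', str(exc))
    if _local(root.tag) != 'AnyConnectLocalPolicy':
        return ('wrong-root', _local(root.tag))
    for elem in root.iter():
        if _local(elem.tag) == 'ExcludeFirefoxNSSCertStore':
            value = (elem.text or '').strip().lower()
            if value not in ('true', 'false'):
                return ('bad-value', value)
            return ('ok', value == 'true')
    return ('missing', 'ExcludeFirefoxNSSCertStore')


if __name__ == '__main__':
    for name, doc in (('good', GOOD_POLICY), ('bad', BAD_POLICY)):
        print(name, check_local_policy(doc))
```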