I will grab a DART and look at the logs collected.

There was a change made by the VPN administrators (not my area) for enabling "Always On" I am being told. The VPN admins are telling me that the problem I am seeing is on the client side, not the server gateway side :-).  That is why I am looking to gather some logs on the client side to verify where the issue lives if possible.  I am thinking the problem is on the gateway side but I am blind to any configuration\changes there.  

My user certificate is displayed in the System section of the keychain.

Did you see this after upgrading to version 4.3.05017? This version came out in December last year so it must not have been long since you have been upgraded. You could check with your VPN administrators to see if the VPN client upgrade corresponds with your failure.

Also, Always On itself should not cause this. But enabling always on requires a change in the client xml profile. There are sections in the XML profile for client cert matching. If you had any rules changed there, it would affect what certificate it looks for for client authentication. Just a thought.

I was trying 4.3.05017 as an attempt to fix this issue.  I started seeing the issue when I was using 4.3.03086.

Can I delete all the .XML profiles from Client side?  Will they get recreated went I start the VPN client and connect to the gateway device?

Yes you can as long as there are no pre-connection settings that are critical for connection (cert selection is one of them). The profile should be updated on a successful connection to the gateway. I would recommend just copying the profile off the folder so that you can re-apply it back if it does not work.

Is there a procedure for putting the CA and User certs in the ~/.cisco/certificates/ca and ~/.cisco/certificates/client directories?  

I was thinking about trying that because it appears that Anyconnect cannot see the certs in the keychain (according to the system.log).

When I run "certtool y"  I can see my company CA and my user certs.

You can directly copy over the files to the PEM store file locations. All the files should be named as .pem though. Also, do not forget to put the private key for your cert in " ~/.cisco/certificates/client/private". If you have your cert in the .p12 format, use openssl (natively installed in MAC OS) to extract the private key and pem certificate file. By default the Anyconnect looks at all certificate stores unless it is explicitly blocked by your administrator.

Okay, here is what I attempted..

I exported my user cert with private key to all.pfx from my Windows 7 machine and copied the file over to Mac.

On Mac:

# openssl pkcs12 -in all.pfx -nocerts -out ~/.cisco/certificate/client/private/private.pem -nodes

# openssl pkcs12 -in all.pfx -nokeys -out~/.cisco/certificate/client/cert.pem -nodes

I see the following Anyconnect error when I attempt to connect.

Feb  1 09:29:14 Cisco AnyConnect Secure Mobility Client[7389]: Function: enumerateCert File: ../../vpn/CommonCrypt/Certificates/FileCertStore.cpp Line: 193 Invoked Function: _tstat Return Code: 2 (0x00000002) Description: unknown missing private key for client cert file: /Users/archspangler/.cisco/certificates/client/cert.pem

Seems like something simple but I cannot figure it out.

Can you open the private key file in a notepad and see if you see a readable format? The private key might be encrypted.The key should show up like this:

-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMSREjcq8SgzJmMcmObnMMHLYOdslNFwJImuMDG+L/ED5qOJ/oah
--
--
-----END RSA PRIVATE KEY-----

You may need to decrypt it using this command:

openssl rsa –in private.pem -out private_dec.pem

I see..

Bag Attributes

    localKeyID: 01 00 00 00

    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0

    friendlyName: le-DefaultUserCertificate-e7e8b26a-1cb6-4a5f-8cc6-ad90ccd42249

Key Attributes

    X509v3 Key Usage: 80

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEApHvZ62rqaH2HA9ynZo4gzRHKBRFDsY6OchSuNtvLWQBFmtWC

...

...

-----END RSA PRIVATE KEY-----

Do I need to remove the lines above the ----- BEGIN ?

Yes. Just keep the section from Begin to End Private Key (line included).

Okay.. I got past that by the following...

~/.cisco/certificates (the issuer cert in subdirectory /ca, the client cert in /client, the private key in /client/private). CA cert and client cert need to have .pem extention, private key needs to have same filename as client cert but with .key instead of .pem.

Same filename and .key was my issue.

I see in the logs now where anyconnect finds my user cert  and CA.. but I am still getting the below error. 

Feb 1 10:48:14 Cisco AnyConnect Secure Mobility Client[8789]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 3274 Certificate authentication requested from gateway, no valid certs found in users cert store.

Feb 1 10:48:14 Cisco AnyConnect Secure Mobility Client[8789]: Message type warning sent to the user: No valid certificates available for authentication.

What Key usage and Extended Key Usage parameters do you have on the user cert?

Also, can you attach a sanitized client xml profile from your MAC. Location should be the one below

/opt/cisco/anyconnect/profile

If you have multiple profiles, past all of them.

EKU:

Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)

KU:

Digital Signature, Non-Repudiation (c0)

Let me clean up the profiles/*.xml and I will attach them.