01-20-2016 06:51 AM - edited 02-21-2020 08:38 PM
Hey everyone.
I'm having some trouble with the AnyConnect functionality on the Cisco ASA. Currently the setup is a 5555-X with 9.2(3)4 fw; AnyConnect is on the latest version, anyconnect-win-4.2.01035-k9.pkg.
I just upgraded from a 5550 with 8.2 fw; the problem also existed in that configuration.
I have checked both RADIUS and certificate validation. Everything works OK without the certificate check...
When connecting with the client it says "Certificate Validation Failure". If I exit (close) the client and try again, it can suddenly go through without the check. If I exit again and try, I get the failure message. It seems like it skips the certificate check sometimes. That's the first problem; the second problem of course is the certificate itself. I'm using wildcard checks in the XML file to match it up with the computer certificate.
Any advice would be super-great. Thanks in advance.
01-20-2016 08:08 AM
Hi Jon
Can you please provide the following information:
1. From which OS (version as well) are you trying to connect?
2. If it's Windows, where is the certificate located: Machine Store or User Store?
3. Did you try to collect the AnyConnect DART logs on the client side? If yes, can you attach them?
Regards
Jagmeet.
01-20-2016 11:21 AM
I don't think this is OS related. It has been the same on Win 7, 8 and 10. The certificate is a machine certificate. Will try to find more debug logs tomorrow.
Since this problem has existed for years with the old 5550 on 8.2, I thought it would be something with the configuration.
I also use a web page that launches the ActiveX plugin. This is for use with an SMS passcode solution. This has become a nightmare with browsers.
Will return with logs.
01-07-2017 07:58 AM
Hi Jon,
we have been struggling with the exact same problem for weeks, but we have found a solution. Just to be sure, the symptom is the following: the initial VPN connection using the hostname of the ASA without a downloaded profile succeeds, but connecting using the downloaded profile does not, with the error "Certificate validation failure".
The solution:
1. You need to specify a group URL (i.e. https://<yourhostname>/CERT_VPN) in your connection profile / Advanced / Group Alias/Group URL section.
2. In your AnyConnect profile, in the server list section, the User Group (CERT_VPN) must match the previously configured URL in every character.
After we set this up the error was gone.
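The two-step fix above boils down to a consistency check between the ASA's `group-url` lines and the `UserGroup` of each `HostEntry` in the AnyConnect client profile XML. The script below is an added example (not code from this thread or from Cisco) that parses both and reports profile entries with no character-for-character match; the hostnames, tunnel-group names and config excerpt are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed AnyConnect client profile; hostnames and group names are assumptions.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>Corp VPN (cert)</HostName><HostAddress>vpn.example.com</HostAddress>
      <UserGroup>CERT_VPN</UserGroup></HostEntry>
    <HostEntry><HostName>Corp VPN (radius)</HostName><HostAddress>vpn.example.com</HostAddress>
      <UserGroup>radius_vpn</UserGroup></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed excerpt of the ASA running config (same assumed names).
ASA_CONFIG = """
tunnel-group CERT_VPN webvpn-attributes
 group-url https://vpn.example.com/CERT_VPN enable
tunnel-group RADIUS_VPN webvpn-attributes
 group-url https://VPN.example.com/RADIUS_VPN enable
"""

GROUP_URL_RE = re.compile(r"^\s*group-url\s+https?://([^/\s]+)/(\S+)\s+enable\b", re.M)
local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the XML namespace from an element tag

def asa_group_urls(config):
    """{(hostname, group)} for each enabled group-url; hostnames lower-cased (DNS is case-insensitive)."""
    return {(m.group(1).lower(), m.group(2)) for m in GROUP_URL_RE.finditer(config)}

def profile_host_entries(xml_text):
    """[(HostAddress, UserGroup)] for each HostEntry in the profile's ServerList."""
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "HostEntry":
            f = {local(c.tag): (c.text or "").strip() for c in el}
            entries.append((f.get("HostAddress", "").lower(), f.get("UserGroup", "")))
    return entries

def check_profile(xml_text, config):
    """Report profile entries with no exact group-url; a case-only difference is flagged separately."""
    urls = asa_group_urls(config)
    folded = {(h, g.lower()) for h, g in urls}
    problems = []
    for host, group in profile_host_entries(xml_text):
        if (host, group) in urls:
            continue
        reason = "case mismatch" if (host, group.lower()) in folded else "no matching group-url"
        problems.append((host, group, reason))
    return problems
```

Run `check_profile(PROFILE_XML, ASA_CONFIG)` against your own exported profile and `show running-config` to spot the entry that will produce the validation failure.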
01-13-2017 11:32 AM
We came up with a creative workaround when we had the problem. Will check out your solution. Thanks for the tip.
01-13-2017 11:38 AM
Some heads-up about cert authentication. Today I realized that AnyConnect installation through the ASA website works only if you use the configured Group-URLs to access the ASA. If not, the "Cert validation failure" message comes up.
01-21-2016 05:59 AM
Picked up a new certificate from our cert server and I can get access sometimes. I have to click the login button several times, then the certificate error goes away. The whole thing seems buggy and impossible to understand fully. Especially since the problem was exactly the same on 8.2 as on 9.x.