Anyconnect client behind firewall refuses VPN connection due to invalid certificate

Renobucco
Level 1

My computer is behind a Sophos firewall that has HTTPS decryption / scan enabled. Now my Cisco AnyConnect client refuses to connect to VPN (the VPN of my university) because the certificate on the secure gateway is invalid. I've got a .pem file with the certificate that I had installed on my macOS keychain and for the browsers I use. Since I think the refusing of VPN connection is due to the fact that AnyConnect isn't aware of this certificate: how can I install it on macOS? I much appreciate answers or some hints.


Mike.Cifelli
VIP Alumni

Peep this: https://support.securly.com/hc/en-us/articles/206058318-How-to-install-the-Securly-SSL-certificate-on-Mac-OSX-

Also, as a heads up, there is a way to disable AnyConnect from blocking connections to untrusted servers. However, this must be configured on the ASA side.

Hello,

I understand that the situation is as below:

AnyConnect machine --- SOPHOS --- ASA

I haven't practically done this; however, ideally, if the SOPHOS cert is trusted by your AnyConnect machine and the ASA cert is trusted by the SOPHOS firewall, then the SSL handshake should work, given that the cipher suites are also in line.

You could do the above and then check.

Also, SSL AnyConnect needs TCP and UDP 443 to be able to talk to the ASA.

You can take a packet capture and see if the SSL handshake goes through or not.

Regards

Shikha Grover

Please always mark helpful posts.
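The trust check discussed in the replies above, as an added example that is not part of the original thread: it handshakes with the gateway twice, once with Python's default CA bundle and once with the firewall's CA `.pem` added, to separate "the certificate on the path is signed by the inspection CA" from "the TLS handshake never completes". The host name and file path in the usage line are placeholders, and Python's OpenSSL trust store is assumed to stand in for the client's view; it is not the macOS keychain that AnyConnect reads.

```python
import socket
import ssl
import sys


def probe(host, port=443, extra_ca=None, timeout=5.0):
    """Attempt a verified TLS handshake; return (trusted, detail)."""
    ctx = ssl.create_default_context()  # Python/OpenSSL default CA bundle
    if extra_ca:
        # Additionally trust the inspection CA exported from the firewall.
        ctx.load_verify_locations(cafile=extra_ca)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName") or issuer.get("commonName")
                return True, f"issuer: {name}"
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the certificate step but the chain was rejected.
        return False, f"verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Port blocked, connection reset, or the peer is not speaking TLS.
        return False, f"no TLS handshake: {exc}"


def diagnose(host, extra_ca, port=443):
    """Classify which trust anchor, if any, validates the presented chain."""
    ok, detail = probe(host, port)
    if ok:
        return "default-trust", detail   # chain validates without the extra CA
    ok, detail = probe(host, port, extra_ca)
    if ok:
        return "extra-ca-only", detail   # chain validates only via the firewall CA
    return "failed", detail


if __name__ == "__main__":
    # Usage (placeholders): python tlscheck.py vpn.example.edu sophos-ca.pem
    status, detail = diagnose(sys.argv[1], sys.argv[2])
    print(status, "-", detail)
```

A result of `extra-ca-only` means the firewall is re-signing the gateway's certificate; `failed` with `no TLS handshake` points at connectivity on 443 rather than certificate trust.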