AnyConnect: Got an error after updating macOS Catalina

I got this error after updating to macOS Catalina. I have tried installing versions 4.6, 4.7 and 4.8, but I still get the same error.

 

"AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network."

 

Any ideas are welcome.

Accepted Solution
VIP Advisor

Open Terminal and do the following (you will need administrator rights on your Mac):

cd /opt/cisco/AnyConnect

sudo nano AnyConnectLocalPolicy.xml
Then edit the field for ExcludeMacNativeCertStore to "true":
<ExcludeMacNativeCertStore>true</ExcludeMacNativeCertStore>
^X  (Control-X to exit)
Press Y to indicate that you want to save.
Press Enter to accept the existing name.
Quit AnyConnect and start it up again. You will now receive a certificate warning with the option to continue and, if available, install the certificate.
--
Please remember to select a correct answer and rate helpful posts

28 Replies
VIP Advisor

Are you using a third-party certificate on the ASA? If yes, is the CA certificate also installed on the Mac?

If not, have you installed the ASA self-signed certificate on the Mac?

--
Please remember to select a correct answer and rate helpful posts

This worked for a user I had who had this issue.

 

Not sure what changed on Mac with this, but on Catalina the user installed the self-signed certificate from the firewall. They were then able to connect again!

 

Thanks!


Could you please select the post as the correct answer, so we can stop monitoring the question if it is solved?

Thank you.

--
Please remember to select a correct answer and rate helpful posts

How do I install the self-signed certificate from the firewall?

My workmate told me all certificates should be installed automatically when you connect to the VPN.


"Are you using a third-party certificate on the ASA? If yes, is the CA certificate also installed on the Mac?"

I am not sure, but I have exported the CA certificate from the other Mac and installed it on my Mac; unfortunately it still doesn't work.

Beginner

Hello,

 

I recently updated to macOS Catalina (v10.15) and since then I am getting this error ("AnyConnect cannot confirm if it's connected to your secure gateway...") while connecting via VPN (I even tried updating to the latest version of the VPN client, v4.8.00175).

 

We do not have any certificate installed on the ASA. Any thoughts on how I can get this working?


The problem is that the certificate (either third-party signed or self-signed) that is loaded on your ASA was created with an RSA key of a size lower than 2048 bits:

 

ASA# sh run ssl
ssl trust-point AC_cert Outside

ASA# show crypto ca certificates AC_cert
Certificate
  Status: Available
  Certificate Serial Number: xxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)  <<<<<

 

Starting with macOS 10.15 (Catalina), those certificates are no longer trusted by Apple, and therefore you receive the error message in AnyConnect.

 

https://support.apple.com/en-us/HT210176

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. 
Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
 
Do NOT change the AnyConnectLocalPolicy.xml file on the Macbook!
Regenerate your certificate using either an RSA key of at least 2048 bits or using an ECDSA key instead!  
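As an added example (not from this thread or from Cisco), the check behind the "RSA (1024 bits)" line in the ASA output above, written against the standard library only: it walks the certificate's DER structure, reads the RSA modulus size and applies the 2048-bit rule from the Apple article. The certificate it tests is constructed in code and is not a real ASA certificate.

```python
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed type (SEQUENCE) into child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits(cert_der):
    """Return the RSA modulus size in bits, or None when the key is not RSA (e.g. ECDSA)."""
    _, cert, _ = der_tlv(cert_der)                    # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = der_children(der_children(cert)[0][1])   # the tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop optional [0] EXPLICIT version
    # order is now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, public_key = der_children(fields[5][1])
    if der_children(algorithm[1])[0][1] != RSA_ENCRYPTION_OID:
        return None
    _, rsa_public_key, _ = der_tlv(public_key[1][1:])   # skip the BIT STRING unused-bits byte
    modulus = der_children(rsa_public_key)[0][1]        # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    return int.from_bytes(modulus, "big").bit_length()

def trusted_by_catalina(cert_der):
    """Apply the HT210176 rule quoted above: RSA keys need >= 2048 bits; non-RSA keys pass this check."""
    bits = rsa_key_bits(cert_der)
    return bits is None or bits >= 2048

# --- constructed test data: a certificate-shaped DER skeleton, not a real ASA certificate ---
def der(tag, content):
    """Encode one DER TLV (short-form length below 128 bytes, long-form otherwise)."""
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def fake_rsa_cert(bits):
    """Build a minimal X.509-shaped blob whose RSA modulus has the requested size."""
    modulus = b"\x00\x80" + b"\x11" * (bits // 8 - 1)   # leading 0x00 keeps the INTEGER positive
    rsa_pub = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_pub))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # plus empty signatureAlgorithm/signatureValue
```

To check a live gateway instead of the constructed blob, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `trusted_by_catalina`.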
Beginner

Upgraded to Catalina and got Cisco AnyConnect version 4.8.00175.

All certificates are there. 

Connection error:

Posture Assessment Failed: Unable to download CSD library. Please try again

Any ideas?

 


I have tried the suggested change. I get a warning and hit Connect Anyway, and then I go right back to the same error.

 


 

Any thoughts on what may still be the problem? This group is the closest thing I have found. Thanks!


Same issue. After updating the XML file, I got "Certificate is from an untrusted source".

I tried Connect Anyway (with and without the "Always Trust Server..." checkbox checked).

 


 

I just upgraded from macOS 10.14.x to macOS 10.15.1 in place.

I upgraded my AnyConnect client from 4.6.x to 4.8.00175.

 

VPN had been working fine under Mojave.  

 

Reading (now) that others are having issues in this forum and around the web.

 

Any suggestions?


When I tick the "Always trust this server and import the certificate" checkbox, the login fails -- if I do NOT check that box, the login succeeds for me.


Many thanks!!!!

This worked perfectly to get the VPN module to work again. Do you have any recommendations on how to get it to work with the ISE Posture module? We only use publicly signed certs on the portal for ISE. The ISE posture module is having the same issue as the VPN module, because the rest of the ISE certs are self-signed (Internal PKI signed).