AnyConnect Linux 4.8 - Authentication failed

Using the 4.8.03052 Linux client, I am no longer able to logon to my company's VPN.

When I attempt to connect it briefly flashes a window before popping up another saying "Authentication failed due to problem verifying server certificate." This window will not let me close it when it first appears, but after ~10 seconds I can.

Running as root I get a popup to accept the server certificate. Choosing "Connect Once" the same thing happens. Choosing "Always Connect" I get "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

If I start the UI from a terminal, I see this error as soon as I hit Connect (and it repeats if I try to Connect again):

(Cisco AnyConnect Secure Mobility Client:10345): Gtk-CRITICAL **: 16:32:22.473: IA__gtk_combo_box_text_append_text: assertion 'text_column >= 0' failed

What is supposed to happen is that I should be brought to a 3rd party website to begin 2-factor authentication. Until recently this popped in a browser and worked fine, but it was changed to pop within the client, and I haven't been able to connect since. (I am able to connect from the same network on a Windows machine, which pops the 2FA window.)

Best I can tell all dependencies are at their required versions. I am running Mint 19.2; here are my GTK versions:

$ apt list webkit* libgtk* | grep installed
libgtk-3-0/bionic-updates,now 3.22.30-1ubuntu4 amd64 [installed]
libgtk-3-bin/bionic-updates,now 3.22.30-1ubuntu4 amd64 [installed]
libgtk-3-common/bionic-updates,bionic-updates,now 3.22.30-1ubuntu4 all [installed]
libgtk2-perl/bionic,now 2:1.24992-1build1 amd64 [installed]
libgtk2.0-0/bionic,now 2.24.32-1ubuntu1 amd64 [installed]
libgtk2.0-bin/bionic,now 2.24.32-1ubuntu1 amd64 [installed]
libgtk2.0-cil/bionic,now 2.12.40-2 amd64 [installed]
libgtk2.0-common/bionic,bionic,now 2.24.32-1ubuntu1 all [installed]
libgtk3-perl/bionic,bionic,now 0.032-1 all [installed]
libgtkmm-2.4-1v5/bionic,now 1:2.24.5-2 amd64 [installed]
libgtkmm-3.0-1v5/bionic,now 3.22.2-2 amd64 [installed]
libgtksourceview-3.0-1/bionic,now 3.24.7-1 amd64 [installed]
libgtksourceview-3.0-common/bionic,bionic,now 3.24.7-1 all [installed]
libgtkspell0/bionic,now 2.0.16-1.2 amd64 [installed]
webkit2gtk-driver/bionic-updates,bionic-security,now 2.28.3-0ubuntu0.18.04.1 amd64 [installed]

I have reinstalled the client (from predeploy tarball) several times after wiping out all cache/profile data (/opt/cisco, /opt/.cisco, ~/.cisco, ~/.cache/Cisco...) - always results in the same error.

Any ideas?


9 Replies

David Kron (Accepted Solution)
Level 1

I had this same problem and TAC couldn't figure it out either. They started digging down trying to troubleshoot the head end, though all other clients worked fine... Eventually, figured it out myself after staring at logs for a while. If your 2fa is popping a web portal for you to log into, anyconnect opens it with WebKitGTK. An intermediate cert in my cert chain wasn't trusted by default on my machine, and I was lazily just hitting allow (as you are) when anyconnect complained about it. This trusts it in anyconnect, and allows you to start a connection. However, when it calls the browser page with WebKitGTK it's using your local machine certificate store, NOT anyconnect's, and if it's not trusted there then it instantly closes the page, hangs for several seconds, and delivers the error.

 

Once I figured this out I stopped being lazy and imported the missing intermediate cert. The 2fa page immediately started working and I got my Duo push to come through.

Hello David,

I believe I am also having the same problem. I am getting the same error message when I open Cisco from the terminal. However, it is not clear what steps I need to follow to resolve this issue. Can you please provide the steps you followed to resolve it? I am sorry for asking for more elaboration on this.

It varies by the Linux distro you are using, but you have to install the full trust chain for the CA that signed your certs. If you do that, it will begin working.

Sorry, I can't elaborate more, but different distros will do it in slightly different ways. If you have anyone who can do Linux sysadmin, they should be able to take care of it.

Thank you for your response. I am using Ubuntu 20.04.2 and I have admin rights on my personal laptop. Cisco AnyConnect VPN was working earlier for my school network. However, suddenly after connecting with Cisco VPN, the status is "connected" but I am still unable to access the network in the browser. I verified that the IP changed to that of my school network IP, and I also have access to my school network through Cisco, but somehow when I connect to other sites which should recognize my school IP they do not give me access to their resources. Therefore, it seems I am connected to the VPN but some sites are inaccessible in the browser which should not be. Also, I get the same error message in the terminal as mentioned in this thread. Would you be able to advise here?

I am having exactly the same issue. I would be glad if anyone can provide a solution. Thanks

David's solution of importing the whole cert chain resolved the issue for me.

Some tips:

- You can download the whole cert chain to a PEM file using Firefox (can't find the option in Chrome, though it may be there somewhere).

- You may need to pull both the 2FA company's cert and your company's VPN server cert.

- AnyConnect doesn't use the system cert store (/etc/ssl/certs), so you have to import to /opt/.cisco/certificates/ca (or create a symlink to the system certs).

Hi, thanks for the reply. I downloaded the cert chain in PEM format and added these to the system ca-certificates. I also created symbolic links for all the cert files in /etc/ssl/certs in /opt/.cisco/certificates/ca. I am still facing the same issue. However, now I don't get the prompt to install the certificates when running as root, and it directly tries to open the login window (which closes immediately).

mikeyjoel
Level 1

Those on RHEL 8.x, 9.x and Fedora 37+:

PEM Chain Download

1. Open Firefox and go to the URL used by your VPN provider.

2. To the left of the URL bar, click the lock icon > Connection Secure > More Information > View Certificate > Miscellaneous > PEM (chain). This will download it to your Downloads folder.

Installing PEM

1. Open a terminal and run the following commands:

# Set certpem to the name of the .pem downloaded earlier from Firefox.
certpem=<name-of-downloaded-file>.pem

# Copy the chain into the system-wide trust store as a root-owned, read-only
# anchor. install does the chown/chmod in one step, and $HOME is expanded by
# your own shell before sudo runs, so it still points at your Downloads folder
# (a plain "sudo su" followed by ~/Downloads would look in /root instead).
sudo install -o root -g root -m 0444 "$HOME/Downloads/$certpem" /usr/share/pki/ca-trust-source/anchors/

# Rebuild the consolidated trust store so the change takes effect
sudo update-ca-trust

If Cisco AnyConnect is open, close it and launch it again.

If you are still getting the same certificate error, repeat the same steps for your MFA provider. For example, for Duo you would do the same for the common name *.login.duosecurity.com

Reference: Using shared system certificates 

Those on RHEL 9.x and Fedora 37:

If you get the following error:

"You are missing the required libraries for the authentication method you requested"

make sure to install webkit2gtk4.0:

sudo dnf install -y webkit2gtk4.0

Tested working with Cisco AnyConnect 4.9+ and Cisco Secure Client 5
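The chain problem David describes (an intermediate the local store does not trust), together with the PEM (chain) export and trust-store steps from the tips and the RHEL procedure above, as an added example that is not code from this thread or from Cisco. It is a POSIX shell script that generates a throwaway root/intermediate/leaf hierarchy so it runs offline, shows the verification failure when the store holds only the root and the success once the intermediate is supplied, and splits a chain file to report which issuer certificates the store lacks. Everything in it is assumed: the names Example Root CA, Example Issuing CA and vpn.example.net, and the bundle file that stands in for the system store.

```shell
#!/bin/sh
# Added example, not code from this thread. It reproduces David's diagnosis
# offline: a gateway leaf certificate whose intermediate CA is absent from the
# local trust store fails with "unable to get local issuer certificate", and it
# shows how to split a Firefox "PEM (chain)" export into one file per certificate
# and list the issuer (CA) certificates the store does not have yet.
# All names here (Example Root CA, Example Issuing CA, vpn.example.net) are made
# up; the hierarchy is generated locally with throwaway keys.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# root -> intermediate -> leaf, 2-day validity. chain.pem mimics the Firefox
# export order: leaf first, then its issuers.
make_hierarchy() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.net" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.net\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# verify_leaf STORE_BUNDLE [UNTRUSTED_PEM]
# STORE_BUNDLE stands in for the system trust store. Prints "ok",
# "missing-issuer" (the failure mode from the thread) or the raw error.
verify_leaf() {
  if [ -n "${2-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1) || true
  fi
  case "$out" in
    *": OK") echo ok ;;
    *"unable to get local issuer certificate"*) echo missing-issuer ;;
    *) echo "fail: $out" ;;
  esac
}

# split_chain PEM_FILE OUT_DIR: writes cert-01.pem, cert-02.pem, ... in chain
# order and prints how many certificates were found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$1"
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# missing_ca_certs STORE_BUNDLE CHAIN_PEM
# Prints the subject of each CA certificate in CHAIN_PEM whose SHA-256
# fingerprint is not already in STORE_BUNDLE. The leaf is skipped: only its
# issuers are candidates for a trust store.
missing_ca_certs() {
  store_dir=$(mktemp -d "$WORK/store.XXXXXX")
  chain_dir=$(mktemp -d "$WORK/chain.XXXXXX")
  split_chain "$1" "$store_dir" >/dev/null
  split_chain "$2" "$chain_dir" >/dev/null
  known=$(for c in "$store_dir"/cert-*.pem; do openssl x509 -noout -fingerprint -sha256 -in "$c"; done)
  for c in "$chain_dir"/cert-*.pem; do
    openssl x509 -noout -text -in "$c" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || continue
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$c")
    case "$known" in *"$fp"*) continue ;; esac
    openssl x509 -noout -subject -in "$c"
  done
}

make_hierarchy
echo "store has root only, leaf alone:           $(verify_leaf "$WORK/root.crt")"
echo "store has root, intermediate supplied too: $(verify_leaf "$WORK/root.crt" "$WORK/int.crt")"
echo "CA certificates in chain.pem missing from the store:"
missing_ca_certs "$WORK/root.crt" "$WORK/chain.pem"
```

Run as written it prints missing-issuer, then ok, then the subject of Example Issuing CA as the one certificate to install. To use it against a real gateway, point missing_ca_certs at the Firefox PEM (chain) export instead of chain.pem and at the system bundle instead of root.crt: /etc/pki/tls/certs/ca-bundle.crt on RHEL/Fedora, /etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu. The certificates it lists go into /usr/share/pki/ca-trust-source/anchors/ followed by update-ca-trust, or into /usr/local/share/ca-certificates/ with a .crt extension followed by update-ca-certificates.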

123456789ali
Level 1

Close the Cisco VPN application, download the application from the source, and run:

sudo bash <AnyconnectFile.sh>

sudo apt update
sudo apt install -y libwebkit2gtk-4.0-37

ADDRESS=<write your IP or Domain>

# Fetch the certificate the gateway presents and save it as PEM
echo | openssl s_client -connect "${ADDRESS}:443" 2>/dev/null | openssl x509 > "${ADDRESS}.crt"

# update-ca-certificates picks up .crt files from this directory
sudo cp "${ADDRESS}.crt" /usr/local/share/ca-certificates/
sudo update-ca-certificates

/opt/cisco/secureclient/bin/vpnui

This helped me with Ubuntu 22.04 and Cisco Secure Client 5.0.05040.