[AnyConnect] No valid certificates available for authentication

Patrick Tran
Level 1

Hi Patrick,

Does this user have admin rights on the machine?

Where does the certificate store point to? (setting found in the XML profile).

Does this machine have the same configuration as the others?

This error is usually seen when AnyConnect is unable to access the certificate store and therefore does not find a valid certificate.

We would need to collect the DART bundle as well to confirm the specific reason for this log.

HTH.

Thanks.

Please rate any helpful posts.

Hello,

Thanks for your answer.

Does this user have admin rights on the machine? Yes (but other users have no problem without admin rights)

Where does the certificate store point to? User

Does this machine have the same configuration as the others? All computers are installed with Master system image and we use an installation package for AnyConnect.

The user has already succeeded in connecting.

I'm wondering why this error is flooding the logs...

I will try other tests before installing DART.

Best regards,

Patrick

If anyone else searches for this problem and finds this: copying a working profile (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) to the affected PC will resolve the issue.

At least, it worked for me.

We had the same issue. We did the "run as administrator" in the privilege settings as per the previous post and it worked.

Then we went back and unchecked the box and it is still working.

The user is an administrator on the machine.

But that's a problem since we have to do that on hundreds of machines.

Anybody found any permanent solution?

 

Hello Patrick,

Did James's advice work for you?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Our installation package automatically copies a working profile to :\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile, so this computer already has it...

We can close the ticket. I think that the user has no problem anymore or has changed his computer.

Thanks for your help,

Patrick

Sorry, I did not understand the profile thing. Can you please explain? Do we have to upload this profile on the ASA?

Hi Javier,

I have the same problem, though in my case all users have always been connecting until today. In short, no one is able to connect to the VPN all of a sudden, and the error we are all getting is "No valid certificates available for authentication".

darebin
Level 1

I also had the problem of "no valid certificates available for authentication", although it only prompted once, rather than a flood like the OP.

However, the cause and solution for my problem was:

The certificate used for authentication was issued by my internal CA, to the Computer, NOT the user.

Although the user that is logged on is a local administrator, the AnyConnect Client application does not have the permission to send the certificate from the Computer store.

The application needs to 'run as administrator'

Right-click the application shortcut -> Properties -> Compatibility -> Privilege Level.

Tick -> Run This Program As Administrator.

I needed to reboot the client PC before this worked.

N.B. I was using Windows 8.

I had the same problem after a PC crash (bod).

Rebooting the PC didn't fix the issue.

I checked with the Windows MMC that the certificate was there and valid.

I tried again with AnyConnect, no way.

I opened the VPN profile editor to check the profile file's sanity; the configuration was right, and I didn't save or modify the .xml profile file. After this AnyConnect started working again, without touching admin privileges or the profile file.

So, rare issue.

 

Chris Ingram
Level 1

I have an odd issue.  I have a user that is getting this exact same error but this tunnel group on this ASA is not even configured for certificate authentication.  I'm pasting the user's message below because the user provided log messages for the failures.  I'm going to request the successful attempt logs, too.  I wouldn't have believed this if I didn't see the URL myself (being the firewall admin).

 

I seem to have difficulty connecting to the VPN and get the error that "No valid certificates available for authentication." This isn't the first time I've had this issue, but it was the first time it took so long to get it to finally connect.
 
Here is the log from my trying yesterday morning. I'm not sure what eventually made it work, but it did. Is there something I am doing wrong? It took me 20 minutes before I was able to get connected. Unfortunately I didn't go back and add the log messages from the successful connection.
 
10/25/2017
 6:12:14 AM Ready to connect.
 6:13:57 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:14:57 AM Connection attempt has failed.
 6:14:58 AM No valid certificates available for authentication.
 6:14:58 AM Connection attempt has failed.
 
 6:15:14 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:16:14 AM Connection attempt has failed.
 6:16:15 AM No valid certificates available for authentication.
 6:16:15 AM Connection attempt has failed.
 
 6:16:40 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:17:40 AM Connection attempt has failed.
 6:17:41 AM No valid certificates available for authentication.
 6:17:41 AM Connection attempt has failed.
 
 6:17:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:18:49 AM Connection attempt has failed.
 6:18:50 AM No valid certificates available for authentication.
 6:18:50 AM Connection attempt has failed.
 
 6:19:07 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:20:07 AM Connection attempt has failed.
 6:20:08 AM No valid certificates available for authentication.
 6:20:08 AM Connection attempt has failed.
 
REBOOT
 
10/25/2017
 6:24:46 AM Ready to connect.
 6:28:02 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:29:02 AM Connection attempt has failed.
 6:29:03 AM No valid certificates available for authentication.
 6:29:03 AM Connection attempt has failed.
 
 6:30:04 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:31:04 AM Connection attempt has failed.
 6:31:05 AM No valid certificates available for authentication.
 6:31:05 AM Connection attempt has failed.
 
 6:31:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:32:19 AM User credentials entered.
 6:32:19 AM Establishing VPN session...
 6:33:10 AM Connection attempt has failed.

Please check the XML profile of AnyConnect to see if there is still something about the certificates:

Maybe you have chosen the option: Certificate matching.
Then you should disable that.

 

best regards

Rafael

We have had this very same error, but we were not using certificate authentication.

Please be aware that this same error might pop up when you do not use certificate authentication.

The error could be triggered if you are connecting towards an ASA that is missing the anyconnect image definitions in its running config.

Within the webvpn section we had to add the following:

 

anyconnect image shared:/anyconnect/anyconnect-win-webdeploy-k9.pkg 1
anyconnect image shared:/anyconnect/anyconnect-macos-webdeploy-k9.pkg 2
anyconnect image shared:/anyconnect/anyconnect-linux64-webdeploy-k9.pkg 3

Of course these are the actual files on my ASA; they might be different on yours.

Kevin C.
Level 1

Thanks for the previous posts - they have at least set me down the right path. I have had AnyConnect installed on both my work and home computers for years and never encountered this issue until about 10 days ago when v4.5.02036 was forced by my employer upon opening the app. The upgrade completed on both computers and works on my work PC, but not my home PC (both are Win7SP1).

 

What I have tried:

 - confirmed with IT department that there is no widespread issue with their installer package - they are as mystified with my problem as I am.

 - uninstalled, including deletion of the /ProgramData/Cisco/ folder, reboot, reinstall (four times)

 - made sure the application is set to run as administrator

 - despite knowing the certificates on this machine were valid and 7 months from expiration, I reinstalled them (Edit: I reinstalled certs for my user, not the computer/all users)

 - copied over the /ProgramData/Cisco/ folder from my work computer on which AnyConnect is successfully running the new version (both before and after a reinstall)

 

If anyone who has successfully fixed this issue took steps not listed here that might make a difference, I'd appreciate a reply. I do have an AnyConnectProfile.xsd file in the /Profile/ directory, but I'm not sure where in that file the certificate path is supposed to be referenced, so I may still be missing what other people in this thread have fixed. Thanks in advance for any assistance.
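
Added example (not part of any post in this thread and not Cisco's code): several replies above ask where the certificate store points and whether certificate matching is enabled in the XML profile, so this Python sketch reads those options from a profile and flags the conditions the thread describes. The sample profile is constructed, the function names `local` and `audit_profile` are hypothetical, and treating a missing `CertificateStore` as `All` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, not taken from the thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <CertificateMatch>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return (settings, findings) for the certificate options of one profile."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "AnyConnectProfile":
        # AnyConnectProfile.xsd is the schema; its root is <schema>, not a profile.
        raise ValueError("not an AnyConnect profile: root is <%s>" % local(root.tag))
    settings = {"CertificateStore": "All",  # assumption: value used when absent
                "CertificateStoreOverride": "false",
                "CertificateMatch": []}
    for el in root.iter():
        name = local(el.tag)
        if name in ("CertificateStore", "CertificateStoreOverride"):
            settings[name] = (el.text or "").strip()
        elif name == "CertificateMatch":
            # Collect the leaf criteria, e.g. ("ExtendedMatchKey", "ClientAuth").
            settings[name] = [(local(c.tag), (c.text or "").strip())
                              for c in el.iter() if c is not el and len(c) == 0]
    findings = []
    store = settings["CertificateStore"]
    override = settings["CertificateStoreOverride"].lower() == "true"
    if store == "Machine" and not override:
        findings.append("Machine store without override: client needs admin rights")
    if store == "User":
        findings.append("User store only: a certificate issued to the computer is not searched")
    if settings["CertificateMatch"]:
        findings.append("Certificate matching active: non-matching certificates are ignored")
    return settings, findings
```

To audit a client, pass the text of each .xml file in the Profile directory mentioned in the thread to `audit_profile`; the .xsd file in that directory is rejected because it is the schema, not a profile.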