Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6931
Views
0
Helpful
9
Replies

anyconnect+SAML - failed due to problem verifying server certificate

Go to solution
MarkKruse5137
Level 1
Level 1

‎09-05-2023 11:36 AM

I've gone through a couple of documents for setting up AnyConnect with Azure SAML. The configuration part seemed to go fine, but when the VPN client tried to connect it returns the "cisco secure client authentication failed due to problem verifying server certificate" error. The ASA certificate was issued by an internal CA and both the ASA and client trust this CA.

Not sure what I'm missing here?

Any help would be appreciated.

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gajownik
Cisco Employee
Cisco Employee

‎10-06-2023 10:21 AM

This error happens when the server certificate is not trusted by the PC. Untrusted server certificates are not supported with an Embedded Browser:

------------------------------------------------------------------------------------------------------
When using SAML with Secure Client, follow these guidelines:
- Untrusted server certificates are not allowed in the embedded browser.
------------------------------------------------------------------------------------------------------
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-remote-access.html#reference_pdf_cx3_psb

In order to troubleshoot this issue please open a browser and visit the same URL that you have in your connection profile. Do you see browser error informing about untrusted certificate? If yes then internal root CA and/or subCA certificate is not installed correctly.
Location where certificates should be installed depends on the browser and the operating system. For example Firefox by default does not use system store and has it's own one.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee

‎09-05-2023 04:54 PM

You need to confirm if the SSL handshake is getting completed before we look into troubleshooting SAML.
Try taking capture on the outside interface and dump it into pcap and analyze in wireshark. Capture command for reference:-

capture capout interface outside match ip host <FW-Outside-IP> <Client-Public-IP>
sh cap capout dump

0 Helpful

Go to solution
MarkKruse5137
Level 1
Level 1

‎09-06-2023 05:45 AM

Hi Pavan,

Thanks for the info. I ran the capture, but I'm not sure what I'm looking for. From what I can see the handshake is complete. There is a line "TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)" that kind of sticks out.

0 Helpful

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee
In response to MarkKruse5137

‎09-06-2023 06:42 AM

What kind of certificate is this? A self signed one or is it signed by some well trusted CA?

0 Helpful

Go to solution
MarkKruse5137
Level 1
Level 1

‎09-06-2023 06:45 AM

No. The ASA certificate was issued by an internal CA and both the ASA and client trust this CA

0 Helpful

Go to solution
Pavan Gundu
Cisco Employee
Cisco Employee
In response to MarkKruse5137

‎09-06-2023 06:55 AM

Can you send those captures and also the DART bundle with timestamp if there is DART module installed on your secure client?

0 Helpful

Go to solution
MarkKruse5137
Level 1
Level 1

‎09-06-2023 07:00 AM

Where can I send it?

0 Helpful

Go to solution
msmoak
Level 1
Level 1

‎10-05-2023 06:51 AM

Mark, were you able to find a solution? I am having the exact same problem.

0 Helpful

Go to solution
Milos_Jovanovic
VIP Alumni
VIP Alumni

‎10-05-2023 11:33 PM

Because SSO is in use, with multiple communication flows, including Azure sending assertion back to ASA, certificate on the public side must be signed by public/trusted CA. If Internal PKI is used, errors like these happens, regardless of ASA and client trust eachother (Azure doesn't trust your PKI).

Kind regards,

Milos

0 Helpful

Go to solution
gajownik
Cisco Employee
Cisco Employee

‎10-06-2023 10:21 AM

This error happens when the server certificate is not trusted by the PC. Untrusted server certificates are not supported with an Embedded Browser:

------------------------------------------------------------------------------------------------------
When using SAML with Secure Client, follow these guidelines:
- Untrusted server certificates are not allowed in the embedded browser.
------------------------------------------------------------------------------------------------------
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-remote-access.html#reference_pdf_cx3_psb

In order to troubleshoot this issue please open a browser and visit the same URL that you have in your connection profile. Do you see browser error informing about untrusted certificate? If yes then internal root CA and/or subCA certificate is not installed correctly.
Location where certificates should be installed depends on the browser and the operating system. For example Firefox by default does not use system store and has it's own one.

0 Helpful
Customers Also Viewed These Support Documents