10-10-2022 06:56 AM
Hello Community,
When I try to connect with AnyConnect Start Before Logon I get the error "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." The firewall is a Firepower 1010 and I use the preinstalled certificates for the RA VPN.
If I log on to Windows I don't have any problem; the VPN is working. I need SBL because I want all the remote users to be able to log in to their computers only if they authenticate with Active Directory first.
Ioannis Gerokostas
10-10-2022 08:42 AM
Where did you import the firewall cert on the client? Machine or user store? I think the issue here could be related to not trusting the cert being presented by the firewall. Before the users log into their machines, the user certificate store wouldn't be accessible, hence if you imported the firewall cert into the user certificate store that cert won't be trusted. If that is the case, please try to import the firewall cert into the machine store and see if that fixes the issue.
10-11-2022 12:34 AM
Hello Aref
Thank you for your reply. I didn't import any certificate; I just created the VPN profile on the Firepower and installed AnyConnect on the client. For authentication I use Active Directory. I uploaded the configuration of the RA VPN profile.
I checked the certificate console on the client, both user and computer, and I couldn't find any certificate related to Cisco.
10-11-2022 03:39 AM
You're welcome. I think you need to import the firewall certificate into the Windows machine trusted store. To do that:
- Click on Windows icon bottom left and type cert
- Open "Manage computer certificates" tool
- Go to "Trusted Root Certificate Authorities > Certificates" and import the cert in there.
10-11-2022 05:39 AM
Hello Alef
Which certificate do I have to import, the DefaultInternalCertificate? If yes, first I have to export the certificate from the firewall. I don't know how to do this; I googled "export Firepower certificate" but I didn't find anything.
10-11-2022 05:56 AM
Yes, the firewall certificate is what should be imported. I think you can export it from the firewall by going to Objects > Certificates; if not, you can go into the firewall CLI and issue the command "show crypto ca certificates" and then copy the cert and paste it into a Notepad file.
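An added example (not from this thread or from Cisco) that scripts the check and the import discussed above: it reports whether the exported firewall cert is in the user or the machine Trusted Root store, imports it machine-wide, then validates the chain the gateway actually presents. The file path and gateway hostname are placeholders, and it must run from an elevated prompt.

```powershell
# Added example. Assumes the firewall cert was exported to C:\Temp\firewall.cer and that
# vpn.example.com is the RA VPN gateway (both placeholders, not values from the thread).
param(
    [string]$CertPath = 'C:\Temp\firewall.cer',
    [string]$Gateway  = 'vpn.example.com'
)

# 1. Where does the cert live today? SBL runs before any user profile is loaded,
#    so only Cert:\LocalMachine matters for the pre-logon AnyConnect client.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0}: {1}' -f $store, $(if ($found) { 'present' } else { 'missing' })
}

# 2. Import into the machine-wide Trusted Root Certification Authorities store.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Pull the certificate the gateway really serves on 443 and build its chain.
#    The validation callback always returns $true so we can inspect the cert ourselves;
#    trust is decided by X509Chain below, not by this callback.
$client = New-Object System.Net.Sockets.TcpClient($Gateway, 443)
$ssl = New-Object System.Net.Security.SslStream(
    $client.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($Gateway)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # reachability of the CRL is not the question here
$ok = $chain.Build($remote)
"Gateway presented: $($remote.Subject) (thumbprint $($remote.Thumbprint))"
"Chain builds to a trusted root: $ok"
if (-not $ok) { $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() } }
$ssl.Dispose(); $client.Dispose()
```

X509Chain run as a normal user also consults the CurrentUser store, so to reproduce exactly what the pre-logon client sees, run the script as SYSTEM (for example via a scheduled task or PsExec -s), where only the machine store is visible.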