
Anyconnect Start Before Logon error

Hello Community,

When I try to connect with Anyconnect Start Before Logon, I get the error "Anyconnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." The firewall is a Firepower 1010 and I use the preinstalled certificates for the RA VPN.

If I log on to Windows I don't have any problem; the VPN is working. I need the SBL because I want all the remote users to be able to log in to their computer only if they authenticate with the Active Directory first.

Ioannis Gerokostas


Where did you import the firewall cert on the client? Machine or user store? I think the issue here could be related to not trusting the cert being presented by the firewall. Before the users log into their machines, the user's certificate store wouldn't be accessible, hence if you imported the firewall cert into the user certificate store, that cert won't be trusted. If that is the case, please try to import the firewall cert into the machine store and see if that fixes the issue.

Hello Aref

Thank you for your reply. I didn't import any certificate; I just created the VPN profile on the Firepower and installed Anyconnect on the client. For authentication I use Active Directory. I have uploaded the configuration of the RA VPN profile.

I checked the certificate console on the client, both users and computer, and I couldn't find any certificate related to Cisco.

You're welcome. I think you need to import the firewall certificate into the Windows machine trusted store. To do that:

- Click on the Windows icon at the bottom left and type cert

- Open "Manage computer certificates" tool

- Go to "Trusted Root Certificate Authorities > Certificates" and import the cert in there.

Hello Alef

Which certificate do I have to import, the DefaultInternalCertificate? If yes, first I have to export the certificate from the firewall. I don't know how to do this; I googled "export firepower certificate" but I didn't find anything.

Yes, it is the firewall certificate that should be imported. I think you can export it from the firewall by going to Objects > Certificates; if not, you can go into the firewall CLI and issue the command "show crypto ca certificates" and then copy the cert and paste it into a notepad file.
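
The machine-store import suggested in the replies above, as an added PowerShell example that is not part of the original thread. It checks the exported file against a thumbprint confirmed out of band before trusting it, and reports whether the certificate is trusted only in the user store. The function name, file path and thumbprint are assumptions or placeholders.

```powershell
# Added example. Install-GatewayCertForSbl is a hypothetical helper name; the
# path and thumbprint in the usage line are placeholders, not thread values.
function Install-GatewayCertForSbl {
    param(
        [Parameter(Mandatory)] [string] $CertPath,           # exported firewall cert file
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # SHA-1, confirmed out of band
    )

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 (Resolve-Path -LiteralPath $CertPath).Path)
    $thumb = $cert.Thumbprint
    $want  = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Refuse to trust a file whose fingerprint does not match the gateway's.
    if ($thumb -ne $want) {
        throw "Thumbprint mismatch: file has $thumb, expected $want."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)."
    }

    # The CurrentUser\Root view also lists machine-store entries, so only the
    # "user but not machine" case is meaningful. The user store is not
    # available before logon, which is when Start Before Logon runs.
    $inUser    = Test-Path -LiteralPath "Cert:\CurrentUser\Root\$thumb"
    $inMachine = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"

    if ($inMachine) {
        return "Already trusted in LocalMachine\Root: $($cert.Subject)"
    }
    if ($inUser) {
        Write-Warning 'Trusted only in the user store; not usable before logon.'
    }

    # Writing to the machine store needs an elevated session.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session to write to LocalMachine\Root.'
    }

    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $($cert.Subject) (thumbprint $thumb) into LocalMachine\Root"
}

# Usage with placeholder values:
# Install-GatewayCertForSbl -CertPath 'C:\Temp\firewall.cer' -ExpectedThumbprint '<SHA-1 thumbprint>'
```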