08-20-2010 11:41 AM - edited 02-21-2020 04:48 PM
Ok so here's the scoop, I have a VPN setup on our ASA5510, authentication is happening via local user database and local certificate authority. Everything works as it should on a Windows XP system, install the certificate, launch AnyConnect, the VPN connects just fine.
On a Windows 7 Pro installation, I can launch the VPN via web browser and connect to the VPN just fine. When I try to connect the VPN directly from the AnyConnect software via the start menu I get a certificate validation failure error. Have tried reimporting the certificate, regenerating etc... the cert is in the certificate store. I upgraded to AnyConnect 2.4 and still get the same issue. Anyone run into this problem?
08-20-2010 02:06 PM
Can you provide the AnyConnect event logs and the following debugs from the ASA?
debug webvpn 128
deb web svc 128
deb crypto ca 255
09-29-2010 08:07 AM
Hi,
Same error for us.
The Certificate used on the ASA outside interface is from our own CA-server.
XP clients work just fine connecting with AnyConnect.
But when using Windows 7 we directly get the errors "Unable to process response from ..." and "Certificate validation failure".
Could it be that the AnyConnect client can't access the cert store correctly on Windows 7 in certain circumstances?
Anyone recognise this?
Root cert for our domain and CA is in the certstore.
As a side note, the latest full IPSec client works great on Windows 7. This is also using computer certs from our CA.
The debug didn't give that much on the ASA.
Attaching some selected errors from the AnyConnect part of the Event Viewer.
(Company info x'ed out below)
------------------------------
Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 2239
Certificate authentication requested from gateway, no valid certs found in users cert store.
------------------------------
Function: ConnectMgr::setPromptAttributes
File: .\ConnectMgr.cpp
Line: 3032
Invoked Function: setPromptAttributes
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Error text:
Certificate Validation Failure
------------------------------
Function: ConnectMgr::getNextClientCert
File: .\ConnectMgr.cpp
Line: 3605
Invoked Function: ConnectMgr :: getNextClientCert
Return Code: 0 (0x00000000)
Description: Subject Name: CN=MININT-0BJVK6E.xx.xxx.net
Common Name : MININT-0BJVK6E.xx.xxx.net
Domain :
Company :
Department :
Issuer Name : DC=net, DC=xxx, DC=xxx, CN=xxx
------------------------------
Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 1703
Invoked Function: ConnectMgr::processIfcData
Return Code: 12044 (0x00002F0C)
Description: A certificate is required to complete client authentication
Connection attempt failed. Please try again.
All help appreciated.
Regards
//Robert
09-29-2010 01:57 PM
I have a client that is seeing the same exact issue. There are two CAs, a Root and a Sub CA. If we manually request a certificate via the Certificate snap-in we are able to log in fine. Yet the machine certificate issued via group policy will not work.
The main difference we see is that when using the AD-generated certificate we get the following error in the event log.
Function: ConnectIfc::send
File: .\ConnectIfc.cpp
Line: 897
Invoked Function: ConnectIfc::connect
Return Code: 0 (0x00000000)
Description: Auth Cookie acquired
Thanks for the help out
01-27-2012 05:18 AM
I struggled with this issue and it only occurred on Windows 7 machines. The solution for myself was a one-line command to allow the certificates to be used on the outside interface.
ssl certificate-authentication interface
Just in case anyone is still having issues with the Certificate Validation error.
01-27-2012 05:51 AM
I found the issue in our environment to be that AnyConnect could not access the computer cert in the cert store for Windows 7.
After also generating user certs for people the issue was resolved.
We have
Using user certs was actually better for us, given the way we decided to proceed in the switch from the IPSec VPN client to AnyConnect.
Hope this helps someone out there.
01-27-2012 06:05 AM
We were already using user certs and would get the error "Certificate Validation Failure" from the Cisco AnyConnect client. If we launched the session from the SSL page, the install would complete and AnyConnect would connect without an issue. On the second attempt, launching the AnyConnect client, we would get the "Certificate Validation Failure" and, because only clients with valid certs can connect, the session was terminated.
The solution for the Windows 7 clients was to apply the command
ssl certificate-authentication interface
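The "no valid certs found in users cert store" log line in this thread is only useful once you know which store the client is looking in and whether the cert there is actually usable. The script below is an added example, not from any poster in this thread or from Cisco, that lists the certificates in the user and machine personal stores on a Windows client and reports the properties a client-authentication cert needs (Client Authentication EKU, an accessible private key, a chain that validates against the local trust store). The store paths and the EKU OID are standard Windows values; nothing else is assumed.

```powershell
# Added example (not from the thread): inventory client-auth certificates in the
# user and machine personal stores so a "no valid certs found" error can be
# traced to the wrong store, a missing EKU, a missing private key or a broken chain.
# Run in an elevated PowerShell on the affected client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (RFC 5280 id-kp-clientAuth)
$ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Host "== $store =="
    Get-ChildItem $store | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs; a cert with no EKU extension is valid for any purpose.
        $ekus = @($cert.Extensions |
                  Where-Object { $_.Oid.Value -eq $ekuExtOid } |
                  ForEach-Object { $_.EnhancedKeyUsages } |
                  ForEach-Object { $_.Value })
        $hasClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
        # Verify() builds and validates the chain (trust, validity period, revocation)
        # using the same Windows trust store the VPN client relies on.
        $chainOk = $cert.Verify()
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            ChainValid    = $chainOk
        }
    } | Format-Table -AutoSize
}
```

A cert that appears only under LocalMachine\My with ClientAuthEKU and ChainValid true but is still reported as "no valid certs found in users cert store" points at a store-access problem, which matches the user-cert workaround described above.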