cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
614
Views
0
Helpful
9
Replies

Can't connect anyconnect after ASA firmware Upgrade

aungyekhant
Level 1
Level 1

We upgrade our ASA(Active / Standby) firewall from 9.2(2)4 to 9.12.4 Interim last night. Upgrade Activity is fine. But, after upgrade to 9.12.4, our anyconnect user can't connect. And we got this error message - 

 

Security Warning: Untrusted Server Certificate!

Cannot connect to this gateway. Please choose another gateway and try again.

connection attempt has failed.

If you want to check the error message box, please kindly check the attached photo. 

How to solve this issues? Please kindly guide me and suggest me. This is so important for me. 

issues 1.PNGissues 2.PNGissues 3.PNG

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

is this for all users - as suggested check the certificates?

May be worth checking ASA side logs.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dear balaji.bandi,

all user can't connect anyconnect. how to check ASA side logs. i enable "debug ssl 255" command but result is nothing. 

Certificate check on ASA. 

certificate check.PNG

Could you please guide me to solve this issue?

Best Regards

Aung Ye

@aungyekhant try using "debug webvpn".

Is that trustpoint actually in use? From the CLI run "show run | inc ssl" , look for "ssl trust-point <trustpoint name> <interface name> to determine if that certificate is in use.


Dear @Rob Ingram ,

i configured the certificate and trust point. user credential prompt and then i got this error message. please suggest me.

login fail.PNGnew error message.PNGweb vpn is working.PNG

best regards

aung ye khant

@aungyekhant so does that mean it wasn't using the correct trustpoint (certificate) and you had to change it?

Has the ASA lost a load of the configuration?

It sounds like you need to define "ssl-client" as a vpn-tunnel-protocol. Provide your configuration for review.

 

hello @Rob Ingram ,

which command that i use to take ssl vpn configuration.

please tell me, i want to provide the configuration for review.

Bets Regards
Aung Ye

@aungyekhant all of the configuration, if that's not possible then provide the following

show running-config group-policy
show running-config tunnel-group
show running-config webvpn

Dear @Rob Ingram ,

i would like to provide the following information.

ssl vpn check 1.PNGssl vpn check 2.PNGssl vpn check 3.PNG

if you need any other information, pls let me know, i will provide you.

Best Regards
Aung Ye

@aungyekhant so you are using the tunnel-group "VPN-Client-Tunnel01"? That tunnel has IKEv1 and SSL-client enabled, are you using an IPSec VPN, if so you'd need to permit IKEv2 as a vpn-tunnel-protocol.

If that doesn't work, turn on debugs on the ASA, connect and provide the output. Also run DART from the computer and provide the output for review.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: