Cannot confirm it is connected to secure gateway

I've just upgraded to Mac OS High Sierra, and I'm starting to receive the error:

AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.

I'm using version 4.5.02033

5 Replies

redbob_six
Level 1
Updated the certificate / trustpoint on our ASA 5510 with a SHA256 PKCS 'bag' and this solved the issue.

This was helpful:
https://supportforums.cisco.com/t5/security-documents/install-a-pkcs-ssl-certificate-in-asa-using-cli/ta-p/3163832

Using the Apple version 4.5.02033, but this works with multiple older versions of AnyConnect.

Could you please explain the steps (in more detail) which need to be performed to solve the problem? How do I update a trustpoint on an ASA 5510 from a Mac?

Hi Nilorac,

The notes on the link I previously posted are helpful; I just followed those. When you say from a Mac, to be clear I also used a Mac but used the CLI and NOT ASDM. There are possibly multiple ways to achieve this but this is what I did.

Create a base 64 encoded PKCS12 certificate file.

On the ASA 5510:
Confirm what trustpoint certificates already exist on the device:
MAIN_ASA(config)# show crypto ca trustpoints
Expect to see something like this (there could be more than one; the trustpoint name here, bob.net, is just an example):
Trustpoint bob.net:
    Subject Name:
    cn=GlobalSign Organization Validation CA - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: [unique certificate number here]
    Certificate configured.

As a backup, export the current certificate(s) out to a PKCS12 file format:
MAIN_ASA(config)# crypto ca export bob.net pkcs12 {create a long password}
Copy the output to a file and also save the password with it.

Import a new certificate:
MAIN_ASA(config)# crypto ca import bob.net-sha256 pkcs12 printer

Paste the contents of the base 64 encoded PKCS12 file you have already created.
Ensure the contents have a BEGIN and an END statement.
After pasting, on a new line, end with the word "quit".
See below:
-----BEGIN PKCS12-----
MIIGDj****************************************************wFADCB
....
....
....
....
MIIGDj****************************************************wFADCB
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully


Prove the new trustpoint cert has been imported correctly:
MAIN_ASA(config)# show crypto ca trustpoints

Expecting to see both:

Trustpoint bob.net:
    Subject Name:
    cn=GlobalSign Organization Validation CA - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: [unique certificate number here]
    Certificate configured.


Trustpoint bob.net-sha256:
    Subject Name:
    cn=GlobalSign Organization Validation CA - SHA256 - G2
    o=GlobalSign nv-sa
    c=BE
          Serial Number: [unique certificate number here]
    Certificate configured.

I then disabled requests pointing at the OLD certificate as we no longer needed this:
MAIN_ASA(config)# no ssl trust-point bob.net

Point SSL requests at the new certificate:
MAIN_ASA(config)# ssl trust-point bob.net-sha256

Confirm this has worked:
MAIN_ASA(config)# show run | i trust-point

NB: without knowing what setup, version and configuration you have running, I have no control over the impact that repeating the above will have on your device; you do this at your own risk.
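The one step the reply above leaves implicit is "create a base 64 encoded pkcs12 certificate file". The following is an added example, not code from the thread, showing how to do that with the OpenSSL command-line tool, and how to check which signature algorithm a certificate carries, since the reply attributes the fix to replacing the certificate issued under the "G2" CA with one issued under the "SHA256 - G2" CA. The file names, the passphrase and the throwaway self-signed certificate the demo generates are placeholders chosen here; in practice you feed in your real private key, the CA-issued SHA-256 certificate and its chain.

```shell
#!/bin/sh
# Added example (not from the original thread): build the base64 PKCS12 text
# that "crypto ca import <trustpoint> pkcs12 <passphrase>" expects, and check
# a certificate's signature algorithm. Requires the OpenSSL CLI. All file
# names, the passphrase and the demo certificate are placeholders.
set -eu

# Print the first "Signature Algorithm:" line of a PEM certificate, e.g.
# sha256WithRSAEncryption (wanted) or sha1WithRSAEncryption (the old kind).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Package private key + server cert (+ optional PEM chain file) into a PKCS12
# and wrap its base64 in the BEGIN/END markers the ASA paste prompt shows.
#   make_pkcs12_b64 KEY.pem CERT.pem PASSPHRASE OUT.txt [CHAIN.pem]
# The same passphrase goes on the ASA "crypto ca import" line.
make_pkcs12_b64() {
  key=$1; cert=$2; pass=$3; out=$4; chain=${5:-}
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
      -passout "pass:$pass" -out "$out.p12"
  else
    openssl pkcs12 -export -inkey "$key" -in "$cert" \
      -passout "pass:$pass" -out "$out.p12"
  fi
  {
    echo '-----BEGIN PKCS12-----'
    openssl base64 -in "$out.p12"
    echo '-----END PKCS12-----'
  } > "$out"
}

# Decode the wrapped text again and let OpenSSL verify the PKCS12 MAC with
# the passphrase, so the paste is known to be intact before it goes to the ASA.
# Returns non-zero on a corrupted bundle or a wrong passphrase.
verify_pkcs12_b64() {
  sed '/^-----/d' "$1" | openssl base64 -d | openssl pkcs12 -noout -passin "pass:$2"
}

# Constructed demo material: a throwaway self-signed RSA key + SHA-256 cert
# standing in for the real key and CA-issued certificate. Prints the directory.
demo_material() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=vpn.example.test' -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  echo "$d"
}

# Stand-alone run ("sh this.sh demo"): build, verify, report the algorithm.
if [ "${1:-}" = "demo" ]; then
  D=$(demo_material)
  make_pkcs12_b64 "$D/key.pem" "$D/cert.pem" 'Use-A-Long-Passphrase' "$D/bundle.txt"
  verify_pkcs12_b64 "$D/bundle.txt" 'Use-A-Long-Passphrase'
  echo "certificate signature: $(cert_sig_alg "$D/cert.pem")"
  echo "paste $D/bundle.txt into: crypto ca import <trustpoint> pkcs12 Use-A-Long-Passphrase"
fi
```

To check what a gateway is actually serving before and after the change, the same `cert_sig_alg` logic can be pointed at a live connection: `openssl s_client -connect vpn.example.test:443 -showcerts </dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'` (hostname assumed). The passphrase on the `crypto ca import` line is the PKCS12 export passphrase, so treat it and the bundle file as secrets and delete both from the workstation once the import has succeeded.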

HolgerHelmut
Level 1

AnyConnect 4.5 stopped working ever since I upgraded to High Sierra 10.13.4 today. It gives me the "AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network." message.

It worked before the upgrade and works on a laptop that has Sierra 10.13.3 on it. Any ideas?

I have the same issue; I wish I hadn't updated now, because I can't find an easy solution.  Importing a certificate would be easy enough with the instructions above, except the part where it says to create a new base64 certificate.  I think it would be easier just to buy one from namecheap, unless the OP can show where he created the new cert for us maybe?