Certificate Validation Failure when trying to connect to Cisco AnyConnect VPN

williahk
Level 1

Hi, 

My company uses the Cisco AnyConnect VPN which needs to be connected for me to access most of our internal systems. However, today it stopped working completely and gives me the error message "Certificate Validation Failure."


I'm on Mac OS Catalina. I think this has something to do with the "keychain access" thing. Last night I was having issues downloading and installing something completely unrelated...it was asking me for my keychain password which I've never set or at least don't know what it is. So I was attempting to find out where that's located and if I can reset it. My digging around may have broken something since it seems "keychains" and "certificates" are related. I don't know for sure but I think this is relevant to share because the VPN stopped working this morning right after trying to install that other app.


My company has our own App store. I tried uninstalling the anyconnect app in there, then re-installing. That didn't work. Reading some of these discussion posts and googling the error, everything is very technical and geared toward developers or enterprise users it seems. I'm non-technical working in a line of business, just using this VPN on my laptop for my individual remote access to our systems. 


Please any help would be so appreciated! I can't get anything done until I fix this. Our tech support is so difficult to get in touch with especially during this time, and I'm really unsure if this is a Mac issue, Cisco issue, my company issue...all of which have different hotlines to call. Having spent all day doing that I got just about nowhere. Thank you

8 Replies

Marvin Rhoads
Hall of Fame

From what you describe, there is a 90%+ chance that the problem is local to your computer.

Try browsing to the VPN address using Safari and see if your browser also gives a warning about the certificate. Both remote access SSL VPN and the portal for the service (as seen in the browser) present the same certificate to users.

Hi Marvin, how do I find the "VPN address" to type it into Safari? 

By default the address is in the AnyConnect client GUI. If your organization has overridden that default to put something else in the list then the actual location is still stored in the profile. On MacOS, the profile is stored in /opt/cisco/anyconnect/profile. There will be an xml file there with a section like this:

<ServerList>
    <HostEntry>
        <HostName>(user-friendly name)</HostName>
        <HostAddress>(actual server FQDN or address)</HostAddress>
    </HostEntry>
</ServerList>


Hi Marvin,


I managed to find the address (thank you for your instructions). When putting it into safari it loads for a while and then ultimately fails...but it doesn't give a reason. See the 2 screenshots. 


I tried with Google and Firefox but those browsers failed on "java detection."


[Screenshots attached: Screen Shot 2020-07-13 at 7.06.13 PM.png, Screen Shot 2020-07-13 at 7.08.06 PM.png]

Any thoughts on why it's failing in safari? I changed the settings to allow popups and trust that site. Thank you

We expect the Java download to fail on most systems - that method is out of date and was barely usable even when it was current.

What I was asking about was the site address itself in the browser's address bar - does the certificate show as OK there?

https://cheapsslsecurity.com/blog/how-to-view-ssl-certificate-information-in-safari/

If that shows OK then it is very likely an issue with your user keychain as you mentioned earlier. The keychain is used in at least one and possibly two ways in OS X when connecting to an SSL VPN:

1. For sure it checks the server certificate to make sure it is valid (not expired and signed by a trusted Certificate Authority or CA). If it's not accepted as valid by your system, that would show up in Safari address bar.

2. Optionally your setup might also be using user or machine certificates for authentication. That is a bit harder to know from what you've described so far. When it was working did you have to enter your username and password or was the username pre-filled for you without option to change it?
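The two checks Marvin describes (reading the server address out of the AnyConnect profile, then looking at the certificate that address presents, and separately seeing whether the user keychain still holds a client identity) can be done from the macOS terminal. The script below is an added example and is not from this thread or from Cisco; it assumes the profile directory Marvin names, uses the stock openssl(1) and security(1) tools, and the host names in its built-in sample profile are placeholders I made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): find the VPN address in an
# AnyConnect profile and check the certificate the gateway presents, from a Mac terminal.
# Profile directory as given in Marvin's reply; override with PROFILE_DIR=... when testing.
PROFILE_DIR="${PROFILE_DIR:-/opt/cisco/anyconnect/profile}"

# Print every <HostAddress> value from the XML profile(s) named as arguments (or from stdin).
# The AnyConnect profile keeps one element per line, so a line-oriented sed is sufficient.
list_host_addresses() {
    sed -n 's#^[[:space:]]*<HostAddress>\(.*\)</HostAddress>.*$#\1#p' "$@"
}

# Constructed sample profile with the ServerList layout shown in the thread.
# The host names are placeholders, not a real deployment.
sample_profile() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
    <ServerList>
        <HostEntry>
            <HostName>Corporate VPN</HostName>
            <HostAddress>vpn.example.com</HostAddress>
        </HostEntry>
        <HostEntry>
            <HostName>Backup gateway</HostName>
            <HostAddress>vpn2.example.com</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
EOF
}

# Fetch the certificate the gateway presents on its HTTPS port (the same one the VPN
# client sees, as Marvin notes) and print subject, issuer and validity dates.
# Returns 0 only when the connection succeeds AND OpenSSL's trust store accepts the chain.
check_server_cert() {
    host="$1"; port="${2:-443}"
    # -servername sends SNI so a front end serving several names returns the right certificate.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
    # s_client ends its report with "Verify return code: 0 (ok)" when the chain validates.
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# For the second way the keychain is used (client certificate authentication): list the
# identities in the user's keychains that are currently valid for the ssl-client policy.
list_client_identities() {
    command -v security >/dev/null 2>&1 || { echo "security(1) not found (not macOS?)"; return 0; }
    security find-identity -v -p ssl-client
}

# Usage: run on the affected Mac. The loop is skipped when the profile directory is absent.
if [ -d "$PROFILE_DIR" ]; then
    for host in $(list_host_addresses "$PROFILE_DIR"/*.xml); do
        echo "== $host"
        check_server_cert "$host" || echo "   certificate problem reported for $host"
    done
    list_client_identities
fi
```

Two caveats when reading the output. The openssl binary shipped with macOS validates against its own bundled trust store, not the keychain, so its verify result can differ from what Safari or AnyConnect decide; to check the downloaded leaf certificate against the keychain's trust settings instead, save it to a file and run security verify-cert -c that-file.pem. And if the company uses certificate authentication (Marvin's second option) and find-identity reports no valid identity for ssl-client, the client-side identity is what went missing, which is the situation Marvin says only the company's support can recover by re-enrolling the machine or user.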

I see. I clicked on the lock and believe it is "trusted" based on what I see


The user name and password were always filled in for me. I may have entered them originally. But day to day I would just click "connect" and it would connect without issue. Also, yes the GUI is different for my company


So it appears the second option is what they were doing - using your local certificate.

Unfortunately it will have to be fixed by their tech support to recover you from that situation.