
Cisco AnyConnect 3.0.08057 certificate validation failure

lastina38
Level 1

Hi,

In order to let you know:

Does someone know if Cisco AnyConnect v3.0.08057 has a bug with certificate authentication?

We have an ASA5520, IOS 8.4.3, and several tunnel-groups available. One of them uses certificate-based authentication.

We are using Cisco AnyConnect v3.0.07059 without any problems with the tunnel-group using certificate-based authentication.

However, with the latest version of Cisco AnyConnect (v3.0.08057) it doesn't work. It seems AnyConnect doesn't find a valid certificate for authentication. That's quite strange tbh.

And as I am under Windows 7, it's not possible to currently know where AnyConnect is really looking for certificates.

Did someone encounter a similar problem?

Thanks.

Marc

25 Replies

Did Cisco say when the next release will be out? And if it will address the strict certificate requirement issue?

No. Cisco did not say anything.

When you first go through the web portal and install AnyConnect, did it download the correct client profile XML? If it hasn't done this then obviously the client won't be configured correctly in future.

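This is the section from our XML, where we match the Company Name:

    <CertificateMatch>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
                <Name>O</Name>
                <Pattern>Company Name</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>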

Are you checking the logs on your client? These are quite chatty, but do help you debug the login process.

This is the output from the system.log file on my mac.

Aug  3 13:05:43 Odeon.local acvpnui[547]: Message type information sent to the user: Ready to connect.

Aug  3 13:05:43 Odeon.local acvpnagent[62]: getting ipv4 route table.

Aug  3 13:05:44 Odeon.local acvpnui[547]: An SSL VPN connection to yourserver.yourdomain.com has been requested by the user.

Aug  3 13:05:44 Odeon.local acvpnagent[62]: Function: ResolveHostname File: Utility/HostLocator.cpp Line: 560 Resolved yourserver.yourdomain.com to 10.10.10.10

Aug  3 13:05:44 Odeon.local acvpnagent[62]: Writing to hosts file:  10.10.10.10    yourserver.yourdomain.com

Aug  3 13:05:44 Odeon.local acvpnui[547]: Message type information sent to the user: Contacting yourserver.yourdomain.com.

Aug  3 13:05:44 Odeon.local Cisco AnyConnect Secure Mobility Client[547]: State: Disconnected

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: resetCertRegistration File: ConnectMgr.cpp Line: 5317 Invoked Function: ConnectMgr :: resetCertRegistration Return Code: 0 (0x00000000) Description:  Match Key: Extended Match Key: Custom Match Key: Distinguished Name Matching:     Wildcard : Disabled    Operator : EqualMatchCase : Enabled     Name : O    Pattern : Company Name 

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 157 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /Users/******/.cisco/certificates/client/ directory was not found.

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 118 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 157 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 118 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getCertList File: ApiCert.cpp Line: 259 Number of certificates found: 1

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: setConnectionData File: ConnectMgr.cpp Line: 1537 Certificate retrieved from preferences: Subject Name: C=GB, O=Company Name, CN=Systems, CN=byronjones Issuer Name : CN=yourserver.yourdomain.com Store : Mac Keychain

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: ResolveHostname File: Utility/HostLocator.cpp Line: 560 Resolved yourserver.yourdomain.com to 10.10.10.10

Aug  3 13:05:44 Odeon.local acvpnui[547]: Initiating VPN connection to the secure gateway https://yourserver.yourdomain.com

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: handleRedirects File: ConnectIfc.cpp Line: 773 Redirecting to: https://yourserver.yourdomain.com/+webvpn+/index.html

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:45 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: setPromptAttributes File: ConnectMgr.cpp Line: 3622 The certificate authority is enabled on the secure gateway.

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: getPreference File: PreferenceInfoBase.cpp Line: 267 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 43

Aug  3 13:05:47 --- last message repeated 2 times ---

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: isSWEnabled File: SDIMgr.cpp Line: 1018 Invoked Function: PreferenceMgr::getPreference Return Code: -30277621 (0xFE32000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration

Aug  3 13:05:47 Odeon.local acvpnui[547]: Function: ProcessPromptData File: SDIMgr.cpp Line: 327 Authentication is not token based (OTP).

Aug  3 13:05:47 Odeon.local acvpnui[547]: Message type prompt sent to the user: Please enter your username and password.

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: userResponse File: ConnectMgr.cpp Line: 1051 Processing user response.

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: PeerCertVerifyCB File: CTransportCurlStatic.cpp Line: 867 Return success from VerifyServerCertificate

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1971 PasswordEntry username is ******

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:50 Odeon.local acvpnui[547]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: send File: ConnectIfc.cpp Line: 1024 Auth Cookie acquired

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: send File: ConnectIfc.cpp Line: 1032 Config Cookie acquired

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: processIfcData File: ConnectMgr.cpp Line: 2524 Authentication succeeded

Aug  3 13:05:52 Odeon.local acvpnui[547]: VPN state: Connecting Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined

Aug  3 13:05:52 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN session...

Aug  3 13:05:52 Odeon.local acvpnui[547]: The profile configured on the secure gateway is: working.xml

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: getUpdateFileContent File: ConnectIfc.cpp Line: 1337 Update file located

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: launchCachedDownloader File: ConnectMgr.cpp Line: 6392 Launching Cached Downloader: path: '/opt/cisco/anyconnect/bin/vpndownloader.app/Contents/MacOS/vpndownloader' cmd:  '"-ipc    gc    -cd"'

Aug  3 13:05:52 Odeon.local Cisco AnyConnect Secure Mobility Client[547]: State: Connecting

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: launchCachedDownloader File: ConnectMgr.cpp Line: 6412 Invoked Function: ConnectMgr :: launchCachedDownloader Return Code: 0 (0x00000000) Description: Successfully launched the cached downloader

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Cisco AnyConnect Secure Mobility Client Downloader started, version 3.0.08057

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element UseStartBeforeLogon

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element AutomaticCertSelection

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element ClearSmartcardPin

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setAttribute File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/HostInitSettings.cpp Line: 349 Invoked Function: setAttribute Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Invalid preference ID or not handling attributes for element RSASecurIDIntegration

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: loadProfiles File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../Api/ProfileMgr.cpp Line: 148 Loaded profiles: /opt/cisco/anyconnect/profile/working.xml

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Current Preference Settings: ServiceDisable: false CertificateStoreOverride: false CertificateStore: User ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true AutoReconnectBehavior: DisconnectOnSuspend AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP:  AutomaticVPNPolicy: false TrustedNetworkPolicy: Disconnect UntrustedNetworkPolicy: Connect TrustedDNSDomains:  TrustedDNSServers:  AlwaysOn: false ConnectFailurePolicy: Closed AllowCaptivePortalRemediation: false CaptivePortalRemediationTimeout: 5 ApplyLastVPNLocalResourceRules: false AllowVPNDisconnect: true EnableScripting: false TerminateScriptOnNextEvent: false EnableAutomaticServerSelection: false AutoServerSelectionImprovement: 20 AutoServerSelectionSuspendTime: 4 AuthenticationTimeout: 12

Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: processDnldrArgsRequest File: ConnectMgr.cpp Line: 11881 Determine proxy: false

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Function: setHostnameAndPort File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../DownloaderArgs.cpp Line: 428 Defaulting to port 443

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Connecting to yourserver.yourdomain.com.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Authorized Server List is not defined in local policy and the default administrative domain incisivemedia.com is specified in global preferences. Treating yourserver.yourdomain.com as authorized.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Software updates from authorized gateway are allowed. Any configured local policy software and VPN profile locks do not apply.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Checking for profile updates...

Aug  3 13:05:52 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for profile updates...

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Skipping update of working.xml because an up-to-date version is already installed.

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Loading preferences for the current user from profile working.xml

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Current Preference Settings: ServiceDisable: false CertificateStoreOverride: false CertificateStore: User ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true AutoReconnectBehavior: DisconnectOnSuspend AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP:  AutomaticVPNPolicy: false TrustedNetworkPolicy: Disconnect UntrustedNetworkPolicy: Connect TrustedDNSDomains:  TrustedDNSServers:  AlwaysOn: false ConnectFailurePolicy: Closed AllowCaptivePortalRemediation: false CaptivePortalRemediationTimeout: 5 ApplyLastVPNLocalResourceRules: false AllowVPNDisconnect: true EnableScripting: false TerminateScriptOnNextEvent: false EnableAutomaticServerSelection: false AutoServerSelectionImprovement: 20 AutoServerSelectionSuspendTime: 4 AuthenticationTimeout: 12

Aug  3 13:05:52 Odeon.local acvpndownloader[10772]: Checking for product updates...

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: InitNSS File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5977 (0xFFFFE8A7) Description: unknown

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: CNSSCertStore File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: addNSSStore File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Function: OpenStores File: /tmp/build/thehoff/DaVinci_MR80.125832499486/DaVinci_MR8/vpn/Downloader/Darwin/../../CommonCrypt/Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Skipping update of AnyConnect Secure Mobility Client 3.0.08057 because an up-to-date version is already installed.

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Checking for customization updates...

Aug  3 13:05:53 Odeon.local acvpndownloader[10772]: Performing any required updates...

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Tunnel initiated by GUI Client.

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Secure Gateway Parameters:  IP Address: 10.10.10.10  Port: 443  URL: "https://yourserver.yourdomain.com:443/CACHE/stc/1/index.html"  Auth method: SSL  Proxy Server: ""

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Initiating Cisco AnyConnect Secure Mobility Client connection, version 3.0.08057

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[62]: The Primary SSL connection to the secure gateway is being established.

Aug  3 13:05:53 Odeon kernel[0]: utun_ctl_connect: creating interface utun0

Aug  3 13:05:53 Odeon.local acvpnagent[62]: Function: postSocketConnectProcessing File: SslTunnelTransport.cpp Line: 1314 Opened SSL socket from 192.168.1.10 to 10.10.10.10

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5977 (0xFFFFE8A7) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 1075 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnagent[10773]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for product updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Downloading  - 100%

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Checking for customization updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Performing any required updates...

Aug  3 13:05:53 Odeon.local acvpnui[547]: VPN state: Connecting Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN session...

Aug  3 13:05:53 Odeon.local acvpnui[547]: Message type information sent to the user: Establishing VPN - Initiating connection...

Aug  3 13:05:53 Odeon.local acvpnagent[62]: A SSL connection has been established using cipher RC4-SHA

Note the lines I've highlighted: you can see from there what certificate matching I'm doing and which certificate matched. You can also see that it's checking my client profile (working.xml) and checks to see if there are any updates from "authorized servers".

Important to note: if you've been changing the names of your client profiles, make sure you remove the old ones from your Profiles directory.
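
As an added example (not part of the original post, and not Cisco code), the script below parses log lines in the format quoted above and pulls out the points the post draws attention to: the DN matching rule, the certificate that was selected, the profile in use, and the certificate-store errors logged along the way even though authentication succeeded. The sample lines are copied from the log above; the function and field names are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the log quoted above (the user name is already masked there).
SAMPLE_LOG = """\
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: resetCertRegistration File: ConnectMgr.cpp Line: 5317 Invoked Function: ConnectMgr :: resetCertRegistration Return Code: 0 (0x00000000) Description:  Match Key: Extended Match Key: Custom Match Key: Distinguished Name Matching:     Wildcard : Disabled    Operator : EqualMatchCase : Enabled     Name : O    Pattern : Company Name
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 157 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: getCertList File: ApiCert.cpp Line: 259 Number of certificates found: 1
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: setConnectionData File: ConnectMgr.cpp Line: 1537 Certificate retrieved from preferences: Subject Name: C=GB, O=Company Name, CN=Systems, CN=byronjones Issuer Name : CN=yourserver.yourdomain.com Store : Mac Keychain
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 394 Invoked Function: NSS_InitReadWrite Return Code: -5925 (0xFFFFE8DB) Description: unknown
Aug  3 13:05:44 Odeon.local acvpnui[547]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391733 (0xFE21000B) Description: CERTSTORE_ERROR_PROVIDER_ERROR
Aug  3 13:05:52 Odeon.local acvpnui[547]: Function: processIfcData File: ConnectMgr.cpp Line: 2524 Authentication succeeded
Aug  3 13:05:52 Odeon.local acvpnui[547]: The profile configured on the secure gateway is: working.xml
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.+?)\[(\d+)\]: (.*)$")
CALL = re.compile(r"Function: (\S+) File: (\S+) Line: (\d+) ?(.*)$")
RESULT = re.compile(r"Invoked Function: (.+?) Return Code: (-?\d+) "
                    r"\((0x[0-9A-Fa-f]{8})\) Description: ?(.*)$")
DN_RULE = re.compile(r"Wildcard : (\w+?)\s+Operator : (\w+?)\s*MatchCase : (\w+)"
                     r"\s+Name : (\S+)\s+Pattern : (.+)")
SELECTED = re.compile(r"Certificate retrieved from preferences: Subject Name: (.+?) "
                      r"Issuer Name : (.+?) Store : (.+)")


def parse_line(line):
    """Split one syslog line into fields; None if it is not a process message."""
    m = SYSLOG.match(line.rstrip())
    if not m:
        return None
    ev = {"time": m[1], "host": m[2], "process": m[3], "pid": int(m[4]),
          "function": None, "invoked": None, "rc": None, "rc_consistent": True,
          "text": m[5].strip()}
    call = CALL.match(m[5])
    if call:
        ev["function"], ev["text"] = call[1], call[4].strip()
        res = RESULT.match(call[4])
        if res:
            ev["invoked"], ev["rc"], ev["text"] = res[1], int(res[2]), res[4].strip()
            # The hex form is the same value read as an unsigned 32-bit number.
            ev["rc_consistent"] = (ev["rc"] & 0xFFFFFFFF) == int(res[3], 16)
    return ev


def summarize(log_text):
    """Collect the facts a certificate-selection review needs from a client log."""
    out = {"dn_rule": None, "certs_found": None, "selected": None, "profile": None,
           "authenticated": False, "errors": Counter(), "rc_mismatches": 0}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        text = ev["text"]
        out["rc_mismatches"] += not ev["rc_consistent"]
        if ev["rc"]:  # non-zero return code: count by callee and error symbol
            out["errors"][(ev["invoked"], (text.split() or ["unknown"])[0])] += 1
        if (m := DN_RULE.search(text)):
            out["dn_rule"] = dict(zip(
                ("wildcard", "operator", "match_case", "name", "pattern"), m.groups()))
        elif (m := SELECTED.search(text)):
            out["selected"] = dict(zip(("subject", "issuer", "store"), m.groups()))
        elif (m := re.search(r"Number of certificates found: (\d+)", text)):
            out["certs_found"] = int(m[1])
        elif (m := re.search(r"profile configured on the secure gateway is: (\S+)", text)):
            out["profile"] = m[1]
        elif "Authentication succeeded" in text:
            out["authenticated"] = True
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
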

With AnyConnect version 3.1.495 it worked for me after updating the certificate matching in the profile. Selected Key Usage: Digital_Signature and EKU: ClientAuth. I also have a DN match configured. This got rid of the dreaded "Certificate Validation Failure" when the client tries to connect.

Cisco please add a "test" button to the Profile Editor.
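
A sketch of the kind of "test" check asked for above, as an added example that is not part of the original post and not Cisco's code: it reads the match criteria from a profile fragment and reports, for each candidate certificate, which criterion excludes it. The fragment, the three certificates and the function names are constructed, and treating every listed criterion as mandatory is a simplifying assumption about the client's behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the criteria named in the post (Key Usage Digital_Signature,
# EKU ClientAuth) plus a DN rule; O / "Company Name" are sample values.
PROFILE_FRAGMENT = """
<CertificateMatch>
  <KeyUsage><MatchKey>Digital_Signature</MatchKey></KeyUsage>
  <ExtendedKeyUsage><ExtendedMatchKey>ClientAuth</ExtendedMatchKey></ExtendedKeyUsage>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>O</Name>
      <Pattern>Company Name</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
"""

# Constructed candidates: attributes as they would be read from each certificate.
CANDIDATES = {
    "vpn-user": {"subject": [("C", "GB"), ("O", "Company Name"), ("CN", "jdoe")],
                 "key_usage": {"Digital_Signature", "Key_Encipherment"},
                 "eku": {"ClientAuth"}},
    "web-server": {"subject": [("O", "Company Name"), ("CN", "intranet")],
                   "key_usage": {"Digital_Signature", "Key_Encipherment"},
                   "eku": {"ServerAuth"}},
    "other-org": {"subject": [("O", "company name"), ("CN", "jdoe")],
                  "key_usage": {"Digital_Signature"},
                  "eku": {"ClientAuth"}},
}


def load_criteria(xml_text):
    """Read Key Usage, EKU and DN rules out of a CertificateMatch element."""
    root = ET.fromstring(xml_text.strip())
    dn_rules = [{"name": d.findtext("Name").strip(),
                 "pattern": d.findtext("Pattern").strip(),
                 "operator": d.attrib["Operator"],
                 "wildcard": d.attrib["Wildcard"] == "Enabled",
                 "match_case": d.attrib["MatchCase"] == "Enabled"}
                for d in root.iter("DistinguishedNameDefinition")]
    return {"key_usage": [e.text.strip() for e in root.iter("MatchKey")],
            "eku": [e.text.strip() for e in root.iter("ExtendedMatchKey")],
            "dn": dn_rules}


def dn_rule_holds(rule, subject):
    """Apply one DN rule to a subject given as (attribute, value) pairs."""
    fold = (lambda s: s) if rule["match_case"] else str.lower
    pattern = fold(rule["pattern"])
    values = [fold(v) for name, v in subject if name == rule["name"]]
    if rule["wildcard"]:
        hit = any(pattern in v for v in values)   # pattern may sit anywhere in the value
    else:
        hit = pattern in values                   # whole value must equal the pattern
    return hit if rule["operator"] == "Equal" else not hit


def evaluate(cert, criteria):
    """Return the criteria this certificate fails; an empty list means it qualifies.

    Assumption of this model: every listed criterion must be satisfied.
    """
    failed = [f"KeyUsage:{k}" for k in criteria["key_usage"] if k not in cert["key_usage"]]
    failed += [f"ExtendedKeyUsage:{k}" for k in criteria["eku"] if k not in cert["eku"]]
    failed += [f"DN:{r['name']}" for r in criteria["dn"]
               if not dn_rule_holds(r, cert["subject"])]
    return failed


def report(profile_xml=PROFILE_FRAGMENT, candidates=CANDIDATES):
    criteria = load_criteria(profile_xml)
    return {label: evaluate(cert, criteria) for label, cert in candidates.items()}


if __name__ == "__main__":
    for label, failed in report().items():
        print(label, "qualifies" if not failed else f"excluded by {failed}")
```
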

kjohnston
Level 1

When you add a self-signed cert to the client (I am assuming this only happens on Win7), the non-priv user does not have permission to the c:\programdata\microsoft\crypto\rsa\machinekeys\of the cert. I had to add Authenticated Users with READ permission to this file. Otherwise I had to run the Cisco AnyConnect client AS ADMINISTRATOR. Hope this helps, not a real solution but this appears to be the problem at least for my company. Using client 3.1.01065

This did not work for me using self-signed auto-generated computer certificates, with Windows Server 2012 R2 and Win 7 machines, but it was the only response anywhere that put me on the right track.  I spent weeks trying to get two factor authentication with AD Certificate Services and AD credentials with AnyConnect working until I finally figured out the solution, so I hope this helps someone out.

 

Run the MMC snap in as Administrator, select Certificates, then Machine Account, then Local Computer.

Right click on the auto-generated certificate in Personal and go to All Tasks -> Manage Private Keys

Give the user access to the private key.

AnyConnect will now find the certificate for that user without having to be run as Administrator.

Finally works!!! thank you Jason!  Although when the certificate renews.... I have the same problem as the permissions revert to default. 

Could you please give the solution for Mac OS X? I'm having an issue with the AnyConnect 3.x and 4.x clients on Mac OS X; it keeps showing the error "No valid certificates available for authentication", but there is no error with Cisco AnyConnect 2.5 on the same Mac machine. Do you have any solution for this?

Richard Baker
Level 1

I added this line to my config and my certificate error went away and I was able to connect just fine.

ssl trust-point ASDM_TrustPoint0 outside

Hope this helps,

Rich

kwesiarmah
Level 1

When I got this Cisco certificate validation failure on VPN (Cisco AnyConnect Secure Mobility Client version 3.1.04072), I went into the Control Panel, removed it and reinstalled. Voila.. working like a champ.