Cisco Anyconnect Certificate Error on each login
01-18-2013 02:41 PM
I have a client with a Cisco ASA 5505 running ASA Version 8.4(2) and ASDM version 6.4(5)106.
We are using an SSL VPN on this firewall for a few of the remote clients in the office to dial back in. We recently upgraded their Anyconnect Secure Mobility client image on the firewall and on the client laptops to version 3.1.02026. On the client laptops we have configured the Anyconnect client to have the "Block connections to untrusted servers" check box disabled as in this example screenshot.
Each time the users connect to the VPN remotely they are prompted with the "Security Warning: Untrusted VPN Certificate" error screen where they can choose to Connect Anyway or Cancel the connection. What is missing, however, is the check box to "Always trust this VPN server and import the certificate", so the users get this message each time they connect to their work VPN.
In previous builds of the Anyconnect Secure Mobility Client 3.1 this option was there. I have 3.1.00495 and I have the option to always trust the server. Was it removed?
Examples:
My client version is 3.1.00495 and I have the option.
Clients with 3.1.02026 have this option missing:

02-25-2013 07:11 AM
A customer had the problem, and I found the reason in the AnyConnect 3.1 release notes.
"Client certificates must contain an EKU field. If EKU is missing, then when a user connects to an ASA that requires a client certificate, the checkbox to trust and import the certificate will not display in the AnyConnect dialog for the user to override the error and still connect."
