Cisco anyconnect V 3.1.00495 Ubuntu

klauskraner · ‎08-28-2012

Hello,

we have a problem with the anyconnect Client on linux ubuntu. When we try to connect we get the message:

No valid certificates available for authentication

We did an upgrade from the old 2.5.x version - first the connection works, the upgrade works but then the connection closes and the don't get a connection anymore with the new version. Just the message "No valid certificates available for authentication".

We use Firefox as certstore on ubuntu, the certificate is imported into the browser store.

Any ideas?

Thx.

Klaus

Marcin Latosiewicz · ‎08-28-2012

Klaus,

32 or 64 bit Linux? Is the Firefox 64 bit ot 32 bit build?

M.

klauskraner · ‎08-28-2012

Hi,

it does not matter.

It seems that the Cisco packages are still in "development" status. The problem is, that the former packages have a security leak and the new ones are buggy.

Something I found yesterday:

http://www.codemarvels.com/2012/05/override-certificate-error-in-cisco-anyconnect-client-on-ubuntu-12-04-64-bit/

I now just have to change the package on the ASA to verify that I really can connect. I will inform the community.

Thx.

Klaus

klauskraner · ‎09-03-2012

Hi,

the client 3.1.00495 works with this solution on a 32Bit system.

The combination of 64bit client and ubuntu 12.04 64 bit does not work. Anybody an idea?

Kind Regards

Klaus

shikhsha · ‎09-03-2012

Hi Klaus,

Please let me know if you are using certificate based authentication or not. The newer versions of anyconnect require certain fields in the certificate. For eg the EKU field. For more reference please check the following:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1043433

Also let me know if a trusted third party cert is binded to your outside interface or not.

You also mentioned that you were not facing this issue with older anyconnect client. Can you tell me the version of anyconnect client that was working fine?

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team

Marcin Latosiewicz · ‎09-03-2012

Klaus,

Unfortunately,

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub29235

Marcin

klauskraner · ‎09-03-2012

Hello,

thank you for the bad news ;-)

Dou you know wheter there is a plan for fixing the bug? The older versions have a known security issue and the new one is buggy - that's not really great.

Did anybody try it with an official certificate - does it work then?

Thank you.

Kind regards

Klaus

shikhsha · ‎09-04-2012

Hi Klaus,

Which bug are you referring to? If you are talking about the support for linux 64 bit is concerned, then it is not a bug but an enhancement request which is filed. Dev are still working on it but currently we do not have any ETA.

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team

klauskraner · ‎09-04-2012

Hello,

I am a little bit confused - as 64bit already worked in former versions and now it's not working, in my opinion it's not really an enhancement. For us it is necessary that our VPN solution also works on 64bit clients as a lot of my colleagues use it. For them the only option at the moment is to use an old version with security risks or to use openvpn clients.

And for us it's a fact that we bought a licence for 10 concurrent users for VPN on the ASA and for several colleagues it's not working at the moment.

Anyway, thank you for your help, we are looking forward to the new 64bit version.

Thank you.

Kind regards

Klaus