Showing results for 
Search instead for 
Did you mean: 

FlexVPN AnyConnect-EAP: the certificate on the secure gateway is invalid

I did configuration FlexVPN AnyConnect-Eap as following guide:

FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP

I did configuration on 3 routers ASR 1001 IOS XE 3.16S.

I enable BypassDownloader  and Disable Captive Portal Detection on the Profile and AnyConnectLocalPolicy.xml. But when i try to connect Anyconnect  Secure Mobility Client, Router 1 okie, but Router 2 and Router 3 has problem: "The certificate on the secured gateway is invalid. A VPN connection will not be established"

I debuged on 2 routers and the configuration not problem but the client tried to connect to the router through http and https ( router 1 not see that)

 4534 97.712816 TCP 66 [TCP Out-Of-Order] 50548 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1


Any help would be appreciated.




2 Replies 2

The FlexVPN server needs to authenticate itself against the clients, so you are getting invalid certificate errors I'd look there.
I assume the routers have a valid identity certificate and root certificate authenticated and enrolled?
What is the output of "show crypto pki certificates" on the router it does not work on?

Hi RJI, Thanks for reply,
I used my colleague account for this discussion. This is my account
So all router I did the command as you said, I created CA server on my router and the trustpoint, I do command crypto pki authentication trustpoint and crypto pki enrol trustpoint. It's ok, I think that my CA server and trustpoint has problem so, i do it again, and again.I think no problem with CA beacause you can see i IKEv2 debug file, it passed, after IKEv2 done, the client try to connect to https and http to the router, the same case I choose enable Captive Portal Detection in the profile. I guessed i had problem with multi profile and anyconnect policy in the client not effect. But I test on the mobile and another PC, it's still there

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: