Re: No valid certificates available for authentication

arpit · ‎03-09-2017

I installed Anyconnect. When I login I get these two errors.

Rahul Govindan · ‎03-09-2017

Are you using any features like Always On or Trusted network detection with Anyconnect? This would require you to have trusted certificate on the ASA. Can you share what the Connection profile and Client XML profile settings are on the ASA?

And I believe the "no valid certificate" error is usually seen when you have set it do client certificate authentication. I have seen this pop up as a warning even during a AAA only connection if you have one other tunnel-group set to cert auth.

arpit · ‎03-09-2017

It's installed on a Windows Server 2016 hosted on AWS. I did no changes just a clean install. It runs fine on my Windows 7 machine.

It seemed to me that there are no certificates for Anyconnect so I exported one from my machine and installed it here on the server. Didn't work. Please help..

Rahul Govindan · ‎03-16-2017

Are you using client certificate based authentication on the ASA? When you exported the certificate from your Windows 7 machine and re-imported it, did you export the private key along with the certificate?

arpit · ‎03-17-2017

I am not sure if I imported the private key along. Any help how can I do that?

arpit · ‎03-16-2017

Any idea how to resolve the issue?

GioGonza · ‎10-26-2017

Hello @arpit,

Can you share the DART file for AnyConnect in order to verify what happens when it tries to check the certificate on the machine?

https://supportforums.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025

HTH

Gio

atulpal singh · ‎02-04-2019

hi rahul , can you please eloborate what do u mean by client profile and how to import it ?.

Chris Ingram · ‎10-26-2017

This seemed like an odd issue, to me. I have a user that is getting this exact same error but this tunnel group on this ASA is not even configured for certificate authentication. I'm pasting the user's message below because the user provided log messages for the failures. I'm going to request the successful attempt logs, too. I wouldn't have believed this if I didn't see the URL myself. However, after reading the posts above I decided to look at the DAP and found that always on is enabled on every policy in the DAPs. Now I'm wondering if that is the culprit.

I seem to have difficulty connecting to the VPN and get the error that "No valid certificates available for authentication." This isn't the first time I've had this issue, but it was the first time it took so long to get it to finally connect.

Here is the log from my trying yesterday morning. I'm not sure what eventually made it work, but it did. Is there something I am doing wrong? It took me 20 minutes before I was able to get connected. Unfortunately I didn't go back and add the log messages from the successful connection.

10/25/2017

6:12:14 AM Ready to connect.

6:13:57 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:14:57 AM Connection attempt has failed.

6:14:58 AM No valid certificates available for authentication.

6:14:58 AM Connection attempt has failed.

6:15:14 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:16:14 AM Connection attempt has failed.

6:16:15 AM No valid certificates available for authentication.

6:16:15 AM Connection attempt has failed.

6:16:40 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:17:40 AM Connection attempt has failed.

6:17:41 AM No valid certificates available for authentication.

6:17:41 AM Connection attempt has failed.

6:17:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:18:49 AM Connection attempt has failed.

6:18:50 AM No valid certificates available for authentication.

6:18:50 AM Connection attempt has failed.

6:19:07 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:20:07 AM Connection attempt has failed.

6:20:08 AM No valid certificates available for authentication.

6:20:08 AM Connection attempt has failed.

REBOOT

10/25/2017

6:24:46 AM Ready to connect.

6:28:02 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:29:02 AM Connection attempt has failed.

6:29:03 AM No valid certificates available for authentication.

6:29:03 AM Connection attempt has failed.

6:30:04 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:31:04 AM Connection attempt has failed.

6:31:05 AM No valid certificates available for authentication.

6:31:05 AM Connection attempt has failed.

6:31:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].

6:32:19 AM User credentials entered.

6:32:19 AM Establishing VPN session...

6:33:10 AM Connection attempt has failed.

PabloD · ‎12-13-2017

Hello Chris,

Did you find a solution to your issue? We are in the same boat. No certificate authentication enabled, but we still get this error.

I see in the error log that the client is submitting a certificate, and the ASA reports "Certificate validation failed. No suitable trustpoints found to validate certificate serial number"... with the serial number of a certificate in the client machine (self-signed, and self-selected - that is, we did not specify which one to use).

I have seen a page that mentioned that certificate validation is mandatory (?!), and I wonder if it is being used in *addition* to whatever you use for authentication. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc9

Thank you,

Pablo

AnderB · ‎02-06-2023

Buenos dias.

Tengo un problema a la hora de realizar la conexion de cisco anyconnect.

Necesitaria ayuda para poder solucionar este tema.