No valid certificates available for authentication

arpit (Beginner)

I installed AnyConnect. When I log in I get these two errors.


Rahul Govindan (Advocate)

Are you using any features like Always On or Trusted network detection with Anyconnect? This would require you to have trusted certificate on the ASA. Can you share what the Connection profile and Client XML profile settings are on the ASA?

And I believe the "no valid certificate" error is usually seen when you have set it to client certificate authentication. I have seen this pop up as a warning even during an AAA-only connection if you have one other tunnel-group set to cert auth.

It's installed on a Windows Server 2016 hosted on AWS. I made no changes, just a clean install. It runs fine on my Windows 7 machine.

It seemed to me that there are no certificates for AnyConnect, so I exported one from my machine and installed it here on the server. Didn't work. Please help.

Are you using client certificate based authentication on the ASA? When you exported the certificate from your Windows 7 machine and re-imported it, did you export the private key along with the certificate?

I am not sure if I imported the private key along with it. Any help on how I can do that?

Any idea how to resolve the issue?

Hello @arpit

Can you share the DART file for AnyConnect in order to verify what happens when it tries to check the certificate on the machine?

https://supportforums.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025

HTH

Gio

Hi Rahul, can you please elaborate on what you mean by client profile and how to import it?

Chris Ingram (Beginner)

This seemed like an odd issue, to me.  I have a user that is getting this exact same error but this tunnel group on this ASA is not even configured for certificate authentication.  I'm pasting the user's message below because the user provided log messages for the failures.  I'm going to request the successful attempt logs, too.  I wouldn't have believed this if I didn't see the URL myself.  However, after reading the posts above I decided to look at the DAP and found that always on is enabled on every policy in the DAPs.  Now I'm wondering if that is the culprit.

I seem to have difficulty connecting to the VPN and get the error that "No valid certificates available for authentication." This isn't the first time I've had this issue, but it was the first time it took so long to get it to finally connect.
 
Here is the log from my trying yesterday morning. I'm not sure what eventually made it work, but it did. Is there something I am doing wrong? It took me 20 minutes before I was able to get connected. Unfortunately I didn't go back and add the log messages from the successful connection.
 
10/25/2017
 6:12:14 AM Ready to connect.
 6:13:57 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:14:57 AM Connection attempt has failed.
 6:14:58 AM No valid certificates available for authentication.
 6:14:58 AM Connection attempt has failed.
 
 6:15:14 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:16:14 AM Connection attempt has failed.
 6:16:15 AM No valid certificates available for authentication.
 6:16:15 AM Connection attempt has failed.
 
 6:16:40 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:17:40 AM Connection attempt has failed.
 6:17:41 AM No valid certificates available for authentication.
 6:17:41 AM Connection attempt has failed.
 
 6:17:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:18:49 AM Connection attempt has failed.
 6:18:50 AM No valid certificates available for authentication.
 6:18:50 AM Connection attempt has failed.
 
 6:19:07 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:20:07 AM Connection attempt has failed.
 6:20:08 AM No valid certificates available for authentication.
 6:20:08 AM Connection attempt has failed.
 
REBOOT
 
10/25/2017
 6:24:46 AM Ready to connect.
 6:28:02 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:29:02 AM Connection attempt has failed.
 6:29:03 AM No valid certificates available for authentication.
 6:29:03 AM Connection attempt has failed.
 
 6:30:04 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:31:04 AM Connection attempt has failed.
 6:31:05 AM No valid certificates available for authentication.
 6:31:05 AM Connection attempt has failed.
 
 6:31:49 AM Contacting [URL ENABLED FOR ANYCONNECT ON ASA].
 6:32:19 AM User credentials entered.
 6:32:19 AM Establishing VPN session...
 6:33:10 AM Connection attempt has failed.
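The pattern in the quoted log can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it parses AnyConnect client event-log lines in the format quoted above (the sample embedded in it is constructed, modelled on that log, with vpn.example.com standing in for the redacted gateway), groups the lines into connection attempts, and reports per attempt whether the certificate error appeared, how many seconds after "Contacting" the first failure was logged, whether the attempt got as far as a credential prompt, and whether it happened after the reboot.

```python
"""Summarise AnyConnect client event-log lines by connection attempt."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample, modelled on the client log quoted in the thread.
# vpn.example.com is a placeholder for the redacted gateway name.
SAMPLE_LOG = """10/25/2017
 6:12:14 AM Ready to connect.
 6:13:57 AM Contacting vpn.example.com.
 6:14:57 AM Connection attempt has failed.
 6:14:58 AM No valid certificates available for authentication.
 6:14:58 AM Connection attempt has failed.

 6:15:14 AM Contacting vpn.example.com.
 6:16:14 AM Connection attempt has failed.
 6:16:15 AM No valid certificates available for authentication.
 6:16:15 AM Connection attempt has failed.

REBOOT

10/25/2017
 6:31:49 AM Contacting vpn.example.com.
 6:32:19 AM User credentials entered.
 6:32:19 AM Establishing VPN session...
 6:33:10 AM Connection attempt has failed.
"""

DATE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4})$")
EVENT_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M)\s+(.*?)$")
CERT_ERROR = "No valid certificates available for authentication."
FAILED = "Connection attempt has failed."
CREDENTIALS = "User credentials entered."


@dataclass
class Attempt:
    """One connection attempt: starts at a 'Contacting ...' line."""
    started: datetime
    gateway: str
    after_reboot: bool
    events: List[Tuple[datetime, str]] = field(default_factory=list)

    @property
    def cert_error(self) -> bool:
        return any(msg == CERT_ERROR for _, msg in self.events)

    @property
    def reached_credentials(self) -> bool:
        return any(msg == CREDENTIALS for _, msg in self.events)

    @property
    def seconds_to_first_failure(self) -> Optional[float]:
        """Seconds between 'Contacting' and the first failure, if any."""
        for ts, msg in self.events:
            if msg == FAILED:
                return (ts - self.started).total_seconds()
        return None


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group timestamped client-log lines into Attempt objects."""
    attempts: List[Attempt] = []
    current_date: Optional[str] = None
    rebooted = False
    current: Optional[Attempt] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "REBOOT":            # marker the user inserted by hand
            rebooted = True
            current = None
            continue
        m = DATE_RE.match(line)
        if m:                           # a bare date line starts a new day
            current_date = m.group(1)
            continue
        m = EVENT_RE.match(line)
        if not m or current_date is None:
            continue                    # not a timestamped event; skip it
        ts = datetime.strptime(f"{current_date} {m.group(1)}",
                               "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        if msg.startswith("Contacting "):
            gateway = msg[len("Contacting "):].rstrip(".")
            current = Attempt(ts, gateway, rebooted)
            attempts.append(current)
        elif current is not None:
            current.events.append((ts, msg))
    return attempts


def summarize(attempts: List[Attempt]) -> dict:
    """Aggregate figures a reviewer would want before opening the DART bundle."""
    cert_failures = [a for a in attempts if a.cert_error]
    return {
        "attempts": len(attempts),
        "cert_error_attempts": len(cert_failures),
        "cert_error_seconds_to_failure": [a.seconds_to_first_failure
                                          for a in cert_failures],
        "attempts_reaching_credentials": sum(a.reached_credentials
                                             for a in attempts),
    }


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a.started.time(), a.gateway, "cert_error" if a.cert_error else "ok",
              a.seconds_to_first_failure, "reboot" if a.after_reboot else "")
    print(summarize(parse_attempts(SAMPLE_LOG)))
```

In the log quoted above, every attempt that ends in the certificate error logs its first "Connection attempt has failed." exactly 60 seconds after "Contacting", while the attempt that got as far as the credential prompt took longer to fail. A gap that regular points at a timeout on the exchange with the gateway rather than an immediate rejection, which is a useful thing to know before reading the DART bundle and correlating it with the ASA side.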

Hello Chris,

Did you find a solution to your issue? We are in the same boat. No certificate authentication enabled, but we still get this error.

I see in the error log that the client is submitting a certificate, and the ASA reports "Certificate validation failed. No suitable trustpoints found to validate certificate serial number"... with the serial number of a certificate in the client machine (self-signed, and self-selected - that is, we did not specify which one to use).

I have seen a page that mentioned that certificate validation is mandatory (?!), and I wonder if it is being used in *addition* to whatever you use for authentication. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html#anc9

Thank you,

Pablo
