12-25-2023 02:40 PM
I suddenly lost the ability to use AnyConnect VPN at Oregon State University when I upgraded from Debian 11 to Debian 12. After entering my login credentials and the Duo Mobile code from the university's MFA, I get a Cisco AnyConnect banner asking me to Accept. Clicking on that results in the messages: AnyConnect was not able to establish a connection to the specified secure gateway ... The certificate on the secure gateway is invalid. A VPN connection will not be established. I can connect to the VPN as root.
I posted the syslog from an unsuccessful connection attempt on the Debian user forums here, under 2023-12-23. It suggests a certificate error, like those talked about here. I tried the solutions suggested there, without success, but that could be because I don't really understand how to edit /opt/cisco/anyconnect/profile/AnyConnectProfile.xsd.
Information Services at OSU has so far not been able to help.
01-05-2024 11:35 AM
Thank you very much for the response, and for pointing me to the Fedora thread, where I found a solution: in the file /opt/cisco/anyconnect/AnyConnectLocalPolicy.xml, in the line <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>, replace false by true. That change finally allows me to connect to the VPN on Debian 12 without root privileges.
I'm not sure why this works, but I think it has something to do with giving the user access to the two *.pem files in /opt/.cisco/certificates/ca. From this Cisco documentation: OCSP is used to verify the entire certificate chain and only works with PEM File Certificate Store (by setting Exclude Firefox NSS Cert Store to True).
I don't know what changed between Debian 11 and 12 to make this tweak necessary. For the record, I upgraded to Debian 12; I did not do a clean install. And the AnyConnect installation script provided by the university requires root privileges.
Thanks again.
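The following is an added diagnostic script that is not part of the thread and not Cisco's code. It reads the local policy file named in the accepted answer, reports the current ExcludeFirefoxNSSCertStore value, can write the thread's fix (false to true) with a minimal text substitution that leaves the rest of the file untouched, and checks whether the invoking (non-root) user can actually read the PEM CA files the client falls back to. The two paths are taken from the thread as written; the sample XML used when the real file is absent is constructed for illustration, and the element match ignores any XML namespace Cisco's file may declare, since that is an assumption rather than something the thread states.

```python
"""Added example (not Cisco's code): check and optionally apply the
ExcludeFirefoxNSSCertStore fix from the thread, and verify PEM readability."""
import glob
import os
import re
import sys
import xml.etree.ElementTree as ET

# Paths exactly as named in the thread.
LOCAL_POLICY = "/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml"
CA_DIR = "/opt/.cisco/certificates/ca"

# Constructed sample used only when the real policy file is not present.
SAMPLE_POLICY = (
    '<AnyConnectLocalPolicy xmlns="http://example.invalid/constructed-ns">'
    "<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>"
    "</AnyConnectLocalPolicy>"
)

_ELEMENT = "ExcludeFirefoxNSSCertStore"
_PATTERN = re.compile(r"(<%s>)\s*(true|false)\s*(</%s>)" % (_ELEMENT, _ELEMENT),
                      re.IGNORECASE)


def _local_name(tag):
    """Strip a '{namespace}' prefix so the lookup works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def exclude_nss_setting(xml_text):
    """Return True/False for <ExcludeFirefoxNSSCertStore>, or None if absent."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local_name(element.tag) == _ELEMENT:
            return (element.text or "").strip().lower() == "true"
    return None


def set_exclude_nss(xml_text, value=True):
    """Return xml_text with the element set to value (the thread's fix is True).

    A targeted substitution is used instead of re-serialising the tree so that
    comments, namespace prefixes and formatting elsewhere in the file survive.
    """
    new = "true" if value else "false"
    return _PATTERN.sub(lambda m: m.group(1) + new + m.group(3), xml_text, count=1)


def readable_pems(directory):
    """List (path, readable_by_current_user) for every *.pem in directory."""
    if not os.path.isdir(directory):
        return []
    return [(p, os.access(p, os.R_OK))
            for p in sorted(glob.glob(os.path.join(directory, "*.pem")))]


def main(apply_fix=False):
    if os.path.isfile(LOCAL_POLICY):
        with open(LOCAL_POLICY, encoding="utf-8") as fh:
            text = fh.read()
        source = LOCAL_POLICY
    else:
        text, source = SAMPLE_POLICY, "constructed sample (policy file not found)"
    current = exclude_nss_setting(text)
    print("policy source:", source)
    print("ExcludeFirefoxNSSCertStore:", current)
    if apply_fix and current is False and source == LOCAL_POLICY:
        # Writing to /opt normally needs root; run with sudo for this step only.
        with open(LOCAL_POLICY, "w", encoding="utf-8") as fh:
            fh.write(set_exclude_nss(text, True))
        print("set ExcludeFirefoxNSSCertStore to true in", LOCAL_POLICY)
    pems = readable_pems(CA_DIR)
    if not pems:
        print("no *.pem files found under", CA_DIR)
    for path, ok in pems:
        print("%s %s" % ("readable  " if ok else "UNREADABLE", path))


if __name__ == "__main__":
    main(apply_fix="--apply" in sys.argv[1:])
```

Run it first without arguments as the ordinary user to see the current setting and whether the CA PEM files are readable; an UNREADABLE line points at the permissions problem the responder suspected. Re-run with `--apply` under sudo only to make the single-line change from the accepted answer.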
01-04-2024 08:12 PM - edited 01-04-2024 08:18 PM
The client is most likely not launching with proper permissions to read the proper certificate store held within Linux based on prior experiences.
I can say that trying to install a higher version of AnyConnect will not work if the specified head-end package on their Firewall is of a lower version, you'll fail out completely. Additionally, the issue sounds like troubleshooting efforts should reside on the head-end (Firewall) as you've passed the authentication phase of DUO, and getting redirected to the head-end for connection establishment.
I took a look around, and you may be encountering this issue as reported by users when updating to Fedora found here: https://discussion.fedoraproject.org/t/anyconnect/90410.
I know Fedora and Debian are two entirely different distributions and prefer different kernels, but it could be worth looking into. Unfortunately, we need more information from either the Firewall (whoever manages your network at OSU), and debugs or output files might be too sensitive to post here. It is very challenging to troubleshoot from a user perspective. Let me know if the above article could help with any leads. But for now, I am betting it's a permissions issue. Sounds silly to ask, but did you install AnyConnect with elevated privileges? Was your upgrade a fresh clean wipe from Debian 11?
01-05-2024 11:50 AM
No problem. Glad we were able to get it resolved.