Fix Cisco AnyConnect Certificate Validation Failure Problem

This problem occurs with the Cisco AnyConnect VPN client on Windows, macOS and Linux. In business settings the client is commonly used to connect computers to a private corporate network over a secure tunnel, which is one more reason to want a quick fix. Anything can go wrong at any time, and this software is no exception. Employees who need help with their VPN often have no direct line to a network professional and are left to fend for themselves; those are the occasions we aim to help with. This guide walks through the "VPN certificate validation failure" error.

1. Go through standard troubleshooting steps

Before starting a longer series of possibly unnecessary steps, rule out a transient glitch, a client bug or an outage: work through steps 1 to 6 of the "VPN connection failed" guide (the fix guide for "The Request was aborted"). If the error persists, continue here.

2. Double-check the VPN client profile

Check that the hostname and host address in the client profile are still valid. Even if you have not changed anything on the server or the client, your network administrator may have, for example by moving the head-end to a new FQDN. We use the AnyConnect client profile on macOS to illustrate:

In the /opt/cisco/anyconnect/profile folder, open the .xml profile file (on Windows the profiles live under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile).

Verify that the HostName and HostAddress values are still accurate. HostAddress is also the name the client checks against the server certificate, so it should match a DNS name in that certificate's Subject Alternative Name; connecting by IP address to a certificate issued for a hostname produces a name-mismatch certificate error:

<ServerList>
    <HostEntry>
        <HostName>Display name for the VPN</HostName>
        <HostAddress>FQDN (fully qualified domain name) or IP address of the server</HostAddress>
    </HostEntry>
</ServerList>

3. Has the SSL/TLS certificate expired?

An expired SSL/TLS certificate on the head-end is the most common cause of the "VPN certificate validation failure" error. Before September 2020, publicly trusted TLS certificates could be issued for up to 825 days (about 27 months); since then the maximum is 398 days (about 13 months), so a certificate that was fine two years ago may have lapsed. We use the ASDM client to show how to check the expiry date of SSL/TLS certificates on the ASA:

  • Start ASDM. In this example we use the Windows version of Cisco ASDM connected to the ASA.
  • Open the Configuration tab in the top-left corner.
  • Under Device Management, expand Certificate Management.
  • Select CA Certificates for the issuing chain. Note that the certificate the ASA actually presents to AnyConnect clients is listed under Identity Certificates; check that one as well, since either an expired identity certificate or an expired intermediate in the chain makes validation fail.
  • On the right-hand side, select the certificate and click Show Details.
  • On the General tab, check the dates under Valid From and Valid To.
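The profile check in section 2 and the certificate checks in section 3 can be automated. The following is an added example, not Cisco's code or tooling: it reads the ServerList of an AnyConnect profile, validates each HostAddress, and then checks a server certificate for the three things that produce "VPN certificate validation failure" (expired, issued for longer than the 398-day limit, or not covering the HostAddress). The certificate is represented in the dict shape Python's ssl.SSLSocket.getpeercert() returns, so the same functions apply to a live connection; the profile, the host names (vpn.example.com, "Corp VPN", "Legacy VPN") and the certificate below are constructed for the example.

```python
"""Offline checks for an AnyConnect client profile and the head-end's TLS certificate."""
from __future__ import annotations

import ipaddress
import re
import ssl
import time
import xml.etree.ElementTree as ET

MAX_VALIDITY_DAYS = 398  # CA/Browser Forum limit for public TLS certificates since Sept 2020

# Constructed sample profile with the layout of the files under /opt/cisco/anyconnect/profile/.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Legacy VPN</HostName>
      <HostAddress>vpn old.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed server certificate in the dict shape ssl.SSLSocket.getpeercert() returns;
# it is expired and was issued for two years, so both date checks below fire on it.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def is_ip(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def is_valid_host_address(addr: str) -> bool:
    """True if addr is an IP address or a syntactically valid FQDN."""
    if is_ip(addr):
        return True
    labels = addr.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)

def host_entries(profile_xml: str) -> list[tuple[str, str]]:
    """(HostName, HostAddress) pairs from <ServerList>, ignoring the XML namespace."""
    entries = []
    for elem in ET.fromstring(profile_xml).iter():
        if elem.tag.split("}")[-1] == "HostEntry":
            fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
            entries.append((fields.get("HostName", ""), fields.get("HostAddress", "")))
    return entries

def cert_names(cert: dict) -> list[str]:
    """DNS names the certificate covers: SAN entries, or the CN only when there is no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style: exact match, or a wildcard covering exactly one leading label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h, p = hostname.split("."), pattern.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return hostname == pattern

def check_certificate(cert: dict, hostname: str, now: float | None = None) -> list[str]:
    """Problems that make a client reject cert for hostname; an empty list means it passes."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if now > not_after:
        problems.append(f"expired on {cert['notAfter']}")
    validity_days = (not_after - not_before) / 86400
    if validity_days > MAX_VALIDITY_DAYS:
        problems.append(f"validity period {validity_days:.0f} days exceeds {MAX_VALIDITY_DAYS}")
    if is_ip(hostname):
        if hostname not in [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]:
            problems.append(f"IP address {hostname} is not in the certificate SAN")
    elif not any(name_matches(hostname, n) for n in cert_names(cert)):
        problems.append(f"hostname {hostname} is not covered by {cert_names(cert)}")
    return problems

def audit_profile(profile_xml: str, cert: dict, now: float | None = None) -> dict[str, list[str]]:
    """For each HostEntry, the problems found in the entry itself and in the certificate."""
    return {
        name: check_certificate(cert, addr, now) if is_valid_host_address(addr)
        else [f"HostAddress {addr!r} is not a valid FQDN or IP address"]
        for name, addr in host_entries(profile_xml)
    }

if __name__ == "__main__":
    for name, problems in audit_profile(SAMPLE_PROFILE, SAMPLE_CERT).items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```

Against a live head-end, getpeercert() from a verifying ssl context returns the same dict shape, but only when verification succeeds. Since failed verification is exactly the symptom here, fetch the PEM with ssl.get_server_certificate((host, 443)) instead and read the dates and SAN with openssl x509 -noout -dates -ext subjectAltName; the name and date logic above is unchanged.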

4. Install a new SSL or TLS certificate

If the certificate has expired, the fix is to install the renewed certificate together with its CA chain. Proceed as follows:

Follow steps 1 to 4 of the previous section to reach the CA Certificates pane.

  • Obtain the renewed identity certificate and the CA chain from your certificate authority before removing anything; if you delete the certificate the SSL VPN is currently using, sessions fail until the replacement is in place.
  • Tip: to illustrate, we use the DigiCert CA chain certificates available at www.digicert.com/digicert-root-certificates.htm: DigiCert High Assurance EV Root CA and DigiCert SHA2 High Assurance Server CA.
  • Select any expired certificate and click Delete.
  • Back in the CA Certificates pane, click Add once the files are downloaded.
  • In the Install Certificate window, select "Install from a file".
  • Click Browse..., pick the certificate file, and click Install Certificate.
  • At the Preview CLI Commands screen, click Send to push the configuration to the ASA.
  • Repeat the Add and Install steps for the other certificate in the chain. If you installed a new identity certificate, point the SSL VPN at it afterwards (Configuration > Device Management > Advanced > SSL Settings in ASDM, or ssl trust-point <trustpoint-name> outside on the CLI).

I want to use a PEM client certificate. What should I do?

This applies when you run AnyConnect on Linux or macOS. If you have not done so already, obtain the client certificate and its private key in PEM format and place them in the AnyConnect client certificate store on that platform.

5. Configure cryptography

Although this can be done in the GUI, it is quicker with CLI commands on the ASA. Here are a few options:

1. Enabling SSL client certificate authentication on the outside interface

When the ASA is meant to authenticate users by certificate and clients report "VPN certificate validation failure", Cisco's guidance is to make sure certificate authentication is actually enabled on the interface where the SSL VPN terminates, so that the ASA requests the client certificate during the TLS handshake. Note that this is an ASA configuration command, not a client-side one: the AnyConnect client CLI (vpncli.exe under C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\ on Windows, /opt/cisco/anyconnect/bin/vpn on Linux and macOS) can connect, disconnect and show state, but cannot change the head-end. Enter the command on the ASA in global configuration mode, over SSH or the console, or through Tools > Command Line Interface in ASDM:

    ssl certificate-authentication interface outside port 443

Clarification: port 443 is the default port of the SSL VPN service. If the WebVPN/AnyConnect SSL listener runs on another port, use that port instead. The command applies only to the SSL/TLS tunnel and has no effect on IKEv2/IPsec connections.

2. Fixing a TLS version mismatch and changing the cipher suites

A client that still negotiates TLS 1.0 or 1.1 is usually out of date or incompatible; when the ASA is configured to accept only TLS 1.2, the handshake fails before any certificate is checked. Updating the client is the real fix. On the ASA side, open the CLI and use one of the following three options:

  • Set the minimum TLS version the ASA accepts from clients:
    ssl server-version tlsv1.2
  • Restrict TLS 1.2 to stronger cipher suites. Do not put single DES (DES-CBC-SHA) or RC4 (RC4-SHA, RC4-MD5) in such a list: both are broken, and RC4 is prohibited for TLS by RFC 7465. The keyword high instead of custom "..." selects the ASA's built-in strong set; a custom list of the remaining compatible suites looks like this:
    ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA"
  • Configure the DTLS version and its cipher suites:
    ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
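Before pasting a cipher string into ssl cipher ... custom, it is worth linting it. The following is an added example, not Cisco's code: it takes a colon-separated list of OpenSSL suite names (the format the ASA's custom keyword uses), reports which suites are broken, which are merely legacy, and which lack forward secrecy, and produces a cleaned list with forward-secret suites first. The RECOMMENDED list of ECDHE/GCM suites is an assumption about what your ASA release offers; confirm the names with show ssl ciphers on the device.

```python
"""Lint an OpenSSL-style cipher list before handing it to the ASA 'ssl cipher ... custom' keyword."""
from __future__ import annotations

import re

# The list proposed earlier on this page as "stronger"; several of its suites are broken.
ARTICLE_LIST = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
                "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")

# Forward-secret, AEAD-only suites. Assumption: your ASA release lists these in 'show ssl ciphers'.
RECOMMENDED = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")

# Patterns over OpenSSL suite names. Order matters: the first match decides the reason.
BROKEN = [
    (re.compile(r"RC4"), "RC4 is prohibited for TLS (RFC 7465)"),
    (re.compile(r"(^|-)DES-CBC-SHA$"), "single DES has a 56-bit key"),
    (re.compile(r"-MD5$"), "MD5-based MAC"),
    (re.compile(r"^(EXP|NULL)-|-NULL-|-NULL$"), "export-grade or NULL cipher"),
]
WEAK = [
    (re.compile(r"DES-CBC3|3DES"), "3DES is a 64-bit block cipher (Sweet32)"),
    (re.compile(r"-SHA$"), "CBC mode with HMAC-SHA1; prefer AEAD (GCM) suites"),
]

def classify(suite: str) -> tuple[str, str]:
    """('broken' | 'weak' | 'ok', reason) for one suite name."""
    for table, verdict in ((BROKEN, "broken"), (WEAK, "weak")):
        for pattern, reason in table:
            if pattern.search(suite):
                return verdict, reason
    return "ok", ""

def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange; static-RSA suites expose past sessions if the key leaks."""
    return suite.startswith(("ECDHE-", "DHE-"))

def lint(cipher_list: str) -> dict[str, tuple[str, str]]:
    """Per suite: verdict and reason; non-broken suites without forward secrecy get a note too."""
    findings = {}
    for suite in cipher_list.split(":"):
        verdict, reason = classify(suite)
        if verdict != "broken" and not has_forward_secrecy(suite):
            reason = (reason + "; " if reason else "") + "static RSA key exchange, no forward secrecy"
        findings[suite] = (verdict, reason)
    return findings

def cleaned(cipher_list: str) -> str:
    """Drop broken suites and move forward-secret suites to the front, keeping relative order."""
    kept = [s for s in cipher_list.split(":") if classify(s)[0] != "broken"]
    return ":".join(sorted(kept, key=lambda s: not has_forward_secrecy(s)))

if __name__ == "__main__":
    for suite, (verdict, reason) in lint(ARTICLE_LIST).items():
        print(f"{verdict:6} {suite:22} {reason}")
    print("ssl cipher tlsv1.2 custom", f'"{cleaned(ARTICLE_LIST)}"')
```

The cleaned output of the page's own list still consists of CBC/HMAC-SHA1 suites without AEAD, so it is a compatibility floor for old clients, not a target configuration; once every client supports TLS 1.2 with GCM, the RECOMMENDED list (or the high keyword) is the one to deploy.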

6. Enable or disable Windows OCSP Service Nonce

If you do not already know: the Microsoft Online Responder implements the lightweight OCSP profile of RFC 5019, which does not echo the nonce a requester sends, while the ASA implements RFC 2560 OCSP and by default expects the nonce it sent to come back in the response. When the ASA checks a client certificate against a Windows responder, the response arrives without the nonce, the ASA rejects it as invalid, and the client is shown "VPN certificate validation failure". To solve this you have two options:

1. Enable the OCSP nonce on Windows Server

If your Windows Server runs the Online Responder role, proceed as follows:

  • On the Windows Server, open Administrative Tools and start Online Responder Management.
  • In the left pane, expand the responder and click Revocation Configuration.
  • Right-click the revocation configuration for your CA and select Edit Properties.
  • On the Signing tab, tick "Enable NONCE extension support" and click OK.

2. Disable the nonce requirement on the ASA trustpoint

Although Cisco recommends the method above, you can instead tell the ASA not to require the nonce in OCSP responses. This does not disable OCSP checking itself; responses are still validated, just without the nonce match. On the ASA CLI, for the trustpoint of the CA that issued the client certificates (WIN-2K12-01_Root_CA is an example name; use your own), enter:

  • ASA(config)# crypto ca trustpoint WIN-2K12-01_Root_CA
  • ASA(config-ca-trustpoint)# ocsp disable-nonce


What is VPN certificate error?

One or more of the following can produce this error: the client or browser does not trust the certificate presented by the SSL VPN appliance (unknown or untrusted issuer); the name in the certificate does not match the address the client connected to; or the CA certificate cannot be imported into the trust store because its issuer is not trusted.

How do I update a Cisco VPN certificate?

In ASDM, go to Configuration > Device Management > Advanced > SSL Settings. In the Certificates section, select the interface on which WebVPN/AnyConnect sessions terminate (typically outside) and click Edit. Choose the freshly installed certificate from the Certificate drop-down, click OK, then Apply.

Why is my Cisco AnyConnect not working Login failed?

When connecting to the campus or two-factor VPN services through the WebVPN gateway or the Cisco AnyConnect client, you see "Login failed" if you supply an incorrect or invalid username and password combination. This is an authentication error, not a certificate error.

Bryan V. Root