How to Fix VPN Certificate Validation Failure Error

Dan Parker

If you use the Cisco AnyConnect VPN client on Windows, Mac or Linux, you have probably already encountered the error “VPN certificate validation failure”.

This error is exclusive to Cisco AnyConnect VPN. Since Cisco AnyConnect is often used in business settings to interconnect computers over a secured network, solving this issue is usually a priority.

Although Cisco AnyConnect is a reliable and trustworthy VPN solution, like any other software it can occasionally fail in unexpected ways. In this article, we provide several ways to fix the VPN certificate validation error.

Go through standard troubleshooting steps

This is the first thing to try before anything else. Check that the problem is not caused by temporary downtime, and that there are no glitches or bugs on your side. If everything checks out and the problem persists, follow the other steps provided below.

Double check the VPN client profile

Check and verify the hostname and host address, and ensure that they are still valid. Do this even if you made the changes manually.

  • Look for the profile with an .xml extension in the /opt/cisco/anyconnect/profile folder
  • Confirm that it is correct and matches the following structure:

    <ServerList>
      <HostEntry>
        <HostName>Hostname for VPN</HostName>
        <HostAddress>FQDN (Fully Qualified Domain Name) or server’s IP address</HostAddress>
      </HostEntry>
    </ServerList>
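A small checker for the profile structure above, written for this article as an added example (it is not Cisco code). It parses the ServerList, tolerates a namespaced profile, and flags any HostAddress that is not a bare FQDN or IP literal; the sample profile and its “Broken” entry are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample profile shaped like the <ServerList> fragment above;
# the third entry is deliberately wrong (a URL instead of an FQDN).
SAMPLE_PROFILE = """<AnyConnectProfile>
 <ServerList>
  <HostEntry><HostName>Corporate VPN</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
  <HostEntry><HostName>Backup VPN</HostName><HostAddress>203.0.113.10</HostAddress></HostEntry>
  <HostEntry><HostName>Broken</HostName><HostAddress>https://vpn.example.com/</HostAddress></HostEntry>
 </ServerList>
</AnyConnectProfile>"""

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

def _local(tag):
    """Strip any XML namespace so tags match with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_host_address(address):
    """Return None if address is a bare FQDN or IP literal, else the problem."""
    if not address:
        return "empty HostAddress"
    try:
        ipaddress.ip_address(address)   # accepts IPv4 and IPv6 literals
        return None
    except ValueError:
        pass
    if "://" in address or "/" in address or ":" in address:
        return "HostAddress must be a bare FQDN or IP, not a URL or host:port"
    if len(address) > 253 or not _FQDN_RE.match(address):
        return "HostAddress is not a valid fully qualified domain name"
    return None

def check_profile(xml_text):
    """Check every HostEntry; return a list of (HostName, problem) tuples."""
    problems = []
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        name = fields.get("HostName") or "<missing HostName>"
        reason = check_host_address(fields.get("HostAddress", ""))
        if reason:
            problems.append((name, reason))
    return problems
```

Run `check_profile(open(path).read())` against the file from /opt/cisco/anyconnect/profile; an empty list means every entry has a usable address.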

Has the SSL/TLS certificate expired?

Another reason you may see this error is an expired SSL/TLS certificate. To check the certificate’s validity period, follow the steps below:

  • Open the ASDM interface for the device
  • Select the Configuration tab in the top left corner
  • Select Device Management
  • Select Certificate Management
  • Select CA Certificates
  • Select the Show Details button on the right-hand side
  • On the General tab, check the dates under Valid From and Valid To

Install a new SSL or TLS certificate

  • Follow steps 1 to 5 above
  • Highlight the expired certificate
  • Select the Delete button
  • Download the renewed certificate
  • Navigate back to CA Certificates and click the Add button
  • Select the Install from file button
  • Click Browse
  • Select the digital certificate file
  • Click Install
  • Click Install Certificate
  • Select Send at the Preview CLI Commands prompt
  • Repeat steps 4 to 8 for any other certificate files

I want to use the PEM client certificate. What shall I do?

If you have not installed a client certificate yet, download the client certificate and its private key, then place them in:

  • “~/.cisco/certificates/client/” (the certificate goes here)
  • “~/.cisco/certificates/client/private/” (the private key goes here)

Keep in mind that the certificate must end with .pem and the private key must end with .key. Moreover, both files must have identical base names.
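An added example (not Cisco code) that audits the directory layout described above: it checks extensions, confirms each file is actually PEM of the right block type (a DER file renamed to .pem is a common mistake), and pairs every .pem with a private/<name>.key. The sample tree and its placeholder PEM bodies are constructed here so it runs offline.

```python
import os
import tempfile

# Constructed placeholder PEM bodies; real files carry base64 DER between the markers.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

def pem_label(path):
    """Return the label of the first '-----BEGIN <label>-----' marker, or None."""
    with open(path, errors="replace") as fh:
        for line in fh:
            if line.startswith("-----BEGIN ") and line.rstrip().endswith("-----"):
                return line.strip()[11:-5]
    return None

def audit_client_certs(cert_dir):
    """Audit cert_dir (the article's ~/.cisco/certificates/client); return [(file, problem)]."""
    key_dir = os.path.join(cert_dir, "private")
    cert_files = sorted(f for f in os.listdir(cert_dir) if os.path.isfile(os.path.join(cert_dir, f)))
    key_files = sorted(os.listdir(key_dir)) if os.path.isdir(key_dir) else []
    problems = []
    for f in cert_files:
        if not f.endswith(".pem"):
            problems.append((f, "certificate must have a .pem extension"))
        elif pem_label(os.path.join(cert_dir, f)) != "CERTIFICATE":
            problems.append((f, "not a PEM certificate (DER or wrong block type?)"))
    for f in key_files:
        if not f.endswith(".key"):
            problems.append((f, "private key must have a .key extension"))
        elif "PRIVATE KEY" not in (pem_label(os.path.join(key_dir, f)) or ""):
            problems.append((f, "not a PEM private key"))
    certs = {f[:-4] for f in cert_files if f.endswith(".pem")}   # base names
    keys = {f[:-4] for f in key_files if f.endswith(".key")}
    problems += [(n + ".pem", f"no private/{n}.key with the same base name") for n in sorted(certs - keys)]
    problems += [(n + ".key", f"no {n}.pem with the same base name") for n in sorted(keys - certs)]
    return problems

def build_sample_tree():
    """Create a throwaway tree mimicking the layout: one correct pair plus three mistakes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "private"))
    files = {"corp.pem": CERT_PEM, "private/corp.key": KEY_PEM,   # correct pair
             "old.pem": CERT_PEM,                                 # key missing
             "wrong.crt": CERT_PEM,                               # wrong extension
             "private/orphan.key": KEY_PEM}                       # certificate missing
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

On a real machine call `audit_client_certs(os.path.expanduser("~/.cisco/certificates/client"))`; the sample tree exists only to show what each kind of mistake reports.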

Configure cryptography

You could do this by running the CLI or command-line interface.

Allow SSL client certificates to be used on the outside interface

  • Launch the Cisco client CLI:
    • Windows: navigate to “C:/Program Files/Cisco/Cisco AnyConnect Secure Mobility Client”.
      • Open the file named vpncli.exe
    • Mac: go to the “/opt/cisco/anyconnect/bin/” location
  • Paste the command ssl certificate-authentication interface outside port 443 and press Enter
  • Clarification: this applies if you are using IKEv2/IPsec by default. If you are using a different security protocol, replace 443 with the port it communicates over.

Fix a TLS version mismatch and change the cryptography settings

  • Change the cipher version: ssl cipher tlsv1.2
  • Adjust the TLS 1.3 cipher to use stronger cipher suites. Enter the command: ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
  • Configure the DTLS version and its cipher suites. Type the command: ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
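Before pasting a custom cipher list into an ASA, it is worth grading each suite; the list quoted above still contains RC4, single-DES and MD5 suites, which current TLS guidance rejects outright. This added example (not Cisco code) parses the two ssl cipher commands from the article and classifies every OpenSSL-style suite name; the severity thresholds are this example's own, roughly following RFC 7465 and the Sweet32 findings.

```python
import re
import shlex

# The two commands from the article, used here as sample input.
ARTICLE_COMMANDS = [
    'ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:'
    'DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"',
    'ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"',
]

# Rules over OpenSSL-style suite names; first match wins. The thresholds are
# this example's choice, roughly following RFC 7465 (RC4) and Sweet32 (3DES).
RULES = [
    (r"NULL|EXP|ADH|AECDH", "broken", "no encryption, export grade or unauthenticated"),
    (r"RC4",                "broken", "RC4 is prohibited in TLS (RFC 7465)"),
    (r"MD5",                "broken", "MD5-based MAC"),
    (r"(^|-)DES-CBC-",      "broken", "single DES, 56-bit key"),
    (r"DES-CBC3",           "weak",   "3DES, 64-bit block (Sweet32)"),
]

def parse_ssl_cipher_command(cmd):
    """Split an ASA 'ssl cipher <version> custom "<suite:...>"' line into (version, suites)."""
    parts = shlex.split(cmd.replace("\u201c", '"').replace("\u201d", '"'))  # accept curly quotes
    if parts[:2] != ["ssl", "cipher"] or len(parts) != 5 or parts[3] != "custom":
        raise ValueError('expected: ssl cipher <version> custom "<suite:suite:...>"')
    return parts[2], [s for s in parts[4].split(":") if s]

def grade_suite(suite):
    """Return (severity, reason) for one suite name."""
    for pattern, severity, reason in RULES:
        if re.search(pattern, suite):
            return severity, reason
    if not re.match(r"(EC)?DHE-", suite):
        return "legacy", "static RSA key exchange, no forward secrecy"
    if "GCM" not in suite and "CHACHA20" not in suite:
        return "legacy", "CBC mode with MAC-then-encrypt"
    return "ok", "AEAD cipher with forward secrecy"

def audit_command(cmd):
    """Return (version, {suite: (severity, reason)}) for one ssl cipher command."""
    version, suites = parse_ssl_cipher_command(cmd)
    return version, {s: grade_suite(s) for s in suites}

if __name__ == "__main__":
    for cmd in ARTICLE_COMMANDS:
        version, report = audit_command(cmd)
        print(version)
        for suite, (severity, reason) in report.items():
            print(f"  {severity:7} {suite:24} {reason}")
```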

Enable or disable Windows OCSP Service Nonce

Enable OCSP Nonce on Windows Server

  • Open your Windows Server OCSP responder
  • Navigate to Administrative Tools
  • Go to Online Responder Management
  • Select the Revocation Configuration option
  • Right-click your certificate
  • Select Edit Properties
  • On the Signing tab, tick Enable Nonce extension support

Disable Nonce via ASA TrustPoint

    ASA(config)# crypto ca trustpoint WIN-2K12-01_Root_CA
    ASA(config-ca-trustpoint)# ocsp disable-nonce