AnyConnect not able to establish a connection to the specified secure gateway

AnyConnect was not able to establish a connection to the specified secure gateway – Cisco VPN Linux / RedHat and RHEL / Ubuntu, Debian:

Scenario:

When using the 64-bit (x64) Cisco AnyConnect client for Linux and similar systems (such as Mac, Ubuntu, Red Hat RHEL and Debian), you might get the error above, or, if you connect through the command line, you might get the following errors:

>/opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.1.02043) .

Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.

  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (vpn.domain.com) for login information...
  >> notice: Contacting vpn.domain.com.
VPN> AnyConnect cannot verify the VPN server: vpn.domain.com
Connecting to this server may result in a severe security compromise!
AnyConnect is configured to block untrusted VPN servers by default.  
Most users choose to keep this setting.
If this setting is changed, 
AnyConnect will no longer automatically block connections to potentially malicious network devices.

Change the setting that blocks untrusted connections? [y/n]: y

Changing this VPN Preference may result in a severe security compromise!

Change the setting that blocks untrusted connections? [y/n]: y
  >> warning: Connection attempt has failed.
  >> state: Disconnected


>sudo /opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.0.07059) .

Copyright (c) 2004 - 2012 Cisco Systems, Inc.
All Rights Reserved.


>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (vpn.domain.com) for login information...
>> notice: Contacting vpn.domain.com.
VPN>
>> Please enter your username and password.
Group: VPNGroup

Username: [UserName] UserName
Password:
>> state: Connecting
>> notice: Establishing VPN session...
>> error: AnyConnect was not able to establish a connection to the 
specified secure gateway. Please try connecting again.
>> notice: Connection attempt has failed.
>> state: Disconnected

Resolution:

1- Before you start troubleshooting the issue on the client side, make sure the SSL certificates are installed and configured properly on the ASA. Go to http://www.digicert.com/help/ and test your server's SSL certificate; if you see any issues, talk to your system admin to fix them. In addition to your company's SSL certificate, the intermediate certificate from the SSL provider needs to be installed on the ASA too, and that web tool can show you any issues in that regard (a missing intermediate certificate is a common issue).

2- Important: Upgrade to the latest Cisco AnyConnect client. You can download it from the Cisco TAC site, but you need a username and a password. The latest version of AnyConnect as of this article is 3.1.04066.

3- In one of the cases, the Cisco ASA had a Go Daddy SSL certificate. Copying the Go Daddy certificate from the Linux SSL certificate folder to the Cisco SSL certificate folder on the Linux machine forced AnyConnect to trust that certificate.

sudo cp /etc/ssl/certs/Go* /opt/.cisco/certificates/ca/

If you are using a different third-party SSL certificate on the ASA, then you need to copy that certificate the same way.

You can also copy all the certificates from /etc/ssl/certs/ to /opt/.cisco/certificates/ca/ if you are not sure which certificate you are using.
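If you are not sure which certificate the ASA uses, the script below finds the single CA file that validates the gateway's chain, so only that file needs to go into the AnyConnect folder rather than the whole system store. It is an added example, not part of the original article; the function names, chain.pem and the throwaway demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, chain.pem and
# the throwaway demo PKI are illustrative assumptions.

# find_trust_anchor CHAIN_PEM CA_DIR
# CHAIN_PEM holds the certificates the gateway presents, leaf first, e.g. from
#   openssl s_client -connect vpn.domain.com:443 -showcerts </dev/null
# Prints the one CA file in CA_DIR that validates the chain. Returns 1 if none
# does (an intermediate missing on the gateway, or a CA that is not in CA_DIR).
find_trust_anchor() {
    chain=$1 ca_dir=$2
    for ca in "$ca_dir"/*; do
        [ -f "$ca" ] || continue
        # Skip bundles such as ca-certificates.crt: they would match any chain.
        [ "$(grep -c 'BEGIN CERTIFICATE' "$ca" 2>/dev/null)" = 1 ] || continue
        # Trust this candidate only (-no-CApath, OpenSSL 1.1.0+, keeps the
        # default CA directory out). The chain file is both the untrusted pool
        # and the target: verify checks the first certificate in it.
        if openssl verify -no-CApath -CAfile "$ca" -untrusted "$chain" \
                "$chain" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# make_demo_pki DIR: constructed sample data. Two unrelated self-signed CAs in
# DIR/ca and a server certificate (DIR/chain.pem) issued by "signing".
make_demo_pki() {
    d=$1
    mkdir -p "$d/ca"
    for n in other signing; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $n CA" -keyout "$d/$n.key" \
            -out "$d/ca/$n.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.domain.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 -set_serial 1 \
        -CA "$d/ca/signing.pem" -CAkey "$d/signing.key" \
        -out "$d/chain.pem" 2>/dev/null
}

# Real use: find_trust_anchor chain.pem /etc/ssl/certs
if [ $# -eq 2 ]; then find_trust_anchor "$1" "$2"; fi
```

The path it prints is the file to copy with sudo cp into /opt/.cisco/certificates/ca/. If it prints nothing, check the ASA for the missing intermediate certificate described in step 1 before widening what the client trusts.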

If you get this error in Windows, make sure you stop the Internet Sharing service in Windows Services.

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.
