How to Fix VPN Certificate Validation Failure Error
If you are subscribed to Cisco AnyConnect and use its VPN client on Windows, Mac or Linux, you have probably encountered the error "VPN certificate validation failure". This error is exclusive to the Cisco AnyConnect VPN client. Since Cisco AnyConnect VPN is often used in business settings to interconnect computers over a secured network, solving this issue is usually a priority.
Though Cisco AnyConnect VPN is a reliable and trustworthy VPN service, like any other service it can occasionally fail in unexpected ways. In this article we provide several ways to fix the VPN certificate validation error.
Go through standard troubleshooting steps
This is the first step to try before doing anything else. Check and ensure that the problem is not caused by temporary downtime, a glitch or a bug. If all is clear and the problem still exists, follow the other steps provided below to fix the VPN certificate validation failure error.
Double check the VPN client profile
You need to check and verify the hostname and host address and ensure that they are still valid. Do this step even if you have made changes manually.
- Look for the profile with an .xml extension in the /opt/cisco/anyconnect/profile folder
- Confirm that it is correct and matches the following structure:
  <ServerList>
    <HostEntry>
      <HostName>Hostname for VPN</HostName>
      <HostAddress>FQDN (Fully Qualified Domain Name) or server's IP address</HostAddress>
    </HostEntry>
  </ServerList>
Has the SSL/TLS certificate expired?
Another reason you may see this error is that your SSL/TLS certificate has expired. To check this, follow the steps below:
- Open the ASDM interface for the device
- Select the Configuration tab in the top left corner
- Select Device Management
- Select Certificate Management
- Select CA Certificates
- Select the Show Details button on the right-hand side
- On the General tab, check the dates under Valid From and Valid To
Install a new SSL or TLS certificate
- Follow steps 1 to 5 above
- Highlight the expired certificates
- Select the Delete button
- Download the renewed certificates
- Navigate back to CA Certificates and click the Add button
- Select the Install from file button
- Click Browse
- Select the digital certificate file
- Click Install
- Click Install Certificate
- Select Send at the Preview CLI Commands prompt
- Repeat steps 4 to 8 for each additional certificate file
I want to use the PEM client certificate. What shall I do?
If you have not yet installed certificates, download the client certificate and its private key, then place them in:
- ~/.cisco/certificates/client/ (certificate here)
- ~/.cisco/certificates/client/private/ (private key here)
Keep in mind that the certificate must end with .pem and the private key with .key, and that the two files must have identical base names.
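Both client-side checks above (the ServerList entries in the profile, and the .pem/.key pairing under ~/.cisco/certificates/client/) can be scripted. The following is an added example written for this article, not Cisco's code; the profile content and its xmlns value are constructed, and the certificate directory is built in a temporary folder rather than read from ~/.cisco.

```python
import ipaddress, os, re, tempfile
import xml.etree.ElementTree as ET

# Hostname label rule: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn_or_ip(address: str) -> bool:
    """True if a HostAddress value is an IPv4/IPv6 literal or a well-formed FQDN."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        labels = address.rstrip(".").split(".")
        return len(address) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def check_profile(xml_text: str) -> list:
    """(HostName, HostAddress, valid) per HostEntry; tags matched by local name so a default xmlns is fine."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    results = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        name, addr = fields.get("HostName", ""), fields.get("HostAddress", "")
        results.append((name, addr, bool(name) and is_fqdn_or_ip(addr)))
    return results

def unpaired_client_certs(client_dir: str) -> list:
    """Base names of <name>.pem certs in client_dir that lack private/<name>.key."""
    certs = {f[:-4] for f in os.listdir(client_dir) if f.endswith(".pem")}
    private = os.path.join(client_dir, "private")
    keys = {f[:-4] for f in os.listdir(private) if f.endswith(".key")} if os.path.isdir(private) else set()
    return sorted(certs - keys)

# Constructed sample profile; the xmlns value is a placeholder, not Cisco's real one.
PROFILE = """<AnyConnectProfile xmlns="urn:example:anyconnect-profile"><ServerList>
<HostEntry><HostName>Corp VPN</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
<HostEntry><HostName>Lab VPN</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
<HostEntry><HostName>Typo</HostName><HostAddress>vpn_example..com</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""

def demo_unpaired() -> list:
    """Build a throwaway client/ tree where bob.pem has no key, then check it."""
    with tempfile.TemporaryDirectory() as client_dir:
        os.mkdir(os.path.join(client_dir, "private"))
        for rel in ("alice.pem", "bob.pem", "private/alice.key"):
            open(os.path.join(client_dir, rel), "w").close()
        return unpaired_client_certs(client_dir)
```

To run it against a real installation, pass the contents of the .xml profile to check_profile() and the path ~/.cisco/certificates/client to unpaired_client_certs().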
Configure cryptography
You can do this from the CLI (command-line interface).
Allow SSL client certificates to be used on the outside interface
- Launch the Cisco client CLI:
  - Windows: navigate to "C:/Program Files/Cisco/Cisco AnyConnect Secure Mobility Client" and open the file named vpncli.exe
  - Mac: go to "/opt/cisco/anyconnect/bin/" and open the file named vpn
- Paste the command ssl certificate-authentication interface outside port 443 and press Enter
- Clarification: this applies if you are using IKEv2/IPsec by default. If you are using a different security protocol, replace 443 with the port it communicates over.
Fix TLS version mismatch by changing the cryptography settings
- Change the cipher version: ssl cipher tlsv1.2
- Adjust the TLS 1.2 cipher suites to use stronger ones. Enter the command: ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
- Configure the DTLS version and its cipher suites. Type the command: ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
Enable or disable Windows OCSP Service Nonce
Enable OCSP Nonce on Windows Server
- Open your Windows Server OCSP responder
- Navigate to Administrative Tools
- Go to Online Responder Management
- Select the Revocation Configuration option
- Right-click on your certificate
- Select Edit Properties
- On the Signing tab, put a checkmark in front of Enable Nonce extension support
Disable Nonce via ASA TrustPoint
- ASA(config)#crypto ca trustpoint WIN-2K12-01_Root_CA
- ASA(config-ca-trustpoint)# ocsp disable-nonce