VPN issue: No valid certificates available for authentication

[icecream-guy]

Windows users are getting the following error when trying to connect to Remote Access VPN. 

No valid certificates available for authentication.

Troubleshooting the Windows side of the house, we found that increasing the timeout value in the registry entry resolves the issue.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\TransactionTimeoutDelay
changed from 5 to 60.

Problem is that MAC users are having the same/similar issue when connecting to RAVPN,
since MAC's don't have a windows registry, well, modifying the registry will not work.

Anyone have seen this before and have a MAC solution?

[deanwebb]

Get a PC.

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the MAC box that has a timeout setting?

[icecream-guy]

Get a PC.

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the MAC box that has a timeout setting?

I think is the time from anyconnect starts the vpn connection process to the authentication itself,  default is 5 sec.
That's what I'm asking, if there is a timeout setting for the MAC.

[deanwebb]

I'd look in the config files for the AnyConnect client, see if there's a setting there.

[Dieselboy]

I had something like this almost 4 years ago. Trying to go back through my email to work it out.

It's either that the SSL portal uses something like "domain.com/portal" I have got that error when missing off the /portal accidentally. The SSL server I have is an IOS router.
Or there's a NAT rule also using the WAN IP that is used for SSL VPN.

What happens when you browse / possibly run wireshark at the same time as trying to connect with a browser?

Also note this: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

The anyconnect client does some things in the background to detect if the user is on a public wifi hotspot behind a captive portal. For SSL VPN to work properly the anyconnect needs to be able to reach the SSL VPN server on port 80 as well as 443.. apparently.

[icecream-guy]

For us updating with the latest ActivClient fixed the issue.