VPN issue: No valid certificates available for authentication

Started by icecream-guy, October 17, 2017, 10:16:23 AM


icecream-guy

Windows users are getting the following error when trying to connect to Remote Access VPN. 

No valid certificates available for authentication.

Troubleshooting the Windows side of the house, we found that increasing the timeout value in the registry entry resolves the issue.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\TransactionTimeoutDelay
changed from 5 to 60.

Problem is that Mac users are having the same/similar issue when connecting to RAVPN,
and since Macs don't have a Windows registry, modifying the registry will not work.

Has anyone seen this before and have a Mac solution?


:professorcat:

My Moral Fibers have been cut.
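The Windows-side workaround above (raising TransactionTimeoutDelay from 5 to 60) as a check-and-fix script. This is an added example, not code from the thread; it assumes the value is a REG_DWORD under the Calais key and that the shell is elevated.

```powershell
# Added example: report the current smart-card transaction timeout and,
# if it is still at the default of 5, raise it to 60 as the first post did.
# Assumes the value is a REG_DWORD; run from an elevated PowerShell prompt.
$CalaisKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
$ValueName = 'TransactionTimeoutDelay'

function Get-CalaisTimeout {
    # Returns the current value, or $null when the value has never been set
    $item = Get-ItemProperty -Path $CalaisKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-CalaisTimeout {
    param([int]$Seconds = 60)
    if (-not (Test-Path $CalaisKey)) { New-Item -Path $CalaisKey -Force | Out-Null }
    $before = Get-CalaisTimeout
    # Print the prior value so the change can be reverted later if needed
    $shown = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Host ("{0} was {1}" -f $ValueName, $shown)
    Set-ItemProperty -Path $CalaisKey -Name $ValueName -Value $Seconds -Type DWord
    $after = Get-CalaisTimeout
    if ($after -ne $Seconds) { throw "Failed to set $ValueName (read back $after)" }
    Write-Host ("{0} is now {1}" -f $ValueName, $after)
}

$current = Get-CalaisTimeout
if ($null -eq $current -or $current -le 5) {
    Write-Host "Timeout at default ($current); raising to 60"
    Set-CalaisTimeout -Seconds 60
} else {
    Write-Host "Timeout already raised to $current; nothing to do"
}
```

Running it a second time only reports the current value, so it is safe to use as a quick check on affected machines.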

deanwebb

Get a PC. :problem?:

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the Mac box that has a timeout setting?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on October 17, 2017, 10:30:40 AM
Get a PC. :problem?:

The issue could be linked to the time it takes to find the certificate on the device. Is there a way to have the VPN client target a specific cert out of all the certs on that box? Because if the device has done any amount of web surfing, it will have tons of certs to sort through.

Failing that, is there a config file on the Mac box that has a timeout setting?

I think it is the time from when AnyConnect starts the VPN connection process to the authentication itself; the default is 5 sec.
That's what I'm asking, if there is a timeout setting for the Mac.

deanwebb

I'd look in the config files for the AnyConnect client, see if there's a setting there.

Dieselboy

I had something like this almost 4 years ago. Trying to go back through my email to work it out.

It's either that the SSL portal uses something like "domain.com/portal"; I have got that error when missing off the /portal accidentally. The SSL server I have is an IOS router.
Or there's a NAT rule also using the WAN IP that is used for SSL VPN.

What happens when you browse / possibly run Wireshark at the same time as trying to connect with a browser?

Also note this: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

The AnyConnect client does some things in the background to detect if the user is on a public Wi-Fi hotspot behind a captive portal. For SSL VPN to work properly, AnyConnect needs to be able to reach the SSL VPN server on port 80 as well as 443, apparently.

icecream-guy

For us updating with the latest ActivClient fixed the issue.