LinuxQuestions.org
Old 01-12-2012, 10:57 AM   #1
markraves
LQ Newbie
 
Registered: Sep 2010
Distribution: Ubuntu & CentOS
Posts: 13

Rep: Reputation: 0
Where does the Cisco AnyConnect client load its certificates?


Hello,
I've recently updated an ASA VPN concentrator at work. I've renewed the SSL certificates, nothing else.

Then, when I'm at my workstation or laptop, both running Ubuntu x64, the VPN client tells me that the remote gateway cannot be trusted.
Very SSL like this, so I tried to connect a third laptop, also running Ubuntu x64, and it connected like a charm. The only difference between the computers is that I've never connected the third to my work VPN gateway before.
So, I get that it's something wrong with some local files on my two other computers.

I tried to run the uninstall script found in /opt/cisco/..
And afterwards removed the whole /opt/cisco.

Tried reinstalling the client, but that didn't help. Exactly the same error message.

So, I think the problem is that the AnyConnect client stashes some certificates locally, and then instead of reading what's on the server, it uses the old certificates?

I have been unable to locate where exactly this happens. Does anyone have an idea about this? In my home dir, there is nothing but a preferences .xml in an anyconnect folder, no clue to what's wrong.

Out of the logs, it seems there is an issue server-side, but my 'unused' Ubuntu works, Windows workstations work I'm told, so the problem must reside client-side?

Pasting some essential logs as well:

Code:
Jan 11 16:10:29 workstation vpnui[15567]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 791 Profile () not found. Using default settings.
Jan 11 16:10:29 workstation vpnui[15567]: Message type information sent to the user: Contacting https://office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: loadProfiles File: ProfileMgr.cpp Line: 112 No profile is available.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 791 Profile () not found. Using default settings.
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/client/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND 
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND 
Jan 11 16:10:29 workstation vpnui[15567]: Function: getCertList File: ApiCert.cpp Line: 257 Number of certificates found: 0
Jan 11 16:10:29 workstation vpnui[15567]: Initiating VPN connection to the secure gateway https://office-vpn.mycompany.org
Jan 11 16:10:29 workstation vpnui[15567]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1917 PasswordEntry username is myusername
Jan 11 16:10:29 workstation vpnui[15567]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 399 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE 
Jan 11 16:10:29 workstation vpnui[15567]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE 
Jan 11 16:10:29 workstation vpnui[15567]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 995 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE 
Jan 11 16:10:29 workstation vpnui[15567]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE 
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/CertHelper.cpp Line: 167 Invoked Function: CCertStore::VerifyServerCertificate Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Jan 11 16:10:29 workstation vpnui[15567]: Function: sendRequest File: ConnectIfc.cpp Line: 2770 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Jan 11 16:10:29 workstation vpnui[15567]: Function: connect File: ConnectIfc.cpp Line: 410 Invoked Function: ConnectIfc::sendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Jan 11 16:10:29 workstation vpnui[15567]: Function: TranslateStatusCode File: ConnectIfc.cpp Line: 2618 Invoked Function: TranslateStatusCode Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
Jan 11 16:10:29 workstation vpnui[15567]: Function: doConnectIfcConnect File: ConnectMgr.cpp Line: 1399 Invoked Function: ConnectIfc::connect Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Jan 11 16:10:29 workstation vpnui[15567]: Message type warning sent to the user: Connection attempt has failed.
Jan 11 16:10:29 workstation vpnui[15567]: Function: processIfcData File: ConnectMgr.cpp Line: 1674 Content type (unknown) received. Response type (server cert error) from office-vpn.mycompany.org: 
Jan 11 16:10:29 workstation vpnui[15567]: Message type error sent to the user: AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.

Last edited by onebuck; 01-14-2012 at 10:56 AM. Reason: Show member vbcode tag usage to make things easier to read
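
An added example (not part of the original post and not Cisco code): a small parser for the vpnui log format shown above. It collects the certificate-store directories the client reported missing, maps the `X509_verify_cert` return code to OpenSSL's constant name, and lists the error symbols in the order they propagate. The name `summarize` and the code table are this example's own; the sample lines are taken from the log above.

```python
import re

# Sample input: four entries taken from the log in the post above.
SAMPLE_LOG = """\
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Jan 11 16:10:29 workstation vpnui[15567]: Function: sendRequest File: ConnectIfc.cpp Line: 2770 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
"""

ENTRY = re.compile(
    r"Invoked Function: (?P<invoked>\S+) Return Code: (?P<rc>-?\d+) "
    r"\((?P<hex>0x[0-9A-Fa-f]+)\) Description: (?P<desc>\S+) ?(?P<detail>.*)")
MISSING_DIR = re.compile(r"The (?P<dir>/\S+) directory was not found")

# A few OpenSSL X509_verify_cert result codes (values from OpenSSL's x509_vfy.h).
X509_V_ERR = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

def summarize(log_text):
    """Return missing store dirs, OpenSSL verify errors and the client error chain."""
    missing, x509, chain = [], [], []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # informational line without a return code
        rc = int(m["rc"])
        # Each code is logged as signed decimal and as 32-bit hex; cross-check them.
        if rc & 0xFFFFFFFF != int(m["hex"], 16):
            raise ValueError(f"decimal/hex return code mismatch: {line!r}")
        d = MISSING_DIR.search(m["detail"])
        if d and d["dir"] not in missing:
            missing.append(d["dir"])
        if m["invoked"] == "X509_verify_cert":
            entry = (rc, X509_V_ERR.get(rc, "unmapped"), m["detail"].strip())
            if entry not in x509:
                x509.append(entry)
        elif m["desc"] not in chain:
            chain.append(m["desc"])
    return {"missing_dirs": missing, "x509_errors": x509, "error_chain": chain}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Code 20 is OpenSSL reporting that it could not find the issuer of a certificate in the presented chain among the locally available certificates; `missing_dirs` lists the file-based stores the client reported as absent while it was looking.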
 
Old 01-14-2012, 10:58 AM   #2
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,013
Blog Entries: 1

Rep: Reputation: 1364
Moderator response

Moved: This thread is more suitable in <Linux-Networking> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 02-07-2012, 11:12 PM   #3
markraves
LQ Newbie
 
Registered: Sep 2010
Distribution: Ubuntu & CentOS
Posts: 13

Original Poster
Rep: Reputation: 0
bump anyone?
 
  

