
Thread: Cisco Anyconnect SSL VPN Client Certificate Error

  1. #21
    Join Date
    Dec 2008
    Location
    France
    Beans
    34
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I've just upgraded to Ubuntu 8.10 (32bits) and notice that AnyConnect version 2.2.0140 doesn't work anymore. I get a certificate error...

    VPN> jdoe@aspirept/cisco/vpn/bin$ strace ./vpn connect mygateway 2>/tmp/1.txt
    Cisco AnyConnect VPN Client (version 2.2.0140).

    Copyright (c) 2004 - 2008 Cisco Systems, Inc.
    All Rights Reserved.


    >> state: Disconnected
    >> notice: VPN Service is available.
    >> registered with local VPN subsystem.
    >> state: Disconnected
    VPN> >> contacting host (mygateway) for login information...
    >> notice: Contacting mygateway.
    >> warning: Unable to process response from mygateway.
    >> error: Connection attempt has failed due to server certificate problem.
    >> state: Disconnected


    This issue is solved by adding the following symlink:

    sudo ln -s /usr/lib/nss/libnssdbm3.so /usr/lib/libnssdbm3.so

    Hope this helps
    Regards,

  2. #22
    Join Date
    Nov 2008
    Beans
    2

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Hello all, I'm running Ubuntu 8.10, 32 bit, installed the vpnagent and started the daemon via sudo /etc/init.d/vpnagentd_init start... it starts fine. When I attempt to run /opt/cisco/vpn/bin/vpn connect xxxx.com, I get the following:

    Cisco AnyConnect VPN Client (version 2.2.0140).

    Copyright (c) 2004 - 2008 Cisco Systems, Inc.
    All Rights Reserved.


    >> warning: No profile is available. Please enter host to "Connect to".
    >> state: Disconnected
    >> notice: VPN Service is available.
    >> registered with local VPN subsystem.
    >> state: Disconnected
    VPN> connect xxxxx.com
    >> contacting host (xxxxx.com) for login information...
    >> notice: Contacting xxxxx.com.
    >> notice: Downloading Cisco Secure Desktop ...
    VPN> shift: 16: can't shift that many
    >> error: Unable to launch Cisco Secure Desktop. If you are already on the
    Secure Desktop, use the "Launch Login Page" button on the desktop.
    >> state: Disconnected
    VPN>



    .... has anyone seen this (the shift error in particular)? I've run an strace on the command, and found all the calls to various libraries (which seems to be a common issue), but the system is always able to find every lib. Any help is appreciated. Thanks.

  3. #23
    Join Date
    Jul 2008
    Beans
    64

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I've seen it.

    It is a bug in the current production versions of the AnyConnect client and Secure Desktop(*). I've tested the beta releases of the AnyConnect client and Secure Desktop and they do work. At the moment, I've only tested on 32-bit Ubuntu. I will test with 64-bit Ubuntu over the weekend. I will post an update to this thread then.

    casevh

    (*) Roughly speaking, Secure Desktop is a plugin for the AnyConnect client (or a web browser) that allows the remote access server to do host scan (checking for firewall and anti-virus software, for example) or provide a very secure web browser environment (i.e. prevent other applications from running at the same time, erase all files from the browser cache, etc.)

  4. #24
    Join Date
    Jul 2008
    Beans
    64

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Update: I am able to connect successfully from 32-bit (8.10) and 64-bit (8.04) using Cisco's latest beta AnyConnect client 2.3.0167 and beta Secure Desktop 3.4.0369.

    On the 64-bit platform, I needed to add an additional 32-bit library - libcurl.so.4.1.0 - to /usr/lib32.

    casevh

  5. #25
    Join Date
    Apr 2007
    Beans
    10

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Made another pass on a separate amd64 / x86_64 intrepid workstation and got it working.

    Do not run the 'vpn' or 'vpnui' binaries as root (or via sudo).

    Code:
    # downloaded the latest Linux Anyconnect client from http://www.cisco.com
    tar -xvzf anyconnect-linux-2.3.0185-k9.tar.gz
    cd ciscovpn/
    sudo ./vpn_install.sh 
    
    # Downloaded latest firefox from http://www.mozilla.com/en-US/firefox/
    sudo tar -xvjf firefox-3.0.5.tar.bz2 -C /usr/local
    
    for lib in libnssutil3.so libplc4.so libplds4.so libnspr4.so libsqlite3.so libnssdbm3.so libfreebl3.so ; do sudo ln -s /usr/local/firefox/$lib /opt/cisco/vpn/lib/$lib ; done

    This was with 2.3.0185 with a public signed certificate. I then went back to the earlier workstation and ran 'vpn connect' not as root and it worked as well. That workstation has 2.2.0140 installed.
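
Added example, not part of the original post or of Cisco's tooling: a check over the libraries linked into the client's lib directory as in the steps above, reporting links that are missing or dangling, targets that any local user could overwrite, and targets that are not 32-bit ELF objects. The function names, the status words and the 32-bit default are assumptions made for this example, and `readlink -f` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the libraries linked into the VPN client's lib directory.
# LIBS is the list given in the posts; the default directory is the one used there.
LIBS="libnssutil3.so libplc4.so libplds4.so libnspr4.so libsqlite3.so libnssdbm3.so libfreebl3.so"

# elf_class FILE: print 32 or 64 from the ELF header's EI_CLASS byte, else "none".
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo none; return 0; }
    case $(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo none ;;
    esac
}

# audit_lib DIR LIB WANT_CLASS: print MISSING, DANGLING, WRITABLE, WRONGCLASS(x) or OK.
audit_lib() {
    path="$1/$2"
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then echo MISSING; return 0; fi
    if [ ! -e "$path" ]; then echo DANGLING; return 0; fi
    real=$(readlink -f "$path")
    # A world-writable target or parent directory lets any local user swap the library.
    if [ -n "$(find "$real" "$(dirname "$real")" -prune -perm -0002 2>/dev/null)" ]; then
        echo WRITABLE; return 0
    fi
    class=$(elf_class "$real")
    if [ "$class" != "$3" ]; then echo "WRONGCLASS($class)"; return 0; fi
    echo OK
}

# audit_dir DIR WANT_CLASS: one report line per library in LIBS.
audit_dir() {
    for lib in $LIBS; do
        printf '%-18s %s\n' "$lib" "$(audit_lib "$1" "$lib" "$2")"
    done
}

audit_dir "${1:-/opt/cisco/vpn/lib}" "${2:-32}"
```

Pass a different directory as the first argument (for example `/usr/lib32`) and `64` as the second to check 64-bit libraries instead.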

  6. #26
    Join Date
    Nov 2006
    Location
    Montreal
    Beans
    Hidden!

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Thanks to your postings here, especially casevh, I got my Cisco AnyConnect working as well. I was able to get rid of the certificate error rather quickly, but then the client would tell me that it is connected, but no traffic went through. In the terminal where I launched the agent, I saw some error that looked like "compr!Err" with no further explanation. A look into /var/log/syslog showed that the agent was looking for /usr/lib/libz.so. Another symlink and I was in business.

    The only thing that's left is an error
    XmlElement::translateWideToChar - memory leak
    that sounds a bit scary. Both clients, vpn and vpnui, produce that. Any idea? I see this with AnyConnect version 2.0.0343 (sorry, my company doesn't have anything more recent and I don't have access to Cisco) running on Jaunty Alpha 3 (32 bit), but also on Gutsy.

  7. #27
    Join Date
    Mar 2007
    Beans
    1

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I am running 64-bit 8.10 and the below instructions worked like a charm. I am using cert based authentication. Thanks to Casevh!



    Originally Posted by casevh
    Are you running 32-bit or 64-bit version of Ubuntu?

    If you are running 32-bit, do the following:

    sudo ln -s /usr/lib/libnspr4.so.0d /usr/lib/libnspr4.so
    sudo ln -s /usr/lib/libnss3.so.1d /usr/lib/libnss3.so
    sudo ln -s /usr/lib/libplc4.so.0d /usr/lib/libplc4.so
    sudo ln -s /usr/lib/libsmime3.so.1d /usr/lib/libsmime3.so

    If you are running 64-bit, it's a little more complicated. You will need to install 32-bit Firefox and make a few other changes. The following steps work for me, but I'm not using certificates (yet).

    1) Install "ia32-libs"
    2) Install "lib32nss-mdns"
    3) Install 32-bit Firefox. It MUST be installed into the /usr/local/firefox directory.
    4) Several files from /usr/local/firefox must be copied or linked to either /usr/lib32 or /opt/cisco/vpn/lib.

    libnssutil3.so
    libplc4.so
    libplds4.so
    libnspr4.so
    libsqlite3.so
    libnssdbm3.so
    libfreebl3.so

    If this doesn't help, please give the exact error message.

    casevh

  8. #28
    Join Date
    Dec 2007
    Beans
    1

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Here's the error I'm seeing after following the advice above:

    sergio@lenobo:~$ /opt/cisco/vpn/bin/vpn connect [ip address]
    Cisco AnyConnect VPN Client (version 2.3.0254) .

    Copyright (c) 2004 - 2009 Cisco Systems, Inc.
    All Rights Reserved.


    >> state: Disconnected
    >> warning: No profile is available. Please enter host to "Connect to".
    >> registered with local VPN subsystem.
    >> state: Disconnected
    VPN> >> contacting host (*.*.*.*) for login information...
    >> notice: Contacting *.*.*.*
    VPN>
    >> Please enter your username and password.

    Username: [*****] *****
    Password:
    >> notice: Establishing VPN - Checking for updates...
    >> state: Connecting
    VPN> /bin/sh: Can't open /tmp/vpnnspZL3/vpndownloader.sh
    >> error: Unable to establish VPN.
    >> state: Disconnected

    From Syslog:

    Apr 11 05:47:32 lenobo vpn: [p:29153 pp:26307]: ConnectMgr.cpp:1128 (0) processIfcData Authentication succeeded
    Apr 11 05:47:32 lenobo vpn: [p:29153 pp:26307]: warning - ConnectIfc.cpp:1178 (0) ConnectIfc::getUpdateFileContent Unable to locate Update file
    Apr 11 05:47:33 lenobo vpn: [p:29153 pp:26307]: warning - ConnectIfc.cpp:1009 (0) ConnectIfc::getDownloader Unable to locate downloader
    Apr 11 05:47:33 lenobo vpn: [p:29153 pp:26307]: ConnectMgr.cpp:4443 (0) ConnectMgr :: launchdownloader Successfully downloaded the downloader
    Apr 11 05:47:33 lenobo vpn: [p:29153 pp:26307]: ConnectMgr.cpp:4495 (0) ConnectMgr :: launchdownloader Successfully launched the downloader
    Apr 11 05:47:33 lenobo vpn: [p:29153 pp:26307]: error - ConnectMgr.cpp:4512 (2) ProcessApi :: WaitForProcess Downloader terminated abnormally



    I've tried using 2.3.0185 and 0254


    Any ideas?
    Last edited by unk626; April 11th, 2009 at 01:49 PM. Reason: more detail to post

  9. #29
    Join Date
    Nov 2006
    Location
    Montreal
    Beans
    Hidden!

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Sergio, do you have the option to use a Web SSL? Does that work for you?

    I had a similar problem not too long ago. What happened was that the company changed the Anyconnect version on the switch and they provided only the Windows client on their side. The clients that can be downloaded from the switch need to be installed somehow. When I tried to use the command line VPN I saw messages just like yours. When I logged in to the Web SSL VPN and tried to download the client from there it became very obvious that the Linux client was missing on the switch.
    Last edited by wanchai; April 11th, 2009 at 05:47 PM.

  10. #30
    Join Date
    Jul 2008
    Beans
    64

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Wanchai is correct. In addition to installing the AnyConnect client on your computer, a similar version needs to be installed on the Cisco ASA box. When you connect via Web SSL and the AnyConnect client is not available for download, then it is not installed on the Cisco ASA. I found out the hard way when I tested a new version of AnyConnect on my computer before installing on the ASA.

    casevh
