
Thread: Cisco Anyconnect SSL VPN Client Certificate Error

  1. #11
    Join Date
    Aug 2008
    Beans
    35

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Hi,
    I'm using the 32-bit version of 8.04
    I get the same error message if I start the client from the command line.
    I don't have access to the Ubuntu machine right now so I can't post the log output. Will do that as soon as I'm able to.

  2. #12
    Join Date
    Aug 2008
    Beans
    35

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Hi,
    I'm using the 32-bit client. I get the same error message if I run AnyConnect from the command line or the GUI.

    This is the output of my syslog:
    Sep 29 13:41:53 localhost vpnui: warning - i18n/MsgCatalog.cpp:274 (0) MsgCatalog::setCatalog The message catalog <AnyConnect> is corrupt or could not be found.
    Sep 29 13:41:53 localhost vpnui: ClientIfc.cpp:66 (0) vpnapi vpnapi version 2, 1, 0 Initializing.
    Sep 29 13:41:53 localhost vpnui: error - Certificates/NSSCertUtils.cpp:301 (ffffe8a7) NSS_Init
    Sep 29 13:41:53 localhost vpnui: warning - SDI/SDI.cpp:52 (fe2e0001) CRSASecurIDSDI
    Sep 29 13:41:53 localhost vpnui: warning - SDIMgr.cpp:103 (fe2e0001) CSDI::createInstance
    Sep 29 13:41:53 localhost vpnui: ClientIfc.cpp:153 (0) ClientIfc :: attach Client successfully attached.
    Sep 29 13:42:03 localhost vpnui: warning - ProfileMgr.cpp:302 (0) ProfileMgr :: getHostInitSettings Profile settings not available for testsite.test.intra.
    Sep 29 13:42:03 localhost vpnui: warning - ProfileMgr.cpp:302 (0) ProfileMgr :: getHostInitSettings Profile settings not available for testsite.test.intra.
    Sep 29 13:42:03 localhost vpnui: error - Certificates/CollectiveCertStore.cpp:326 (fe210005) CCertStore::Enumerate
    Sep 29 13:42:03 localhost vpnui: warning - Certificates/CertHelper.cpp:442 (fe21000e) CCertStore::Enumerate
    Sep 29 13:42:03 localhost vpnui: error - ApiCert.cpp:113 (fe21000e) CCertStore::Enumerate
    Sep 29 13:42:03 localhost vpnui: ConnectMgr.cpp:363 (0) ConnectMgr :: connect Initiating connection to: testsite.test.intra
    Sep 29 13:42:03 localhost vpnui: error - Certificates/NSSCertStore.cpp:207 (fe220005) CNSSCertificate::Open
    Sep 29 13:42:03 localhost vpnui: error - Certificates/NSSCertStore.cpp:396 (fe220005) OpenCertificate
    Sep 29 13:42:03 localhost vpnui: warning - Certificates/CertHelper.cpp:131 (fe220005) CCertStore::VerifyServerCertificate
    Sep 29 13:42:03 localhost vpnui: error - ConnectIfc.cpp:551 (fe000022) SendRequestToPeer
    Sep 29 13:42:03 localhost vpnui: error - ConnectMgr.cpp:449 (fe000022) ConnectIfc::connect
    Sep 29 13:42:03 localhost vpnui: error - ConnectMgr.cpp:586 (0) ConnectMgr :: processIfcData Unrecognized content type (Unknown) received.
    Sep 29 13:42:03 localhost vpnui: error - ConnectMgr.cpp:607 (0) ConnectMgr :: processIfcData Unable to process response from testsite.test.intra.
    Sep 29 13:42:03 localhost vpnui: ConnectMgr.cpp:626 (0) ConnectMgr :: processIfcData Connection attempt has failed due to server certificate problem.


    Any ideas?

  3. #13
    Join Date
    Jul 2008
    Beans
    64

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    First, let's double-check that vpnagentd is running. It should be listed in the output from "ps -ef | grep vpn". If not, start it with "sudo /etc/init.d/vpnagentd_init start"

    The AnyConnect client depends on several libraries distributed by Firefox. The following list of libraries must exist on your system:

    libnss3.so
    libplc4.so
    libnspr4.so
    libsmime3.so
    libsoftokn3.so
    libnssdbm3.so
    libfreebl3.so
    libnssutil3.so
    libplds4.so
    libsqlite3.so

    Some of these files may have a slightly different name so you will need to create a symbolic link for the names the client is looking for.

    If that doesn't help, it gets difficult. You'll need to use the command line version but run it using the strace utility. That will output all the operating system calls. Then look for the last series of "not found" messages to see what file it is missing. The command is:

    strace /opt/cisco/vpn/bin/vpn connect server_name 2>/tmp/debug.txt

    Then look in debug.txt starting from the end and working to the front.

    casevh

  4. #14
    Join Date
    Aug 2008
    Beans
    35

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Hi,
    The vpn service is running and all the files you listed are present.

    I've attached the output of the strace. It seems like there's a lot of "not founds" in the output file.
    I think my problem will be solved if I create symbolic links from wherever the AnyConnect thinks the files are located to where they actually are, no?

    For example:
    The file libnssdbm3.so is located at /usr/lib/nss/ but AnyConnect is looking for it at /lib/i686/sse2/cmov/. So a ln -s /usr/lib/nss/libnssdbm3.so /lib/i686/sse2/cmov/ should solve it, right?

  5. #15
    Join Date
    Jul 2008
    Beans
    64

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    "not founds" are fairly common. What you need to verify is that each file is eventually found. Typically, several directories are searched before the file is found.

    On a 64-bit platform, I've needed to resort to a brute force approach. The AnyConnect client appears to always look in either /opt/cisco/vpn/lib or /usr/local/firefox first. So on 64-bit machines, I've downloaded the firefox binary from mozilla.com, untarred it and placed it in /usr/local/firefox, and then created symbolic links in /opt/cisco/vpn/lib for a few of the files. See a prior post for the names of the files.

    What version of the client are you using? I'm currently using 2.2.0136. If you are using an older version, it may not support Firefox 3.0. (Just a guess.)

    casevh
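
Added example (not part of any post in this thread): the check described above, that each library is eventually found after several directories are searched, automated over the strace log. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: list shared libraries that a strace log shows were searched
# for but never opened successfully in any directory.

unresolved_libs() {  # $1 = strace output file (e.g. /tmp/debug.txt)
    awk '
    /open(at)?\(/ && match($0, /"[^"]*"/) {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        # keep only shared objects: name.so, name.so.1d, name.so.0.9.8
        if (path !~ /\.so(\.[0-9]+[a-z]*)*$/) next
        n = split(path, parts, "/")
        lib = parts[n]
        if ($0 ~ /= -1 ENOENT/)     misses[lib]++       # one failed lookup
        else if ($0 ~ /= [0-9]+$/)  found[lib] = path   # got a file descriptor
    }
    END {
        for (lib in misses)
            if (!(lib in found))
                printf "%s never found (%d failed lookups)\n", lib, misses[lib]
    }' "$1" | sort
}

# Constructed sample in the output format of strace; paths are illustrative.
sample_trace() {
    cat <<'EOF'
open("/opt/cisco/vpn/lib/libnss3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/firefox/libnss3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss3.so", O_RDONLY) = 3
open("/opt/cisco/vpn/lib/libnssdbm3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse2/cmov/libnssdbm3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/local/firefox/libsoftokn3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Run against a real log when a path is given: sh script.sh /tmp/debug.txt
[ $# -eq 0 ] || unresolved_libs "$1"
```

A library that appears in this report was looked up in every search directory and missed in all of them; libraries with misses followed by a successful open are not listed.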

  6. #16
    Join Date
    Aug 2008
    Beans
    35

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I'm using version 2.1. I would love to get my hands on 2.2 for Linux but Cisco do not appear to be very keen on giving their software away. I guess you need a partner account at cisco.com to access the latest version.

  7. #17
    Join Date
    Nov 2006
    Beans
    10

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Just wanted to say casevh's instructions worked for me on 64-bit Hardy.
    • I installed the latest AnyConnect client (v.2.2).
    • Installed latest Firefox3 from http://www.mozilla.com/en-US/firefox/
    • Copied the Firefox install directory to /usr/local/firefox.
    • Created the links, as indicated by casevh.


    Now the pesky server certificate error went away. Instead, I was prompted to acknowledge the self-signed cert presented by my ASA firewall. Now I'm successfully connected to my network via SSLVPN.

    Thanks!
    - Jericho

  8. #18
    Join Date
    Nov 2007
    Beans
    2

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I'm running Intrepid 64-bit. I just wanted to note that you don't need Firefox 32-bit to get this to work. The libraries that casevh lists can also be found in the 32-bit Intrepid repos.

    The debs that I got the 32-bit libs from were:
    libnspr4-0d
    libnss3-1d
    libsqlite3-0

    (Note: I'm using AnyConnect version 2.2.0140)

    This list of files that need symlinks in the /usr/local/firefox directory could probably be pared down if someone gets the time. I haven't got around to it yet.

  9. #19
    Join Date
    Apr 2007
    Beans
    10

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    I downloaded the 32-bit libraries from the debs from:

    http://packages.ubuntu.com/intrepid/...r4-0d/download
    http://packages.ubuntu.com/intrepid/...s3-1d/download
    http://packages.ubuntu.com/intrepid/...te3-0/download

    # decompress
    Code:
    for deb in *.deb ; do dpkg -x "$deb" /tmp/cisco ; done
    # find and copy libraries
    Code:
    mkdir -p /usr/local/firefox
    for lib in libnssutil3.so libplc4.so libplds4.so libnspr4.so libsqlite3.so libnssdbm3.so libfreebl3.so libnspr4.so.0d libnss3.so.1d libplc4.so.0d libsmime3.so.1d ; do find /tmp/cisco -name "$lib" -exec cp '{}' /usr/local/firefox \; ; done
    Code:
    /usr/local/firefox# file *
    libfreebl3.so:   ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnspr4.so:     ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnspr4.so.0d:  ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnss3.so.1d:   ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnssdbm3.so:   ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnssutil3.so:  ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libplc4.so:      ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libplc4.so.0d:   ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libplds4.so:     ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libsmime3.so.1d: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    Installing and running 2.2.0140 produces the continual certificate error with an OK button that doesn't do anything, 2.3.0142 (BETA) produces a pop-up that allows you to hit accept but it keeps coming back.

    Ubuntu Intrepid 8.10 amd64, recent install.

    strace output attached.

  10. #20
    Join Date
    Apr 2007
    Beans
    10

    Re: Cisco Anyconnect SSL VPN Client Certificate Error

    Also tried:

    Code:
    tar -xvjf firefox-3.0.4.tar.bz2 -C /usr/local
    cd /opt/cisco/vpn/lib
    for lib in libnssutil3.so libplc4.so libplds4.so libnspr4.so libsqlite3.so libnssdbm3.so libfreebl3.so ; do ln -s "/usr/local/firefox/$lib" "$lib" ; done
    file -L *
    libcrypto.so.0.9.8: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped
    libfreebl3.so:      ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnspr4.so:        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnssdbm3.so:      ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libnssutil3.so:     ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libplc4.so:         ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libplds4.so:        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libsqlite3.so:      ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    libssl.so.0.9.8:    ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped
    2.2.0140 produces the same certificate error. Debug.txt attached from this run.
    This produces
