MX 16.9 breaks AnyConnect certificate

SOLVED
OVERKILL
Getting noticed

This was mentioned in the official release thread for 16.9 but I think it warrants its own thread. 

 

I upgraded two MX84s running 16.7 to 16.9 last night; both are now throwing certificate errors to the clients.

 

This is what we were getting before the upgrade:

[Image: MX running 16.7 software]

 

And this is what both units are throwing this AM:

[Image: MX running 16.9 software]

 

I rolled back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it.

1 ACCEPTED SOLUTION

OVERKILL
Getting noticed

Re: MX 16.9 breaks AnyConnect certificate

So, it seems the "solution" to this is to roll back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed), then change it back to the previous hostname, which will then get another valid certificate.

 

At this point, 16.9 breaks AnyConnect. 
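
The check described in the accepted solution (load the hostname until it shows a valid certificate that isn't self-signed) can be scripted. This is an added example, not part of the original post or of Meraki's tooling; it assumes the appliance answers TLS on port 443, and the function names are illustrative.

```python
import socket
import ssl
import sys
import time

# OpenSSL verify codes: 18 = self-signed leaf, 19 = self-signed cert in chain,
# 62 = certificate does not match the requested hostname.
SELF_SIGNED = {18, 19}
HOSTNAME_MISMATCH = 62

def classify(verify_code):
    """Map an OpenSSL verify code (0 means the chain validated) to a status."""
    if verify_code == 0:
        return "trusted"
    if verify_code in SELF_SIGNED:
        return "self-signed"
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    return "untrusted"

def check_host(hostname, port=443, timeout=5.0):
    """Attempt a fully verified TLS handshake, as a browser or VPN client would."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"status": classify(0), "detail": "expires " + cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"status": classify(exc.verify_code), "detail": exc.verify_message}
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return {"status": "unreachable", "detail": str(exc)}

def wait_until_trusted(hostname, attempts=30, delay=60.0, check=check_host, sleep=time.sleep):
    """Poll until the certificate validates; return the attempt number, else None."""
    for n in range(1, attempts + 1):
        result = check(hostname)
        print(f"[{n}/{attempts}] {hostname}: {result['status']} ({result['detail']})")
        if result["status"] == "trusted":
            return n
        if n < attempts:
            sleep(delay)
    return None

if __name__ == "__main__":
    if len(sys.argv) != 2:  # the appliance hostname is supplied by the operator
        sys.exit("usage: check_cert.py <appliance-hostname>")
    sys.exit(0 if wait_until_trusted(sys.argv[1]) else 1)
```

Run it once against the temporary hostname after the rename, and again after changing the name back; a `self-signed` status means clients will still see the warning.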


3 REPLIES 3
OVERKILL
Getting noticed

Re: MX 16.9 breaks AnyConnect certificate

Adding to this, I enabled AnyConnect on a unit that normally doesn't have it running (my personal MX) that I also upgraded to 16.9 and the service doesn't seem to be coming up (it's been about 20 minutes). 

 

Checking the event log, I see no mention of AnyConnect starting, rather, I'm seeing these suppressed log message notifications:

 

[Image: Screen Shot 2021-07-15 at 9.22.38 AM.png]

OVERKILL
Getting noticed

Re: MX 16.9 breaks AnyConnect certificate

Update:

 

With 16.10 out now, I checked the Release Notes to see what was still broken; it appears this is, along with the VPN performance hit that appeared in 16.4, so I guess I'm skipping this one.

[Image: Screen Shot 2021-07-26 at 1.16.39 AM.png]
