MX 16.9 breaks AnyConnect certificate

SOLVED
OVERKILL
Building a reputation

This was mentioned in the official release thread for 16.9 but I think it warrants its own thread. 

 

I upgraded two MX84's running 16.7 to 16.9 last night, both are now throwing certificate errors to the clients. 

 

This is what we were getting before the upgrade:

[Screenshot: MX running 16.7 software]

 

And this is what both units are throwing this AM:

[Screenshot: MX running 16.9 software]

 

I rolled back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it.

1 ACCEPTED SOLUTION
OVERKILL

So, it seems the "solution" to this is to roll back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed), then change it back to the previous hostname, which will then get another valid certificate.

 

At this point, 16.9 breaks AnyConnect. 
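
The wait-and-check step from the accepted solution, scripted instead of refreshing a browser. This is an added example, not part of the original thread or any Meraki tooling; the hostname comes from the command line, and port 443 and the 60-second poll interval are assumptions.

```python
import socket
import ssl
import sys
import time

# OpenSSL verify codes for a self-signed leaf (18) or self-signed cert in chain (19).
SELF_SIGNED_CODES = {18, 19}


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Verified TLS handshake (chain + hostname); port 443 is an assumption."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def common_name(rdns):
    """Pull commonName out of getpeercert()'s nested issuer/subject tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)


def check_certificate(hostname, fetch=fetch_peer_cert):
    """Return (status, detail); status is valid, self-signed, invalid or unreachable."""
    try:
        cert = fetch(hostname)
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code in SELF_SIGNED_CODES:
            return "self-signed", exc.verify_message
        return "invalid", exc.verify_message  # expired, name mismatch, unknown CA
    except OSError as exc:  # DNS not updated yet, connection refused, timeout
        return "unreachable", str(exc)
    # Guard against a self-signed cert that was added to the local trust store.
    if cert.get("issuer") == cert.get("subject"):
        return "self-signed", "issuer equals subject"
    return "valid", common_name(cert["issuer"])


if __name__ == "__main__":
    # Poll until the device serves a certificate that validates and is not self-signed.
    while True:
        status, detail = check_certificate(sys.argv[1])
        print(time.strftime("%H:%M:%S"), status, detail)
        if status == "valid":
            break
        time.sleep(60)  # assumed poll interval
```

The `fetch` parameter exists so the classification can be exercised without a network connection; in normal use leave it at its default.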


5 REPLIES
OVERKILL

Adding to this, I enabled AnyConnect on a unit that normally doesn't have it running (my personal MX) that I also upgraded to 16.9 and the service doesn't seem to be coming up (it's been about 20 minutes). 

 

Checking the event log, I see no mention of AnyConnect starting, rather, I'm seeing these suppressed log message notifications:

 

[Screenshot: Screen Shot 2021-07-15 at 9.22.38 AM.png]


OVERKILL

Update:

 

With 16.10 out now, I checked the Release Notes to see what was still broken; it appears this is, along with the VPN performance hit that appeared in 16.4, so I guess I'm skipping this one.

[Screenshot: Screen Shot 2021-07-26 at 1.16.39 AM.png]

MX 16.12 seems to be out. Did not see the cert issue in the release notes any more and the cert seems to get created correctly (had issue with 16.10, now gone after the upgrade). Seems to be issued by "HydrantID Server CA 01", no more self-signed.

OVERKILL

Yes, the issue was fixed in 16.11. 

 

Of note, 16.12 has some significant improvements, including VPN throughput that makes it a worthwhile upgrade.
