MX 16.9 breaks AnyConnect certificate
This was mentioned in the official release thread for 16.9 but I think it warrants its own thread.
I upgraded two MX84s running 16.7 to 16.9 last night; both are now throwing certificate errors to the clients.
This is what we were getting before the upgrade:
And this is what both units are throwing this AM:
I rolled back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it.
So, it seems the "solution" to this is to roll back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed), then change it back to the previous hostname, which will then get another valid certificate.
At this point, 16.9 breaks AnyConnect.
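The check described in the post above (polling the hostname until it serves a certificate that is not self-signed), scripted as an added example that is not part of the original thread. It assumes the `openssl` CLI is installed; the function names, the port 443 default and the 60-second interval are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Requires the openssl CLI.

# fetch_cert HOST OUTFILE [PORT]
# Save the leaf certificate served by HOST (PORT defaults to 443) as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${3:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# cert_kind PEMFILE
# Print "self-signed" when subject and issuer names are identical,
# otherwise "ca-issued". This compares names only; it does not validate
# the chain against a trust store.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$issr" ]; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# wait_for_ca_cert HOST [INTERVAL_SECONDS]
# Poll HOST until it presents a certificate that is not self-signed,
# then print the issuer and expiry so the new certificate can be recorded.
wait_for_ca_cert() {
    host=$1
    tmp=$(mktemp) || return 2
    while :; do
        if fetch_cert "$host" "$tmp" && [ "$(cert_kind "$tmp")" = "ca-issued" ]; then
            openssl x509 -in "$tmp" -noout -issuer -enddate
            rm -f "$tmp"
            return 0
        fi
        sleep "${2:-60}"   # hostname change or certificate not live yet
    done
}

# Usage (hostname is a placeholder):
#   wait_for_ca_cert your-mx-hostname.example
```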
Adding to this, I enabled AnyConnect on a unit that normally doesn't have it running (my personal MX) that I also upgraded to 16.9 and the service doesn't seem to be coming up (it's been about 20 minutes).
Checking the event log, I see no mention of AnyConnect starting, rather, I'm seeing these suppressed log message notifications:
Update:
With 16.10 out now, I checked the Release Notes to see what was still broken; it appears this is, along with the VPN performance hit that appeared in 16.4, so I guess I'm skipping this one.
MX 16.12 seems to be out. Did not see the cert issue in the release notes any more and the cert seems to get created correctly (had the issue with 16.10, now gone after the upgrade). Seems to be issued by "HydrantID Server CA 01", no more self-signed.
Yes, the issue was fixed in 16.11.
Of note, 16.12 has some significant improvements, including VPN throughput that makes it a worthwhile upgrade.