Meraki

Community

MX 16.9 breaks AnyConnect certificate

Solved
OVERKILL
Building a reputation
‎Jul 15 2021 6:05 AM
‎Jul 15 2021 6:05 AM

MX 16.9 breaks AnyConnect certificate

This was mentioned in the official release thread for 16.9 but I think it warrants its own thread. 

 

I upgraded two MX84's running 16.7 to 16.9 last night, both are now throwing certificate errors to the clients. 

 

This is what we were getting before the upgrade:

MX running 16.7 softwareMX running 16.7 software

 

And this is what both units are throwing this AM:

MX running 16.9 softwareMX running 16.9 software

 

I rolled-back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it. 

1 Accepted Solution
In response to OVERKILL
OVERKILL
Building a reputation
‎Jul 18 2021 8:54 PM
‎Jul 18 2021 8:54 PM

So, it seems the "solution" to this is to roll-back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed) then changing it back to the previous hostname, which will then get another valid certificate. 

 

At this point, 16.9 breaks AnyConnect. 

View solution in original post

5 Replies 5
OVERKILL
Building a reputation
‎Jul 15 2021 6:24 AM
‎Jul 15 2021 6:24 AM

Adding to this, I enabled AnyConnect on a unit that normally doesn't have it running (my personal MX) that I also upgraded to 16.9 and the service doesn't seem to be coming up (it's been about 20 minutes). 

 

Checking the event log, I see no mention of AnyConnect starting, rather, I'm seeing these suppressed log message notifications:

 

Screen Shot 2021-07-15 at 9.22.38 AM.png

0 Kudos
In response to OVERKILL
OVERKILL
Building a reputation
‎Jul 18 2021 8:54 PM
‎Jul 18 2021 8:54 PM

So, it seems the "solution" to this is to roll-back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed) then changing it back to the previous hostname, which will then get another valid certificate. 

 

At this point, 16.9 breaks AnyConnect. 

OVERKILL
Building a reputation
‎Jul 25 2021 10:22 PM
‎Jul 25 2021 10:22 PM

Update:

 

With 16.10 out now, I checked the Release Notes to see what was still broken, it appears this is, along with the VPN performance hit that appeared in 16.4, so I guess I"m skipping this one. 

Screen Shot 2021-07-26 at 1.16.39 AM.png

0 Kudos
In response to OVERKILL
aviri
New here
‎Oct 13 2021 12:05 AM
‎Oct 13 2021 12:05 AM

MX 16.12 seems to be out. Did not see the cert issue in the release notes any more and the cert seems to get created correctly (had issue with 16.10, now gone after the upgrade). Seems to be issued by "HydrantID Server CA 01", no more self signed.

0 Kudos
In response to aviri
OVERKILL
Building a reputation
‎Oct 13 2021 6:48 AM
‎Oct 13 2021 6:48 AM

Yes, the issue was fixed in 16.11. 

 

Of note, 16.12 has some significant improvements, including VPN throughput that makes it a worthwhile upgrade.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.