MX Beta Firmware 16.9 AnyConnect Certificate Warning

mattalley
Getting noticed

MX Beta Firmware 16.9 AnyConnect Certificate Warning

My MX84 upgraded firmware yesterday to 16.9. We are now getting "Untrusted Server Blocked!" warning in AnyConnect.

 

I see that the certificate warning says "Certificate does not match the server name".

 

I have my AnyConnect profile set to allow users to uncheck the "Block connections to untrusted servers", but this is not an ideal experience.

 

Unfortunately I found in the 16.9 release notes that this was expected! 
"Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server."

 

Is this expected to be resolved anytime in the near future? 

 

Should I rollback my firmware to 16.4?
I don't want to rollback, but it is not ideal to have to walk our staff through changing the setting and having to choose "Connect anyway" on the certificate error popup.

12 REPLIES 12
KarstenI
Kind of a big deal
Kind of a big deal

You should roll back to 16.8. The certificate gets regenerated after you change your dynamic DNS-hostname (to something new and then back to the original name).

*Never* educate your users to accept untrusted certificates or they will also do it when it can kill your company.

I agree with that.

 

But I when I look at the firmware upgrade it says I came from 16.4. And to be honest I don't remember if that was what I was on. I am not seeing an option to rollback to 16.8. 

 

Do you think I should still roll back?

mattalley
Getting noticed

Seems like there was another post about this:

https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30...

 

"I rolled-back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it.

 

So, it seems the "solution" to this is to roll-back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed) then changing it back to the previous hostname, which will then get another valid certificate.

 

At this point, 16.9 breaks AnyConnect."

 

What the heck Meraki!?

JohnT
Getting noticed

16.10 lists this as a known issue.

 

  • Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server.

I'll double-check tomorrow, but I'm pretty sure that same bullet point is in the 16.10 release notes.

I think you are right, I missed that.  It looks like it was listed in 16.9 as a known issue.

OVERKILL
Building a reputation

It is now, but I'm not sure it was when 16.9 was released. 

mattalley
Getting noticed

I ended up rolling back to 16.4, as the dashboard only presented that to me as an option.

 

I rolled back and followed Overkill's procedure here: https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30...

 

After that no more cert warning.

 

I have a ticket in with support to get us up to 16.8.

OVERKILL
Building a reputation

Yeah, that's my situation, all my MX's that run AnyConnect are on 16.6 or 16.7 now from the roll-back, 16.8 didn't fix anything significant from what I can see over those two releases so I'll probably just leave them there until we get a release that's an improvement. 

PhilipDAth
Kind of a big deal
Kind of a big deal

MX 16.10 just got released, and I'm hoping it will have the certificate fix in it.

OVERKILL
Building a reputation

Nope, it's still broken, please see the update in my thread. 

MX 16.12 seems to be out. Did not see the cert issue in the release notes any more and the cert seems to get created correctly (had issue with 16.10, now gone after the upgrade). Seems to be issued by "HydrantID Server CA 01", no more self signed.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels