Meraki

Community

MX Beta Firmware 16.9 AnyConnect Certificate Warning

mattalley
Getting noticed
‎Jul 25 2021 9:12 AM
‎Jul 25 2021 9:12 AM

MX Beta Firmware 16.9 AnyConnect Certificate Warning

My MX84 upgraded firmware yesterday to 16.9. We are now getting "Untrusted Server Blocked!" warning in AnyConnect.

 

I see that the certificate warning says "Certificate does not match the server name".

 

I have my AnyConnect profile set to allow users to uncheck the "Block connections to untrusted servers", but this is not an ideal experience.

 

Unfortunately I found in the 16.9 release notes that this was expected! 
"Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server."

 

Is this expected to be resolved anytime in the near future? 

 

Should I rollback my firmware to 16.4?
I don't want to rollback, but it is not ideal to have to walk our staff through changing the setting and having to choose "Connect anyway" on the certificate error popup.

0 Kudos
12 Replies 12
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 25 2021 10:07 AM
‎Jul 25 2021 10:07 AM

You should roll back to 16.8. The certificate gets regenerated after you change your dynamic DNS-hostname (to something new and then back to the original name).

*Never* educate your users to accept untrusted certificates or they will also do it when it can kill your company.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
mattalley
Getting noticed
‎Jul 25 2021 10:25 AM
‎Jul 25 2021 10:25 AM

I agree with that.

 

But I when I look at the firmware upgrade it says I came from 16.4. And to be honest I don't remember if that was what I was on. I am not seeing an option to rollback to 16.8. 

 

Do you think I should still roll back?

0 Kudos
mattalley
Getting noticed
‎Jul 25 2021 10:39 AM
‎Jul 25 2021 10:39 AM

Seems like there was another post about this:

https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30...

 

"I rolled-back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it.

 

So, it seems the "solution" to this is to roll-back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed) then changing it back to the previous hostname, which will then get another valid certificate.

 

At this point, 16.9 breaks AnyConnect."

 

What the heck Meraki!?

0 Kudos
JohnT
Getting noticed
‎Jul 25 2021 8:25 PM
‎Jul 25 2021 8:25 PM

16.10 lists this as a known issue.

 

  • Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server.
In response to JohnT
mattalley
Getting noticed
‎Jul 25 2021 8:39 PM
‎Jul 25 2021 8:39 PM

I'll double-check tomorrow, but I'm pretty sure that same bullet point is in the 16.10 release notes.

0 Kudos
In response to mattalley
JohnT
Getting noticed
‎Jul 25 2021 8:56 PM
‎Jul 25 2021 8:56 PM

I think you are right, I missed that.  It looks like it was listed in 16.9 as a known issue.

0 Kudos
In response to mattalley
OVERKILL
Building a reputation
‎Jul 25 2021 10:19 PM
‎Jul 25 2021 10:19 PM

It is now, but I'm not sure it was when 16.9 was released. 

mattalley
Getting noticed
‎Jul 26 2021 7:02 AM
‎Jul 26 2021 7:02 AM

I ended up rolling back to 16.4, as the dashboard only presented that to me as an option.

 

I rolled back and followed Overkill's procedure here: https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30...

 

After that no more cert warning.

 

I have a ticket in with support to get us up to 16.8.

In response to mattalley
OVERKILL
Building a reputation
‎Jul 26 2021 7:12 AM
‎Jul 26 2021 7:12 AM

Yeah, that's my situation, all my MX's that run AnyConnect are on 16.6 or 16.7 now from the roll-back, 16.8 didn't fix anything significant from what I can see over those two releases so I'll probably just leave them there until we get a release that's an improvement. 

0 Kudos
In response to OVERKILL
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 26 2021 1:58 PM
‎Jul 26 2021 1:58 PM

MX 16.10 just got released, and I'm hoping it will have the certificate fix in it.

0 Kudos
In response to PhilipDAth
OVERKILL
Building a reputation
‎Jul 26 2021 2:37 PM
‎Jul 26 2021 2:37 PM

Nope, it's still broken, please see the update in my thread. 

In response to OVERKILL
aviri
New here
‎Oct 13 2021 12:06 AM
‎Oct 13 2021 12:06 AM

MX 16.12 seems to be out. Did not see the cert issue in the release notes any more and the cert seems to get created correctly (had issue with 16.10, now gone after the upgrade). Seems to be issued by "HydrantID Server CA 01", no more self signed.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.