Sudden untrusted server blocked error message with AnyConnect clients

SOLVED
lmorel
Getting noticed


Hello everyone!


Two of my users just reported they get the following error message when using AnyConnect and connecting using the default appliance hostname as we have done for over a year now without issues. What could create this? Meraki cloud issue and/or certificate issue on Meraki's side?


Running MX 16.16 on MX250.


[Screenshot: the AnyConnect "untrusted server blocked" error dialog]



8 REPLIES
alemabrahao
Kind of a big deal

Click on Change settings on AnyConnect to allow untrusted servers.

lmorel
Getting noticed

I apologize, I should have mentioned we did this already. I'm more worried about certificate and/or DNS issues. We use SAML as well for AnyConnect authentication.

alemabrahao
Kind of a big deal

I'm pretty sure if you disable it the message will no longer show up. Try with just the IP address.

lmorel
Getting noticed

Thank you for the tip! The Meraki certificate for that appliance is expired, so it won't work even if I use the IP. I suspect SAML authentication and possibly other things break at that point.

PhilipDAth
Kind of a big deal

Some things you could try:

  • Make sure you run the current stable firmware (or newer). I recall there was a certificate renewal bug in the past.
  • Try turning AnyConnect off and then back on again (on the MX) to try and trigger a certificate renewal.

After doing the above, wait 10 minutes. If the issue is still happening, open a support case and get them to trigger a certificate renewal.

lmorel
Getting noticed

Thank you Phil! I created a case by calling them. I was an hour on the phone and the agent was trying to figure out if the certificate was expired. He also escalated the issue internally. He asked me to upgrade tonight to the latest firmware to force the certificate recreation.

I also used my AnyConnect Android app to clearly show me the details of when the certificate expired (last night) and was not automatically renewed. I asked them via email to see if they can generate a new/valid certificate before tonight; I cannot work on that MX until late tonight or users will come out with pitchforks and torches.

lmorel
Getting noticed

Thank you Philip! I turned off AnyConnect, then waited 30 min or so (busy with something else), then turned it back on. Fixed it.

I rebooted the MX first with the 16.16 firmware. That didn't fix it (the certificate was still expired). I did not upgrade the firmware to the latest either. I also asked if support could manually renew the certificate and they said no (or didn't want to).

PhilipDAth
Kind of a big deal

Support can trigger a certificate renewal - but it is a rare thing to do, so they probably just hadn't done it before.
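A monitoring check that would surface this before users do, as an added example that is not from this thread or from Meraki: it handshakes with the appliance hostname using full certificate verification, the way the AnyConnect client does, and reports either the days left on the certificate or the verification failure (an expired certificate fails the handshake, which is the condition behind the dialog above). The hostname and port 443 are assumptions.

```python
import socket
import ssl
import sys
import time
from dataclasses import dataclass
from typing import Optional

ANYCONNECT_PORT = 443  # assumption: AnyConnect on the MX is served over TLS on 443

@dataclass
class CertStatus:
    state: str                 # "ok", "expiring", "expired" or "error"
    days_left: Optional[float]
    detail: str

def classify_not_after(not_after: str, now: float, warn_days: int = 14) -> CertStatus:
    """Classify a notAfter string in the form ssl.getpeercert() returns it
    ('Dec 14 23:59:59 2022 GMT') against `now` (epoch seconds, UTC)."""
    expires = ssl.cert_time_to_seconds(not_after)
    days_left = (expires - now) / 86400
    if days_left < 0:
        return CertStatus("expired", days_left, f"expired {-days_left:.1f} days ago")
    if days_left < warn_days:
        return CertStatus("expiring", days_left, f"expires in {days_left:.1f} days")
    return CertStatus("ok", days_left, f"expires in {days_left:.1f} days")

def check_vpn_certificate(hostname: str, port: int = ANYCONNECT_PORT,
                          warn_days: int = 14, now: Optional[float] = None) -> CertStatus:
    """Handshake with full verification, as the AnyConnect client does. An expired
    certificate fails verification here (the condition behind the client's untrusted
    server dialog), so the OpenSSL verify reason is reported instead of a date."""
    now = time.time() if now is None else now
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:   # must precede the OSError clause
        state = "expired" if "expired" in exc.verify_message else "error"
        return CertStatus(state, None, exc.verify_message)
    except (OSError, ssl.SSLError) as exc:        # DNS failure, timeout, refused, other TLS errors
        return CertStatus("error", None, str(exc))
    return classify_not_after(cert["notAfter"], now, warn_days)

if __name__ == "__main__":
    # Pass the appliance's default hostname as the first argument (placeholder default).
    target = sys.argv[1] if len(sys.argv) > 1 else "mx-hostname.placeholder.invalid"
    result = check_vpn_certificate(target)
    print(f"{target}: {result.state} ({result.detail})")
```

Run it from cron against the appliance hostname and alert on anything other than "ok"; the "expiring" threshold gives time to toggle AnyConnect or open a case before the certificate lapses.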
