Yes, the issue was fixed in 16.11.    Of note, 16.12 has some significant improvements, including VPN throughput that makes it a worthwhile upgrade. ... View more

You lucked out, the certificate issue is a known bug with 16.9/16.10 per the release notes. Disabling it/re-enabling it did not help with my units.   ... View more

I had to roll the two I upgraded back to 16.7 because 16.9 broke the certificate.  ... View more

I had this issue on an MX84, or one that sounds the same where the clients could not authenticate and it would have to be restarted if I wanted to immediately resolve it, otherwise, it seemed to start working again on its own if I let it sit. It was only one of my MX84's that had this issue, but it happens to be the one with the most VPN clients. Touch-wood, the issue went away when I upgraded to 16.7 on that one. What release are you on?  ... View more

You are quite welcome.    May be worth reaching out to support to see what's going on, perhaps the certificate issue isn't the only thing messed up with AnyConnect in 16.9 and 16.10.  ... View more

Nope, it's still broken, please see the update in my thread.  ... View more

Yes, that is quite bizarre. This unit was also never enrolled in the closed beta either... Only thing I can think is that this has been on 16.x for quite a while, have you only just started running 16.x?  ... View more

That shot is from this MX64 with Advanced Security running 16.9: ... View more

Yeah, that's my situation, all my MX's that run AnyConnect are on 16.6 or 16.7 now from the roll-back, 16.8 didn't fix anything significant from what I can see over those two releases so I'll probably just leave them there until we get a release that's an improvement.  ... View more

Once you've installed a 16.x release and the unit has restarted, you should see AnyConnect as a heading under the Client VPN section:   ... View more

If you install 16.x it will work, the problem is that right now, 16.10 still has the broken certificate error, so you'd have to contact support to get 16.8 (which works properly).    I have an MX64 at home that AnyConnect can be enabled on (but I don't use it).  ... View more

Update:   With 16.10 out now, I checked the Release Notes to see what was still broken, it appears this is, along with the VPN performance hit that appeared in 16.4, so I guess I"m skipping this one.  ... View more

It is now, but I'm not sure it was when 16.9 was released.  ... View more

I performed what was indicated by @KarstenI on the MX I rolled back to 16.7 and it worked in terms of creating a valid certificate again.    I forwarded this thread to the guy I was speaking with on the ticket, but I haven't heard anything back yet, but at least the error is gone.  ... View more

OK thanks. I'll try that after hours on them if we don't get this resolved today.  ... View more

Have you tried this with 16.9? I ask because, as per the separate thread I made on this, I can't even get AnyConnect to come up or resolve on another MX I have that I upgraded. I feel this may be a bigger issue on the certificate issuing and hostname integration side of things. I've opened a ticket about it.  ... View more

Adding to this, I enabled AnyConnect on a unit that normally doesn't have it running (my personal MX) that I also upgraded to 16.9 and the service doesn't seem to be coming up (it's been about 20 minutes).    Checking the event log, I see no mention of AnyConnect starting, rather, I'm seeing these suppressed log message notifications:   ... View more

Just note that rolling back to 16.7 on one of the devices didn't fix the issue, it has a self-signed cert again.  ... View more

Yep, I upgraded two sites last night and now I'm getting this as well. @Bsalami may be able to get this resolved quickly I'm hoping.    My sites were running 16.6 and 16.7 respectively.    It appears it shifted from an an external CA-issued cert to a self-signed one.   This is what we get now: Unit running 16.9   This is from a unit running 16.7: Unit running 16.7 ... View more

This.    Under Security and SD-WAN -> Site-to-Site VPN -> VPN Settings -> Local Networks   Ensure that the networks you want accessible over the VPN are selected. ... View more

There was indeed just a single uplink to the MX84 at the time of the issue. I connected the 2960 to the MX84 on a separate port just to test, it made no difference. It would pass VLAN2 traffic on the switches that it wouldn't pass VLAN1 traffic on, which was the most interesting bit.    The MX84 has been running without issue for about a year.    I'm pulling the Cisco SB switch as they are changing software vendors. I'm putting in a stack of 2960's for the main LAN, VLAN2 will most likely stay on an HP but we'll see what port utilization looks like after the 3x 2960's are installed.    All the HPE switches are using 802.1D, not RSTP (802.1W).   I unfortunately don't have access to the configuration on the Cisco SB switch, since it was vendor provided. That's another reason I'm inclined to punt it once they are out of the picture.   ... View more

Yeah, I was on the on AnyConnect beta, so I'm familiar with the 16.x series, it's just amusing that the "stable" train had this issue, as it should be the most mature code.    I have two MX84's on 16.4 now. Had an interesting issue with cloud auth not working for a few hours (that self-rectified) on 16.3 at one site. Never experienced it elsewhere.    Bumping it to the 15.x series definitely sounds like a worthwhile endeavour. I'm going to take the opportunity to swap out the HP switches for a stack of 2960 ones, so will likely do the code bump at the same time.  ... View more

Yes, that's all it took, just restarting the MX84.  ... View more