Anyconnect

Good morning, we are using Anyconnect (cisco-secure-client-linux64-5.0.05040) installed on Fedora 38 OS to connect to our company.
We use double authentication + AAA certificate.
Everything was working correctly until an update came out in Fedora (I don’t know which package, since there were many) and we can no longer connect.
We get the error message:
The certificate on the secure gateway is invalid. A VPN connection will not be established.
We tried several solutions, such as reinstalling the client and even the OS, but after updating the OS we can no longer get Anyconnect to work.

Here are some of the logs obtained when trying to connect:

13:38:36 vpnui: Function: sendResponse File: ../../vpn/Api/ConnectMgr.cpp Line: 6600 ConnectMgr::processIfcData failed
13:38:36 vpnui: Function: sendResponse File: ../../vpn/Api/ConnectMgr.cpp Line: 6600 ConnectMgr::processIfcData failed
13:38:36 vpnui: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 4023 Invoked Function: ConnectMgr::initiateTunnel Return Code: -29556727 (0xFE3D0009) Description: CONNECTMGR_ERROR_UNEXPECTED
13:38:36 vpnui: Function: launchCachedDownloader File: ../../vpn/Api/ConnectMgr.cpp Line: 8632 Invoked Function: ConnectMgr::launchCachedDownloader Return Code: 3 (0x00000003) Description: Cached Downloader terminated abnormally
13:38:36 vpndownloader: Function: invokeRun File: ../../vpn/Common/Utility/Thread.cpp Line: 500 Invoked Function: IRunnable::Run Return Code: 3 (0x00000003) Description: unknown
13:38:36 vpndownloader-c: Function: invokeRun File: ../../vpn/Common/Utility/Thread.cpp Line: 500 Invoked Function: IRunnable::Run Return Code: 3 (0x00000003) Description: unknown
13:38:36 vpnagentd: Function: OnTunnelInitiateComplete File: ../../vpn/Agent/CstpProtocol.cpp Line: 1407 Invoked Function: OnTunnelInitiateComplete Return Code: -31588328 (0xFE1E0018) Description: SOCKETTRANSPORT_ERROR_TRANSPORT_TERMINATED:The socket transport's terminate connection function has been invoked. callback
13:38:36 vpnagentd: Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
13:38:36 vpnagentd: Termination reason code 59: Connection attempt failed due to certificate problems.
13:38:36 vpnagentd: Function: processInitiateTunnelComplete File: ../../vpn/Agent/VpnMgr.cpp Line: 6792 Invoked Function: Initiate Tunnel Status Code Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED
13:38:36 vpnagentd: Function: OnTunnelInitiateComplete File: ../../vpn/Agent/TlsTunnelMgr.cpp Line: 1375 Invoked Function: CTlsTunnelMgr::OnTunnelInitiateComplete Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED callback
13:38:36 vpnagentd: Function: OnTunnelInitiateComplete File: ../../vpn/Agent/TunnelStateMgr.cpp Line: 1274 Invoked Function: Initiate tunnel callback status Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED SSL tunnel state 0
13:38:36 vpnagentd: Function: OnTunnelInitiateComplete File: ../../vpn/Agent/CstpProtocol.cpp Line: 1407 Invoked Function: OnTunnelInitiateComplete Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED callback
13:38:36 vpnagentd: Function: OnSocketReadComplete File: ../../vpn/Agent/TlsProtocol.cpp Line: 688 Invoked Function: initialHandshake Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED
13:38:36 vpnagentd: Function: initialHandshake File: ../../vpn/Agent/TlsProtocol.cpp Line: 1006 Invoked Function: SSL_do_handshake Return Code: 337047686 (0x1416F086) Description: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
13:38:36 vpnagentd: A SSL Alert was sent by the client during a write operation.  Severity: fatal Description: certificate unknown
13:38:36 vpnagentd: Function: ServerCertVerifyCB File: ../../vpn/Agent/CertOpenSSLAdapter.cpp Line: 305 Invoked Function: CCertOpenSSLAdapter::verifyServerCertificate Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED
13:38:36 vpnagentd: Function: verifyServerCertificate File: ../../vpn/Agent/CertOpenSSLAdapter.cpp Line: 630 Invoked Function: CCertHelper::VerifyServerCertificate Return Code: -31391730 (0xFE21000E) Description: CERTIFICATE_ERROR_SIGN_VERIFY_FAILED
13:38:36 vpnagentd: Function: externalVerifyCertAsUser File: ../../vpn/Agent/CertOpenSSLAdapter.cpp Line: 464 Invoked Function: ProcessApi::WaitForProcess Return Code: -30736339 (0xFE2B002D) Description: PROCESS_API_ERROR_WAIT_TIMEOUT Failure in waiting for verify_certs, pid: 15362
13:38:36 systemd-coredum: Process 15362 (vpnagentd) of user 1000 dumped core.

Module libpcsclite.so.1 from rpm pcsc-lite-1.9.9-3.fc38.x86_64
Module libcrypto.so.3 from rpm openssl-3.0.9-2.fc38.x86_64
Module libopensc.so.8 from rpm opensc-0.23.0-5.fc38.x86_64
Module opensc-pkcs11.so from rpm opensc-0.23.0-5.fc38.x86_64
Module p11-kit-proxy.so from rpm p11-kit-0.25.0-1.fc38.x86_64
Module libtasn1.so.6 from rpm libtasn1-4.19.0-2.fc38.x86_64
Module libnssckbi.so from rpm p11-kit-0.25.0-1.fc38.x86_64
Module libnss_systemd.so.2 from rpm systemd-253.10-1.fc38.x86_64
Module libnss_sss.so.2 from rpm sssd-2.9.1-1.fc38.x86_64
Module libnspr4.so from rpm nss-3.93.0-1.fc38.x86_64
Module libplds4.so from rpm nss-3.93.0-1.fc38.x86_64
Module libplc4.so from rpm nss-3.93.0-1.fc38.x86_64
Module libblkid.so.1 from rpm util-linux-2.38.1-4.fc38.x86_64
Module liblz4.so.1 from rpm lz4-1.9.4-2.fc38.x86_64
Module libzstd.so.1 from rpm zstd-1.5.5-1.fc38.x86_64
Module libcap.so.2 from rpm libcap-2.48-6.fc38.x86_64
Module libpcre2-8.so.0 from rpm pcre2-10.42-1.fc38.1.x86_64
Module libffi.so.8 from rpm libffi-3.4.4-2.fc38.x86_64
Module libselinux.so.1 from rpm libselinux-3.5-1.fc38.x86_64
Module libmount.so.1 from rpm util-linux-2.38.1-4.fc38.x86_64
Module libgmodule-2.0.so.0 from rpm glib2-2.76.5-2.fc38.x86_64
Module liblzma.so.5 from rpm xz-5.4.1-1.fc38.x86_64
Module libsystemd.so.0 from rpm systemd-253.10-1.fc38.x86_64
Module libglib-2.0.so.0 from rpm glib2-2.76.5-2.fc38.x86_64
Module libgobject-2.0.so.0 from rpm glib2-2.76.5-2.fc38.x86_64
Module libgio-2.0.so.0 from rpm glib2-2.76.5-2.fc38.x86_64
Module libz.so.1 from rpm zlib-1.2.13-3.fc38.x86_64
Module libxml2.so.2 from rpm libxml2-2.10.4-1.fc38.x86_64
Stack trace of thread 15362:
#0  0x00007f762b71422a SECMOD_UnloadModule (libnss3.so + 0x4e22a)
#1  0x00007f762b72fc80 SECMOD_SlotDestroyModule (libnss3.so + 0x69c80)
#2  0x00007f762b7300bf SECMOD_DestroyModuleListElement (libnss3.so + 0x6a0bf)
#3  0x00007f762b730535 SECMOD_DestroyModuleList (libnss3.so + 0x6a535)
#4  0x00007f762b7305bd SECMOD_Shutdown (libnss3.so + 0x6a5bd)
#5  0x00007f762b6e5421 nss_Shutdown (libnss3.so + 0x1f421)
#6  0x00007f762b6e5520 NSS_Shutdown (libnss3.so + 0x1f520)
#7  0x00007f762d87b019 _ZN13CNSSCertUtilsD2Ev (libvpncommoncrypt.so + 0x7b019)
#8  0x00007f762be61c3d __cxa_finalize (libc.so.6 + 0x3fc3d)
#9  0x00007f762d823063 n/a (libvpncommoncrypt.so + 0x23063)
#10 0x00007f762e12f0f2 _dl_call_fini (ld-linux-x86-64.so.2 + 0x10f2)
#11 0x00007f762e132e0e _dl_fini (ld-linux-x86-64.so.2 + 0x4e0e)
#12 0x00007f762be621e6 __run_exit_handlers (libc.so.6 + 0x401e6)
#13 0x00007f762be6232e exit (libc.so.6 + 0x4032e)
#14 0x0000556b5822e101 n/a (vpnagentd + 0x2e101)
#15 0x00007f762be49b8a __libc_start_call_main (libc.so.6 + 0x27b8a)
#16 0x00007f762be49c4b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x27c4b)
#17 0x0000556b5822e2a8 n/a (vpnagentd + 0x2e2a8)
ELF object binary architecture: AMD x86-64

13:38:35 vpnagentd: Function: SetAggAuthCertificateInfo File: ../../vpn/AgentUtilities/vpnparam.cpp Line: 1160 Invoked Function: CCertificateInfoTlv::Assign Return Code: -21889013 (0xFEB2000B) Description: CERTIFICATEINFO_ERROR_NO_DATA:No certificate data was found
13:38:26 dleyna-renderer: Connector 'dbus' not found

This has already been reported in Bugzilla:

We have a build with a candidate fix:

You could try the update and report if it fixes the issue for you, but there are concerns that it introduces a regression (see the Bodhi update for some discussion).

3 Likes

Thank you very much for all the information provided!!
I tried updating to glibc-2.37-6.fc38 (https://bodhi.fedoraproject.org/updates/FEDORA-2023-7f0a294b1a) and it works wonderfully.
Thanks for helping.

Another problem I experience is that when I disconnect from the VPN using Anyconnect I am left without DNS.
Sorry, maybe the topic has already been discussed.

Is this a recent change, too, or has it always been like this?

It has always been like this.
When I connect the VPN it gives me the corporate DNS, and when I disconnect I am left without name resolution.
Connected:

[asalerno@172-15-1-227 ~]$ cat /etc/resolv.conf
domain consejo.local
nameserver 192.168.200.20
nameserver 192.168.200.21
nameserver 127.0.0.53
search consejo.local .
[asalerno@172-15-1-227 ~]$

Disconnected:
[asalerno@172-15-1-227 ~]$ cat /etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search .
[asalerno@172-15-1-227 ~]$

I end up restarting the OS to solve it.

It could be that AnyConnect is breaking your configuration (as expected from Cisco). You should have

ls -l  /etc/resolv.conf
... /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

with or without the VPN, because that is a stub file and all things DNS are handled by resolved, in particular split DNS etc. And this does work with openconnect and a Cisco endpoint. I just don’t know whether your auth is supported by openconnect. It’s worth giving it a try because it is much better integrated into the ecosystem.

1 Like

Dear all, I tried the proposed solution; mine looks like this:
ls -l /etc/resolv.conf
lrwxrwxrwx. 1 root root 37 sep 21 10:25 /etc/resolv.conf → /run/systemd/resolve/stub-resolv.conf
The problem continues and the behavior seems to be the same.
Regarding trying to use openconnect, it is not possible for me since it does not support the authentication proposed by the company.
When I try to use openconnect I get the following error:
“xml response has no auth node openconnect”

Thank you very much.
Faced the same problem on Fedora 38 (WS) / Gnome 44.5 / anyconnect-linux64-4.10.06090. “The certificate on the secure gateway is invalid. A VPN connection will not be established.”
I used the fix glibc-2.37-6.fc38 https://bodhi.fedoraproject.org/updates/FEDORA-2023-7f0a294b1a.
Everything works great. :handshake:

I’ve solved with a NetworkManager dispatcher script:

$ cat /etc/NetworkManager/dispatcher.d/10-vpn-xxxx-down
#!/bin/bash

# NetworkManager passes the interface name and the action (up, down, ...)
IF=$1
ACTION=$2

# Only act when the AnyConnect tunnel device goes down
if [ "$IF" = "cscotun0" ] && [ "$ACTION" = "down" ]
then
  logger -t nm-dispatcher "${CONNECTION_ID} ${ACTION}"
  # Restart resolved so the DNS state AnyConnect left behind is discarded
  systemctl restart systemd-resolved.service
fi

it’s a hack, but it works :wink:

1 Like

Thank you very much, I copied the proposed solution and it worked for me.
Greetings

I find the same problem on FC37 after an update a few days ago. Is there an errata fix for FC37?

Thanks.

uname -a
Linux … 6.5.5-100.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 23 22:53:27 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa | grep glibc
glibc-all-langpacks-2.36-12.fc37.x86_64
glibc-common-2.36-12.fc37.x86_64
glibc-gconv-extra-2.36-12.fc37.x86_64
glibc-langpack-en-2.36-12.fc37.x86_64
glibc-2.36-12.fc37.x86_64
glibc-headers-x86-2.36-12.fc37.noarch
glibc-devel-2.36-12.fc37.x86_64

Just type sudo systemctl restart systemd-resolved after closing the VPN connection in AnyConnect.
The problem is that AnyConnect replaces the /etc/resolv.conf softlink to /run/systemd/resolve/stub-resolv.conf with a file it generates from the current /etc/resolv.conf softlink (and keeps writing the same content into this file every few milliseconds). If you did not set any global parameters in /etc/systemd/resolved.conf, the content of the created /etc/resolv.conf file will be used to update the “Global” configuration section of systemd-resolved. The only way to clear that Global section is a restart of systemd-resolved.
Another serious issue is that if you did not set up your local domain in your router or NM configuration, /run/systemd/resolve/stub-resolv.conf will contain a “search .” line and, as a result, AnyConnect appends ~. to its generated search path (in a “split” connection; “full” is OK). The result is that only hosts from your corporate “search domain list” can be resolved and you will be getting a “recursion” error for all other host names.
I had to write a vpn_post_cconnect.sh which moves the AnyConnect-added configuration from the Global section to its network device and removes both the local domain and ~. from its search path. My post-VPN-connection status now looks like this:

$ resolvectl status
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign

Link 2 (enp6s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2600:4040:5b4c:7800::1
       DNS Servers: 192.168.1.1 2600:4040:5b4c:7800::1
        DNS Domain: sipan.lan
...
Link 10 (cscotun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.27.48.18
       DNS Servers: 172.27.48.18 192.168.141.2
        DNS Domain: corp.vaisala.com extdom.vaisala.com vaisala.com
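As an added example (not a script posted in this thread, and not the vpn_post_cconnect.sh mentioned above), here is a dispatcher script that combines the two approaches discussed: the earlier post's restart of systemd-resolved when cscotun0 goes down, and this post's idea of moving the gateway-supplied DNS settings onto the tunnel link with resolvectl while dropping "." / "~." and the local LAN domain from the search path. It assumes the tunnel device is named cscotun0, that resolvectl and logger are installed, that NetworkManager delivers an "up" event for cscotun0 after AnyConnect has rewritten /etc/resolv.conf (if it fires earlier, run vpn_dns_up by hand after connecting), and that the local domain is passed in the LOCAL_DOMAIN environment variable. The sample resolv.conf inside it is constructed from the "Connected:" output shown earlier in the thread.

```shell
#!/bin/sh
# Added example, not a script from the thread. Parses what AnyConnect wrote
# into /etc/resolv.conf, puts those settings on the tunnel link with
# resolvectl instead of leaving them only in resolved's Global section, and
# on disconnect restores the stub symlink and restarts systemd-resolved.
# Assumptions: tunnel device cscotun0, resolvectl available, installed as a
# NetworkManager dispatcher script (arguments: "<interface> <action>").

VPN_IF="${VPN_IF:-cscotun0}"
STUB="/run/systemd/resolve/stub-resolv.conf"

# Constructed sample, copied from the "Connected:" resolv.conf shown in the
# thread; used to exercise the parsing functions.
sample_resolv_conf() {
    printf '%s\n' \
        'domain consejo.local' \
        'nameserver 192.168.200.20' \
        'nameserver 192.168.200.21' \
        'nameserver 127.0.0.53' \
        'search consejo.local .'
}

# Nameservers from resolv.conf text on stdin, space-separated. The resolved
# stub address (127.0.0.53) is dropped: pointing the tunnel link at the stub
# would make resolved forward queries to itself.
vpn_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.53" { printf "%s%s", (n++ ? " " : ""), $2 }
         END { print "" }'
}

# Search domains from resolv.conf text on stdin, space-separated and
# de-duplicated. "." (which resolved turns into the catch-all "~.") and the
# local LAN domain passed as $1 are removed so only the corporate domains
# land on the tunnel link (split DNS).
vpn_search_domains() {
    awk -v skip="$1" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) {
                d = $i
                if (d == "." || d == "~." || d == skip || (d in seen)) continue
                seen[d] = 1
                out = out (out == "" ? "" : " ") d
            }
        }
        END { print out }'
}

# Print the resolvectl commands for the tunnel link without running them.
# Returns 1 when the input offers no usable nameserver.
vpn_dns_plan() {
    local local_domain="$1" text ns domains
    text=$(cat)
    ns=$(printf '%s\n' "$text" | vpn_nameservers)
    domains=$(printf '%s\n' "$text" | vpn_search_domains "$local_domain")
    if [ -z "$ns" ]; then
        echo "vpn_dns_plan: no usable nameserver in resolv.conf" >&2
        return 1
    fi
    printf 'resolvectl dns %s %s\n' "$VPN_IF" "$ns"
    if [ -n "$domains" ]; then
        printf 'resolvectl domain %s %s\n' "$VPN_IF" "$domains"
    fi
}

# Connect path: run the plan, logging each command to the journal.
vpn_dns_up() {
    local conf="${1:-/etc/resolv.conf}" local_domain="${2:-}" plan cmd
    plan=$(vpn_dns_plan "$local_domain" < "$conf") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        logger -t vpn-dns "$cmd"
        $cmd   # word splitting intended: each line is a complete command
    done
}

# Disconnect path, as in the thread: put the stub symlink back if AnyConnect
# left a plain file, then restart resolved, the only way to clear Global.
vpn_dns_down() {
    [ -L /etc/resolv.conf ] || ln -sf "$STUB" /etc/resolv.conf
    systemctl restart systemd-resolved.service
}

# Dispatcher entry point. With no arguments nothing runs, so the functions
# above can be sourced and checked on their own.
if [ $# -ge 2 ] && [ "$1" = "$VPN_IF" ]; then
    case "$2" in
        up)   vpn_dns_up /etc/resolv.conf "${LOCAL_DOMAIN:-}" ;;
        down) vpn_dns_down ;;
    esac
fi
```

Install it as root under /etc/NetworkManager/dispatcher.d/ with mode 0755, and check the plan first with `sample_resolv_conf | vpn_dns_plan consejo.local` after sourcing the file: on the sample above it prints only a "resolvectl dns cscotun0 192.168.200.20 192.168.200.21" line, because the local domain and "." are filtered out, which is exactly the case the post describes as producing the "recursion" errors.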

Upgrading to glibc-2.37-6.fc38 fixed this problem, but the current glibc is 2.37-10 and this “The certificate on the secure gateway is invalid. …” is back.
If you ended up with 2.37-10, the only option is to downgrade to 2.37-1, because all other versions are removed from the F38 repos.

I’m in a similar boat – I have this problem with the current version of glibc, but downgrading to 2.37-1 solves the issue.

1 Like

Thanks Cody

sudo dnf install glibc-2.37-1.fc38

1 Like

Huge thanks @collinjc for advice. All works.

A better way to make AnyConnect work and still have the updated glibc with the vulnerability fixes is to do this:

Become root and edit /opt/cisco/secureclient/AnyConnectLocalPolicy.xml

Change the line with ExcludeFirefoxNSSCertStore from false to true

1 Like
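As an added example (not from this thread and not a Cisco tool), here is a small script that makes the edit above with a backup and a read-back check instead of editing the XML by hand, so the change can be repeated after a client reinstall. It assumes the element is written on one line as <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore> and tries the install paths under /opt/cisco that appear in this thread; the sample policy file inside it is constructed, with a sibling element included only to show it stays untouched.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: set
# ExcludeFirefoxNSSCertStore to true in AnyConnectLocalPolicy.xml.
# Assumes the element sits on one line in the form
# <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>.

POLICY_PATHS="/opt/cisco/secureclient/AnyConnectLocalPolicy.xml /opt/cisco/anyconnect/AnyConnectLocalPolicy.xml"
ELEMENT="ExcludeFirefoxNSSCertStore"

# Constructed sample policy used for testing; the second element is only
# there to show that the edit leaves everything else alone.
sample_policy_xml() {
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<AnyConnectLocalPolicy>' \
        "  <$ELEMENT>false</$ELEMENT>" \
        '  <ExcludePemFileCertStore>false</ExcludePemFileCertStore>' \
        '</AnyConnectLocalPolicy>'
}

# First existing policy file among the known install paths; fails if none.
find_policy_file() {
    for p in $POLICY_PATHS; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Print the current value of the element, or fail if it is absent.
policy_get_exclude_firefox_nss() {
    local v
    v=$(sed -n "s|.*<$ELEMENT>\([A-Za-z]*\)</$ELEMENT>.*|\1|p" "$1")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Set the element to $2 (default true), keep a .bak copy, and verify by
# reading the value back. The edit goes through a temp file so a failed
# sed leaves the original untouched; the final cat keeps the file's inode,
# owner and mode.
policy_set_exclude_firefox_nss() {
    local f="$1" want="${2:-true}" tmp
    policy_get_exclude_firefox_nss "$f" >/dev/null || {
        echo "no <$ELEMENT> element in $f" >&2
        return 1
    }
    cp -p "$f" "$f.bak"
    tmp=$(mktemp "$f.XXXXXX") || return 1
    sed "s|<$ELEMENT>[A-Za-z]*</$ELEMENT>|<$ELEMENT>$want</$ELEMENT>|" "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rm -f "$tmp"
    [ "$(policy_get_exclude_firefox_nss "$f")" = "$want" ]
}

# Touch the installed policy only when asked explicitly (run as root).
if [ "${1:-}" = "--apply" ]; then
    f=$(find_policy_file) || { echo "AnyConnectLocalPolicy.xml not found" >&2; exit 1; }
    policy_set_exclude_firefox_nss "$f" true && echo "$f: $ELEMENT is now true"
fi
```

Run it as `sudo sh thisscript.sh --apply`; without --apply it only defines the functions. The .bak copy is what you put back if the client later needs the Firefox NSS store again.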

Thanks @mvi57 It works!!!

For KDE Fedora 38 the path is /opt/cisco/anyconnect