AnyConnect, Catalina, Posture, and the untrusted policy server

danielgrm
New Contributor III

We have a few Macs in our environment that are currently upgraded to 10.15 Catalina. Ever since that moment Cisco AnyConnect no longer connects, it just says untrusted policy server. It connects to the server, but then I get no network connections.

We have upgraded to the latest AnyConnect client release, 4.8, which appears to be the supported version on Catalina. I also went ahead and made sure I had the proper whitelisted KEXT profiles. There were a few hacks I tried that I found on Google, but I am stumped. My network team doesn't know Macs so I am a bit on my own. Has anyone run into this?

Thanks!

Dan


thoule
Valued Contributor II

Sounds like the 825 day cert rule. The CA/B Forum set new rules on certificates a year or two ago. They can have an expiry date over 825 days from their issue date. Also requires the SAN to contain the FQDN. https://www.ssl.com/blogs/ssl-certificate-maximum-duration-825-days/

Your certificate provider needs to issue a new cert for your AnyConnect server. Currently, macOS is the only platform to enforce these rules.

jwojda
Valued Contributor II

@danielgrm I have a similar problem, though not everybody does at my company. Where do you see the error about the untrusted policy server so I can double check?

@thoule is there any way to view that cert expiration remotely?
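An added example, not posted by anyone in this thread and not Cisco's or Apple's code, that checks the two rules thoule describes (a validity period of no more than 825 days, and a SAN dNSName matching the FQDN) and answers jwojda's question about viewing the expiry remotely. It uses only the Python standard library: `fetch_peer_cert` opens a TLS connection and returns the certificate as the dict that `ssl.SSLSocket.getpeercert()` produces, and `check_cert` evaluates that dict. The host name `vpn.example.com` and the two sample certificate dicts are constructed for illustration.

```python
# Added example (not from the thread): check an AnyConnect (or any TLS) server
# certificate against the 825-day lifetime limit and the SAN/FQDN rule.
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 825  # maximum validity period discussed in the thread


def fetch_peer_cert(host, port=443, timeout=10):
    """Connect to host:port over TLS and return the peer certificate as the
    dict produced by ssl.SSLSocket.getpeercert(). Chain verification stays
    on: an untrusted chain raises ssl.SSLCertVerificationError, which is
    itself a useful finding. Nothing is sent after the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern, fqdn):
    """Case-insensitive match of one SAN dNSName against a host name. A
    leading '*' label matches exactly one label (RFC 6125 style), so
    '*.example.com' matches 'vpn.example.com' but not 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    pattern_labels = pattern.split(".")[1:]
    fqdn_labels = fqdn.split(".")
    return (len(fqdn_labels) == len(pattern_labels) + 1
            and fqdn_labels[1:] == pattern_labels)


def check_cert(cert, fqdn):
    """Evaluate a getpeercert()-style dict against both rules and return the
    lifetime in days, the SAN DNS names, and pass/fail flags for each rule."""
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format
    # that getpeercert() uses for notBefore/notAfter.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime_days = (not_after - not_before) / 86400
    san_dns = [value for kind, value in cert.get("subjectAltName", ())
               if kind == "DNS"]
    return {
        "not_after": datetime.fromtimestamp(not_after, timezone.utc).isoformat(),
        "lifetime_days": lifetime_days,
        "lifetime_ok": lifetime_days <= MAX_LIFETIME_DAYS,
        "san_dns": san_dns,
        "san_ok": any(san_matches(name, fqdn) for name in san_dns),
    }


# Constructed sample dicts in the shape getpeercert() returns (not real certs).
# A three-year certificate: expiry is far off, but the lifetime exceeds 825 days.
SAMPLE_LONG_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Dec 31 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
# A two-year certificate with a wildcard SAN: passes both rules.
SAMPLE_OK_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "notBefore": "Mar  1 00:00:00 2020 GMT",
    "notAfter": "Mar  1 00:00:00 2022 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}


def report(cert, fqdn):
    """One-line summary suitable for a quick remote check."""
    r = check_cert(cert, fqdn)
    return (f"{fqdn}: expires {r['not_after']}, lifetime {r['lifetime_days']:.0f} days "
            f"({'ok' if r['lifetime_ok'] else 'over ' + str(MAX_LIFETIME_DAYS)}), "
            f"SAN {r['san_dns']} ({'matches' if r['san_ok'] else 'no match'})")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a live server use
    # report(fetch_peer_cert("vpn.example.com"), "vpn.example.com").
    print(report(SAMPLE_LONG_CERT, "vpn.example.com"))
    print(report(SAMPLE_OK_CERT, "vpn.example.com"))
```

The distinction the check makes is the one that matters here: a certificate can be nowhere near expiry and still be rejected, because the rule is about the total issue-to-expiry span, not how much of it is left.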

danielgrm
New Contributor III

@thoule Talked with our network guys, it's not set to expire until early next year. I think that should be good. Though he is asking the team if they heard of this.

@jwojda I get the error as soon as I connect to VPN. It says untrusted policy server. Then I cannot connect to a thing. I was wondering if it was something from the previous installers, but I obliterated those. It also happens across all local profiles.