Posted on 03-24-2022 12:14 AM
Hi everyone,
We are using Cisco AnyConnect with MFA for our VPN. This worked fine until the upgrade to Monterey 12.3.
All the users who upgraded now get this error: "Authentication failed due to problem verifying server certificate."
I already opened a call with Cisco, but that didn't help a thing. With my basic Wireshark knowledge I found the error of handshake failure (comparing 12.2.1 and 12.3 connection tries).
Did Apple block or discontinue any ciphers or anything? Anyone else seen this issue?
Thanks for your input or ideas.
Posted on 03-24-2022 04:10 AM
I'm on 12.3 and connecting fine (Cisco AnyConnect with MFA). What version of Cisco AnyConnect are you on? (I'm on 4.10.04071)
Posted on 03-24-2022 04:20 AM
We are using 4.10.05085
Posted on 03-24-2022 04:22 AM
We are testing 12.3 with 4.10.04071 Cisco AnyConnect with Smart Cards. No issues.
Posted on 03-24-2022 04:27 AM
Hi mvu,
SmartCard / certificate on dongle is no issue as well; it's only the MFA which is troubling us. Unfortunately all Mac users are using the MFA gateway.
Posted on 03-24-2022 04:29 AM
Can you downgrade/test an earlier version?
03-24-2022 05:02 AM - edited 03-24-2022 05:03 AM
As I mentioned, this behaviour is only seen after upgrading to 12.3; on 12.2.1 everything works normally with MFA.
But since there is no way to roll back the already upgraded Macs, it's not a solution.
Posted on 03-24-2022 05:16 AM
I think what we are curious about is what happens if you try 4071 and 12.3. Are you able to try using 4071 version of AnyConnect?
Posted on 03-24-2022 05:30 AM
Ah, sorry, my mistake. I just uninstalled 5085 and tried with 4071 after a reboot. Same issue.
I will try to talk to our VPN guys. Looking more into the network trace, I found out that 12.3 is only offering 22 cipher suites to the gateway compared to 27 in 12.2.1; maybe they need to enable something.
Just strange that Cisco says they don't see anything in the gateway logs.
Posted on 03-24-2022 05:38 AM
Do you have Apple Enterprise support? Maybe worth a ticket that way so they're aware of a possible 12.3 issue.
Posted on 03-25-2022 12:52 AM
OK, it was a misconfiguration on the VPN gateway. We now added one of the 22 ciphers Apple is using and it's working again.
Posted on 05-13-2022 12:28 AM
Hello Kinnetik, please can you share the solution? I have been looking for a solution for days and have not found it yet. I am on OS 12.13.1 and AnyConnect client for Mac 4.10.05095.
05-13-2022 05:39 AM - edited 05-13-2022 05:40 AM
We had to add AES256-GCM-SHA384 to the allowed ciphers on the Cisco VPN Gateway; now it's working again.
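Added example, not part of the original thread: the comparison described above (cipher suites offered in the ClientHello before and after the upgrade, checked against the gateway's allowed list) done in code instead of by eye in Wireshark. The function names, the sample ClientHello records and the gateway list are constructed assumptions, not the real macOS offers or the poster's configuration.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for the samples below.
NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",  # OpenSSL: AES256-GCM-SHA384
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def is_grease(code):
    # RFC 8701 placeholders (0x0A0A, 0x1A1A, ...) can never be negotiated.
    return (code & 0x0F0F) == 0x0A0A and (code >> 8) == (code & 0xFF)

def client_hello_suites(record):
    """Return the cipher suite codes offered in a raw TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # skip session_id
    n = int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("truncated or malformed cipher_suites vector")
    codes = struct.unpack_from("!%dH" % (n // 2), record, pos)
    return [c for c in codes if not is_grease(c)]

def compare(old_hello, new_hello, gateway_allowed):
    old, new = client_hello_suites(old_hello), client_hello_suites(new_hello)
    return {
        "dropped_by_client": [c for c in old if c not in new],
        "common_with_gateway": [c for c in new if c in gateway_allowed],
        "candidates_to_enable": [c for c in new if c not in gateway_allowed],
    }

def build_hello(suites):
    # Constructed test input: a minimal ClientHello with no extensions.
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
    body += struct.pack("!%dH" % len(suites), *suites) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: not the real macOS offers or the poster's gateway list.
OLD = build_hello([0xC030, 0x009D, 0x0035, 0x000A])
NEW = build_hello([0x1A1A, 0xC030, 0x009D])
GATEWAY = {0x0035, 0x000A}

if __name__ == "__main__":
    for key, codes in compare(OLD, NEW, GATEWAY).items():
        print(key, [NAMES.get(c, hex(c)) for c in codes])
```

An empty `common_with_gateway` means the gateway has nothing to select and answers with a handshake failure; the fix reported in this thread corresponds to adding `0x009D` (AES256-GCM-SHA384) to the gateway's allowed list.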
Posted on 05-15-2022 11:09 PM
Please Kinnetik, can you tell me how you added it?
Posted on 05-05-2022 12:17 PM
We have downloaded the newest version 4.10.05085 and it is working fine. Have your network admin log in and download it for you.