Cisco AnyConnect broken after update to Monterey 12.3

kinnetik
New Contributor II

Hi everyone,

we are using Cisco AnyConnect with MFA for our VPN, this worked fine until the upgrade to Monterey 12.3

All the Users who upgraded now get this error "Authentication failed due to problem verifying server certificate."

I already opened a Call with Cisco but that didn't help a thing. With my basic Wireshark knowledge I found the error of Handshake failure (comparing 12.2.1 and 12.3. connection tries) 

Did Apple block or discontinue any Ciphers or anything ? Anyone else seen this Issue ?

Thanks for your input or ideas.

14 REPLIES 14

vagabon
New Contributor III

I'm on 12.3 and connecting fine (Cisco AnyConnect with MFA). What version of Cisco AnyConnect are you on? (I'm on 4.10.04071)

kinnetik
New Contributor II

We are using 4.10.05085

obi-k
Valued Contributor III

We are testing 12.3 with 4.10.04071 CiscoAny Connect with Smart Cards. No issues.

kinnetik
New Contributor II

Hi mvu,

SmartCard / Certificate on Dongle is no issue as well, its only the MFA which is troubling us. Unfortunately all Mac Users are using the MFA Gateway

obi-k
Valued Contributor III

Can you downgrade/test an earlier version?

kinnetik
New Contributor II

As I mentioned this behaviour is only seen after upgrading to 12.3, on 12.2.1. everything works normal with MFA.

But since there is no way to rollback the already upgraded Macs its not a solution.

vagabon
New Contributor III

I think what we are curious about is what happens if you try 4071 and 12.3. Are you able to try using 4071 version of AnyConnect?

kinnetik
New Contributor II

Ah, sorry my mistake. I just uninstalled 5085 and tried with 4071 after a reboot. Same issue.

I will try to talk to our VPN guys, looking more into the network trace I found out that 12.3 is only offering 22 Ciphersuites to the Gateway compared to 27 in 12.2.1 maybe they need to enable sth. 

Just strange that Cisco says they don't see anything in the gateway logs.

obi-k
Valued Contributor III

Do you have Apple Enterprise support? Maybe worth a ticket that way so they're aware of a possible 12.3 issue.

kinnetik
New Contributor II

Ok, it was a misconfiguration on the VPN Gateway, we now added one of the 22 Ciphers Apple is using and its working again.

Hello Kinnetik, plis can you share the solution?. I have been looking for a solution for days and have not found it yet. I am on OS 12.13.1 and AnyConnect client For mac 4.10.05095

kinnetik
New Contributor II

We had to add AES256-GCM-SHA384 to the allowed cipehers on the Cisco VPN Gateway, now its working again.

Please Kinnetik, can you tell me how you added it?

dgeiler
Contributor

We have downloaded the newest Version 4.10.05085 and is working fine. Have your network admin login and download it for you