Getting the Cisco AnyConnect VPN Client to work on CentOS 6 x86_64

2012-02-14 UPDATE: I'm no longer using the RPM below. I'm now using an RPM I build from this spec file: https://github.com/pdurbin/anyconnect/blob/master/anyconnect.spec


tl;dr: Try this RPM: http://people.fas.harvard.edu/~pdurbin/RPMS/x86_64/anyconnect-symlinks-2.5-1.x86_64.rpm

I had a little trouble getting the Cisco AnyConnect VPN Client to work on the x86_64 version of CentOS 6. First, I extracted the tarball and ran the setup script:

[root@beamish tmp]# cat /etc/centos-release 
CentOS Linux release 6.0 (Final)
[root@beamish tmp]# tar xfz anyconnect-linux-2.5.2017-k9-64bit.tar.gz 
[root@beamish tmp]# cd ciscovpn
[root@beamish ciscovpn]# ./vpn_install.sh 
Installing Cisco AnyConnect VPN Client ...
Client Software License Agreement of Cisco Systems
(snip)
Do you accept the terms in the license agreement? [y/n] y
You have accepted the license agreement.
Please wait while Cisco Anyconnect VPN Client is being installed...
Starting the VPN agent...
Done!
[root@beamish ciscovpn]# 

Then I clicked "Applications" | "Internet" | "Cisco AnyConnect VPN Client" and tried to connect to the VPN, but I got the error "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

Unsurprisingly, I got the same error from the command line:

[pdurbin@beamish ~]$ /opt/cisco/vpn/bin/vpn connect vpn.rc.fas.harvard.edu
Cisco AnyConnect VPN Client (version 2.5.2017) .

Copyright (c) 2004 - 2010 Cisco Systems, Inc.
All Rights Reserved.


  >> state: Disconnected
  >> notice: VPN Service is available.
  >> registered with local VPN subsystem.
  >> state: Disconnected
  >> notice: VPN Service is available.
VPN>   >> contacting host (vpn.rc.fas.harvard.edu) for login information...
  >> notice: Contacting vpn.rc.fas.harvard.edu.
  >> warning: Unable to process response from vpn.rc.fas.harvard.edu.
  >> error: AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
  >> state: Disconnected
VPN> [pdurbin@beamish ~]$ 
[pdurbin@beamish ~]$ 

In /var/log/messages, I saw errors like this:

Sep 15 10:23:36 beamish vpncli[11858]: Function: setCatalog File: i18n/MsgCatalog.cpp Line: 427 Invoked Function: setCatalog Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Message translation catalog <AnyConnect> not in use.
Sep 15 10:23:36 beamish vpncli[11858]: Function: ClientIfcBase File: ClientIfcBase.cpp Line: 142 Invoked Function: vpnapi Return Code: 0 (0x00000000) Description: vpnapi version 2.5.2017 () Initializing. 
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadProfiles File: ProfileMgr.cpp Line: 107 No profile is available.
Sep 15 10:23:36 beamish vpncli[11858]: Available preferences updated due to secure gateway configuration.
Sep 15 10:23:36 beamish vpncli[11858]: Current Preference Settings: CertificateStoreOverride: false CertificateStore: All ShowPreConnectMessage: false AutoConnectOnStart: true MinimizeOnConnect: true LocalLanAccess: false AutoReconnect: true AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP:  EnableScripting: false TerminateScriptOnNextEvent: false AuthenticationTimeout: 12 
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadLibs File: Certificates/NSSCertUtils.cpp Line: 1348 Invoked Function: getNSSDllPath Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND Unable to locate library libplc4.so
Sep 15 10:23:36 beamish vpncli[11858]: Function: CNSSCertUtils File: Certificates/NSSCertUtils.cpp Line: 281 Invoked Function: CNSSCertUtils::loadLibs Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 55 Invoked Function: CNSSCertUtils Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 999 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: OnNegotiateMessageTypesComplete File: ApiIpc.cpp Line: 538 Master Agent Connection started.
Sep 15 10:23:36 beamish vpncli[11858]: Function: setStateInfo File: VPNStatsBase.cpp Line: 339 Invoked Function: CStateTlv::GetMUSHostAddr Return Code: -32374768 (0xFE120010) Description: TLV_ERROR_NO_ATTRIBUTE 
Sep 15 10:23:36 beamish vpncli[11858]: Function: processState File: ApiIpc.cpp Line: 1418 VPN state: Disconnected Network state: Network Accessible Network control state: Available Network type: Undefined
Sep 15 10:23:36 beamish vpncli[11858]: Function: setState File: ClientIfcBase.cpp Line: 1232 Disconnected
Sep 15 10:23:36 beamish vpncli[11858]: Function: notice File: ClientIfcBase.cpp Line: 667 VPN Service is available.
Sep 15 10:23:36 beamish vpncli[11858]: Function: attach File: ClientIfcBase.cpp Line: 416 Client successfully attached.
Sep 15 10:23:36 beamish vpncli[11858]: Function: attach File: ClientIfcBase.cpp Line: 437 Event detection not implemented in client program.
Sep 15 10:23:36 beamish vpncli[11858]: Function: setState File: ClientIfcBase.cpp Line: 1232 Disconnected
Sep 15 10:23:36 beamish vpncli[11858]: Function: notice File: ClientIfcBase.cpp Line: 667 VPN Service is available.
Sep 15 10:23:36 beamish vpncli[11858]: Function: connect File: ClientIfcBase.cpp Line: 832 Connect requested
Sep 15 10:23:36 beamish vpncli[11858]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 671 Invoked Function: getProfileNameFromHost Return Code: 0 (0x00000000) Description: No profile available for host vpn.rc.fas.harvard.edu. 
Sep 15 10:23:36 beamish vpncli[11858]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 752 Profile () not found. Using default settings.
Sep 15 10:23:36 beamish vpncli[11858]: Function: notice File: ClientIfcBase.cpp Line: 698 Contacting vpn.rc.fas.harvard.edu.
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadProfiles File: ProfileMgr.cpp Line: 107 No profile is available.
Sep 15 10:23:36 beamish vpncli[11858]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 671 Invoked Function: getProfileNameFromHost Return Code: 0 (0x00000000) Description: No profile available for host vpn.rc.fas.harvard.edu. 
Sep 15 10:23:36 beamish vpncli[11858]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Sep 15 10:23:36 beamish vpncli[11858]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 671 Invoked Function: getProfileNameFromHost Return Code: 0 (0x00000000) Description: No profile available for host vpn.rc.fas.harvard.edu. 
Sep 15 10:23:36 beamish vpncli[11858]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 752 Profile () not found. Using default settings.
Sep 15 10:23:36 beamish vpncli[11858]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/pdurbin/.cisco/certificates/client/ directory was not found.
Sep 15 10:23:36 beamish vpncli[11858]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.
Sep 15 10:23:36 beamish vpncli[11858]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: getCertList File: ApiCert.cpp Line: 231 Invoked Function: ApiCert :: getCertList Return Code: 0 (0x00000000) Description: Number of certificates found: 0 
Sep 15 10:23:36 beamish vpncli[11858]: Function: initiateConnect File: ConnectMgr.cpp Line: 592 Initiating connection to: https://vpn.rc.fas.harvard.edu/
Sep 15 10:23:36 beamish vpncli[11858]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1900 PasswordEntry username is pdurbin
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadLibs File: Certificates/NSSCertUtils.cpp Line: 1348 Invoked Function: getNSSDllPath Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND Unable to locate library libplc4.so
Sep 15 10:23:36 beamish vpncli[11858]: Function: CNSSCertUtils File: Certificates/NSSCertUtils.cpp Line: 281 Invoked Function: CNSSCertUtils::loadLibs Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 55 Invoked Function: CNSSCertUtils Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 999 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND 
Sep 15 10:23:36 beamish vpncli[11858]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/pdurbin/.cisco/certificates/ca/ directory was not found.
Sep 15 10:23:36 beamish vpncli[11858]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Sep 15 10:23:36 beamish vpncli[11858]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found.
Sep 15 10:23:36 beamish vpncli[11858]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Sep 15 10:23:36 beamish vpncli[11858]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: VerifyServerCertificate File: Certificates/CertHelper.cpp Line: 167 Invoked Function: CCertStore::VerifyServerCertificate Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: sendRequest File: ConnectIfc.cpp Line: 2623 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: connect File: ConnectIfc.cpp Line: 283 Invoked Function: ConnectIfc::sendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: TranslateStatusCode File: ConnectIfc.cpp Line: 2472 Invoked Function: TranslateStatusCode Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
Sep 15 10:23:36 beamish vpncli[11858]: Function: doConnectIfcConnect File: ConnectMgr.cpp Line: 1361 Invoked Function: ConnectIfc::connect Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: processIfcData File: ConnectMgr.cpp Line: 1634 Invoked Function: ConnectMgr :: processIfcData Return Code: -33554423 (0xFE000009) Description: GLOBAL_ERROR_UNEXPECTED Unrecognized content type (Unknown) received.
Sep 15 10:23:36 beamish vpncli[11858]: Function: notice File: ClientIfcBase.cpp Line: 698 Unable to process response from vpn.rc.fas.harvard.edu.
Sep 15 10:23:36 beamish vpncli[11858]: Function: processIfcData File: ConnectMgr.cpp Line: 1660 Unable to process response from vpn.rc.fas.harvard.edu. 
Sep 15 10:23:36 beamish vpncli[11858]: Function: notice File: ClientIfcBase.cpp Line: 667 AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
Sep 15 10:23:36 beamish vpncli[11858]: Function: connect File: ConnectMgr.cpp Line: 1402 ConnectMgr::processIfcData failed
Sep 15 10:23:36 beamish vpncli[11858]: Function: initiateConnect File: ConnectMgr.cpp Line: 597 Connection failed.
Sep 15 10:23:36 beamish vpncli[11858]: Function: setState File: ClientIfcBase.cpp Line: 1232 Disconnected
Sep 15 10:23:36 beamish vpncli[11858]: Function: connectRequest File: ConnectMgr.cpp Line: 522 Invoked Function: ConnectMgr::initiateConnect Return Code: -29556727 (0xFE3D0009) Description: CONNECTMGR_ERROR_UNEXPECTED 
Sep 15 10:23:36 beamish vpncli[11858]: Function: detach File: ClientIfcBase.cpp Line: 273 Invoked Function: vpnapi Return Code: 0 (0x00000000) Description: vpnapi shutdown. 
Sep 15 10:23:36 beamish vpnagent[11125]: Function: OnIpcMessageReceived File: IPC/IPCDepot.cpp Line: 828 Invoked Function: CIpcTransport::OnSocketReadComplete Return Code: -33292279 (0xFE040009) Description: IPCTRANSPORT_ERROR_UNEXPECTED 
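
The log above is easier to read once it is condensed. The following is an added example (not part of the original post): a shell sketch that counts the non-zero error codes and lists the libraries the client could not load. The function names are illustrative, and the sample input is six lines taken from the excerpt above.

```shell
#!/bin/sh
# Added example: condense AnyConnect vpncli/vpnagent syslog lines into a
# per-error-code summary and list the libraries the client could not load.

# Sample input: six lines taken from the log excerpt above.
sample_log() {
cat <<'EOF'
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadLibs File: Certificates/NSSCertUtils.cpp Line: 1348 Invoked Function: getNSSDllPath Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND Unable to locate library libplc4.so
Sep 15 10:23:36 beamish vpncli[11858]: Function: getCertList File: ApiCert.cpp Line: 231 Invoked Function: ApiCert :: getCertList Return Code: 0 (0x00000000) Description: Number of certificates found: 0
Sep 15 10:23:36 beamish vpncli[11858]: Function: loadLibs File: Certificates/NSSCertUtils.cpp Line: 1348 Invoked Function: getNSSDllPath Return Code: -31391726 (0xFE210012) Description: CERTSTORE_ERROR_NSS_LIBRARIES_NOT_FOUND Unable to locate library libplc4.so
Sep 15 10:23:36 beamish vpncli[11858]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Sep 15 10:23:36 beamish vpncli[11858]: Function: sendRequest File: ConnectIfc.cpp Line: 2623 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
Sep 15 10:23:36 beamish vpncli[11858]: Function: connect File: ConnectIfc.cpp Line: 283 Invoked Function: ConnectIfc::sendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
EOF
}

# Print "COUNT CODE" for every Description code logged with a non-zero
# Return Code, in order of first appearance.
error_summary() {
    awk '
    / Return Code: / && / Description: / {
        rc = $0; sub(/.* Return Code: /, "", rc); sub(/ .*/, "", rc)
        if (rc == "0") next              # status report, not a failure
        code = $0; sub(/.* Description: /, "", code); sub(/ .*/, "", code)
        if (!(code in seen)) order[++n] = code
        seen[code]++
    }
    END { for (i = 1; i <= n; i++) print seen[order[i]], order[i] }'
}

# Print each library named in an "Unable to locate library" message once.
missing_libs() {
    sed -n 's/.*Unable to locate library \([^ ]*\).*/\1/p' | sort -u
}

echo "Errors by code:";    sample_log | error_summary
echo "Missing libraries:"; sample_log | missing_libs
```

On a live system, pipe the output of `grep -E 'vpncli|vpnagent' /var/log/messages` into the two functions in place of `sample_log`.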

According to the Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5, "users receive the new message when the client cannot validate the certificate" from the Cisco Adaptive Security Appliance (ASA, i.e. the VPN appliance). (This "new" message replaces messages such as "Connection attempt has failed due to server certificate problem." and "Local policy prohibits the acceptance of untrusted server certificates. A VPN connection will not be established.")

The release notes list the following Linux requirements: "Firefox 2.0 or later with libnss3.so installed in /usr/local/lib, /usr/local/firefox/lib, or /usr/lib. Firefox must be installed in /usr/lib or /usr/local, or there must be a symbolic link in /usr/lib or /usr/local called firefox that points to the Firefox installation directory."

Blog posts at http://cuz.cx/lampshade/2010/01/running-cisco-anyconnect-on-64bit-fedora-12/ and http://puschitz.com/pblog/?p=39 helped me determine that creating the following symlinks allowed the VPN to work:

[root@beamish ~]# mkdir /usr/local/firefox
[root@beamish ~]# cd /usr/local/firefox
[root@beamish firefox]# ln -s /usr/lib64/libnss3.so 
[root@beamish firefox]# ln -s /lib64/libplc4.so 
[root@beamish firefox]# ln -s /lib64/libnspr4.so 
[root@beamish firefox]# ln -s /usr/lib64/libsmime3.so 
[root@beamish firefox]# 
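
The client loads whatever these links resolve to, so a link left dangling by a package update brings the certificate error back, and a target that other users can write to lets them change the code the client loads. The following check for both conditions is an added example, not part of the original post. The function name and the optional directory argument are illustrative; the library list and default directory come from the commands above.

```shell
#!/bin/sh
# Added example: verify the NSS/NSPR symlinks that AnyConnect loads.
# Usage: check_anyconnect_links [DIR]   (DIR defaults to /usr/local/firefox)
# Prints one status line per library; returns non-zero if any entry is
# missing, dangling, or resolves to a group- or world-writable file.
check_anyconnect_links() {
    dir=${1:-/usr/local/firefox}
    rc=0
    for lib in libnss3.so libplc4.so libnspr4.so libsmime3.so; do
        link=$dir/$lib
        if [ ! -L "$link" ] && [ ! -e "$link" ]; then
            echo "MISSING  $link"; rc=1; continue
        fi
        if [ ! -e "$link" ]; then
            # It is a symlink, but its target no longer exists.
            echo "DANGLING $link -> $(readlink "$link")"; rc=1; continue
        fi
        target=$(readlink -f "$link")
        # -prune limits find to the target itself; the -perm tests match a
        # file that is writable by its group or by everyone.
        if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $link -> $target"; rc=1; continue
        fi
        echo "OK       $link -> $target"
    done
    return $rc
}

check_anyconnect_links "$@" || echo "Fix the entries flagged above."
```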

For convenience, I packaged these symlinks into an RPM. Here's how you can download the spec file and build the RPM.

[pdurbin@beamish ~]$ cd rpmbuild/SPECS
[pdurbin@beamish SPECS]$ wget -q http://people.fas.harvard.edu/~pdurbin/specs/anyconnect-symlinks.spec
[pdurbin@beamish SPECS]$ rpmbuild -ba anyconnect-symlinks.spec 
(snip)
Wrote: /home/pdurbin/rpmbuild/SRPMS/anyconnect-symlinks-2.5-1.src.rpm
Wrote: /home/pdurbin/rpmbuild/RPMS/x86_64/anyconnect-symlinks-2.5-1.x86_64.rpm

After installing the RPM, I can now connect to the VPN:

[root@beamish ~]# rpm -Uvh /home/pdurbin/rpmbuild/RPMS/x86_64/anyconnect-symlinks-2.5-1.x86_64.rpm

I can only assume this will work on RHEL 6 as well.


2011-10-20 Update: It has come to my attention that a newer version than anyconnect-linux-2.5.2017-k9-64bit.tar.gz is available to me (anyconnect-predeploy-linux-64-3.0.4235-k9.tar.gz as of this writing). I haven't had time to play with this yet, but hopefully it will mean I won't need the symlink hack described above anymore.

2011-11-05 Update: I installed anyconnect-predeploy-linux-64-3.0.4235-k9.tar.gz on a fresh install of CentOS 6 and it didn't "just work"; I had to use my symlinks RPM. I did successfully package that new installation into an RPM, however. The spec file is available at http://people.fas.harvard.edu/~pdurbin/SPECS/ciscovpn.spec but I can't distribute the source tarball it references because it's simply a tar'ing up of the proprietary %files section. But maybe the SPEC file will be useful to someone. I put the symlinks in it too.


© 2012 Philip Durbin