Anyconnect Cannot Verify The Identity Of The Server



Last night I went to shut down my Windows 7 64-bit computer and agreed to the “Install updates and shut down” option. When my system came back up I noticed that I could no longer launch my Cisco AnyConnect VPN client from Internet Explorer – ActiveX was failing. Oh great.

AnyConnect and ActiveX Killbits

Back in March 2012 a vulnerability was publicized for the Cisco AnyConnect ActiveX control. Cisco’s Security Advisory said:

The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client systems to perform port forwarding operations. Microsoft Windows-based systems that are running Internet Explorer or another browser that supports Microsoft ActiveX technology may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.

The affected ActiveX control is distributed to endpoint systems by Cisco ASA. However, the impact of successful exploitation of this vulnerability is to the endpoint system only and does not compromise Cisco ASA devices.

That’s not good, of course. Cisco’s remedies were either an ASA software update (so that a fixed control is pushed to clients) or, as a workaround, registry changes that disable the ActiveX control – that is, setting the kill bit for the control so Internet Explorer refuses to load it.

However, even if you had taken neither action, you would likely not have had any issue with the software: nothing stopped you from continuing to run what you already had, and unless the kill bit was set, the control kept working. Microsoft helpfully sent out an update, though (KB2675157), that rolled up a number of security updates including ActiveX kill bits. This clearly caused some problems, as noted in the Spiceworks thread “Microsoft Update KB2675157 breaks Cisco AnyConnect VPN”.

Interestingly, I checked my system for that update and indeed it was installed in April:

Latest Windows Updates

I say interestingly, because this did not stop me running the AnyConnect VPN client via a web page, and in fact, it has worked just fine until today. This made me go check my Windows update history to see what was actually installed last night, and I found this:

KB2736233 is an “Update Rollup for ActiveX Kill Bits” and in the Microsoft Security Advisory, it says:

This update sets the kill bits for the following third-party software:

  • Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.
  • Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory.

So this time, a very specific set of kill bits are set at Cisco’s request. Unfortunately (depending on your perspective), they have worked. The related Cisco Security Advisory (cisco-sa-20120620-ac) from June 20, was last updated September 7, 2012. Again, ASA software updates are the order of the day if you want to fix it.
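Since the whole story turns on whether a kill bit is set on your machine, here is a way to check rather than guess. This is an added example, not code from the original post and not Cisco’s or Microsoft’s; it assumes only the documented mechanism (Internet Explorer consults `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` and treats bit 0x400 of the `Compatibility Flags` DWORD as the kill bit, with 32-bit IE on 64-bit Windows reading the `Wow6432Node` copy). The CLSID shown in the usage line is a placeholder; the real ones for the Cisco controls are in the “Third-Party Kill Bits” section of the Microsoft advisory and are not reproduced here.

```powershell
# Added example (not from the original post, Cisco or Microsoft).
# Reports whether Internet Explorer's kill bit is set for each ActiveX CLSID given.
# IE reads HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# before instantiating a control; if the "Compatibility Flags" DWORD there has bit
# 0x400 set, the control is never loaded, whatever is still installed on disk.
# On 64-bit Windows the 32-bit IE (the default on Windows 7) reads the WOW6432Node copy.
function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        # CLSIDs in registry form, e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'.
        # The values for the Cisco controls are listed in the "Third-Party
        # Kill Bits" section of Microsoft Security Advisory 2736233.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Clsid
    )
    begin {
        $KillBit = 0x400
        $Roots = @(
            'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
        )
    }
    process {
        foreach ($id in $Clsid) {
            foreach ($root in $Roots) {
                $key   = Join-Path -Path $root -ChildPath $id
                $flags = 0
                if (Test-Path -Path $key) {
                    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                    if ($null -ne $props -and $null -ne $props.'Compatibility Flags') {
                        $flags = [int]$props.'Compatibility Flags'
                    }
                }
                $view = '64-bit'
                if ($root -like '*Wow6432Node*') { $view = '32-bit' }
                [pscustomobject]@{
                    Clsid      = $id
                    View       = $view
                    Flags      = '0x{0:X}' -f $flags
                    KillBitSet = (($flags -band $KillBit) -ne 0)
                }
            }
        }
    }
}

# Lists every CLSID under the 32-bit compatibility key that currently has the kill bit set,
# which is the quickest way to see what a kill-bit rollup actually changed on a machine.
function Get-ActiveXKillBitList {
    $root = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (([int]$flags) -band 0x400) -ne 0) { $_.PSChildName }
    }
}

# Usage (placeholder CLSID; substitute the ones from the advisory):
# Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table
# Get-ActiveXKillBitList | Measure-Object   # how many controls are kill-bitted right now
```

Run it once before and once after a kill-bit rollup installs and diff the two lists; if the Cisco CLSIDs appear in the second, the web launcher failure described below is expected behaviour, not a broken installation.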

Symptoms: It Doesn’t Work

I should clarify that the circumstances in which the AnyConnect client fails are triggered when you try to launch it from an IE web page. If you just run the client and have the profile already loaded, it works fine. However, as I swap between various client VPNs, I usually end up using the web login for each so that it populates the server details automatically, and when I try now I get this:

Groovy, right?

Solutions?

I guess getting the ASA owner to upgrade so I can use a newer client. As I mentioned, running the installed client directly is no problem – it’s just the ActiveX launcher that fails. Still, I thought I’d mention this as it’s something that will likely be hitting support desks all over the place…

Additional Links (Updated Sept 25, 2012)

A colleague at work mentioned that he had also had problems with AnyConnect under Windows 8, receiving a “The VPN Client Driver encountered an error” message. There’s a great (and brief) write up of the problem – and the solution – over on ExhangeGeek.

Not all technology is perfect, and, no matter the device, errors sometimes occur. In this case, your iPhone has come up with a message stating that it “cannot verify server identity.” Here is the true fix to this type of error.

How To Fix Your iPhone When It Says “Cannot Verify Server Identity”

Reboot Your Phone

The first step is to simply reboot your phone. To do this, press and hold the phone’s power button until the phone instructs you to “slide to power off.” Swipe your finger across the screen and wait for your device to shut down. After around a minute, press and hold your power button once again. Eventually, the Apple logo will appear and your phone will restart.

Closing and Reopening the Mail App

If the simple reboot did not work, it may be an issue with the Mail app itself. A problem like this could occur if the Mail app crashed without you realizing it, which happens with many apps. To restart the Mail app, press the Home button twice in rapid succession. The App Switcher will appear. Use one of your fingers to swipe the Mail app up until it disappears. Now, reopen the Mail app and see if the problem has been solved.

Delete Your Email Account and Re-Add It

The next option is to delete the email account from the phone and add it again. The error means the phone could not validate the certificate your mail server presented to prove its identity (for instance because the certificate has expired, is self-signed, or was issued for a different host name), so it refuses to trust the connection. Please note that this does not delete the mailbox itself, only its configuration on the device; and if the server’s certificate really is invalid, re-adding the account will not help, because the warning is the phone doing its job rather than a fault to be bypassed. To do this, open your Settings app and press Accounts & Passwords. Look for the account that you would like to delete, tap it and press the red delete button. A confirmation box will open. When it does, tap the words Delete Account. Now, go back to the Accounts & Passwords screen and press Add Account. Select the mail service that you are using and enter your login information.

Reset All of Your Phone’s Settings

If none of the aforementioned methods worked, you may just have to reset the entirety of the phone’s settings. In order to do this, go to your settings app, hit the General option, then press Reset. On the Reset page, you should see a Reset All Settings option. If your phone has a passcode, you must enter it in order to confirm the reset.
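The steps above all assume the problem is on the phone, but “cannot verify server identity” is a TLS client declining to vouch for a certificate, and the usual reasons are a handful of checks you can reproduce yourself. The following is an added example (mine, not the page’s and not Apple’s code): it classifies a server certificate as expired, not yet valid, self-signed, or not matching the host name, working on the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns. The two sample certificates and the fixed “now” timestamp are constructed for the demonstration; for a real server you would fill in the fields from `openssl s_client` output or from `getpeercert()` on a connection that succeeded.

```python
"""Added example (not from the original page): why a TLS client refuses to trust a
mail server's certificate.  Works on the dict shape returned by
ssl.SSLSocket.getpeercert(), so it runs offline on constructed samples."""
import ipaddress
import ssl
import time


def _dns_match(pattern, hostname):
    """Match a dNSName entry (at most one leftmost wildcard label) against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*.example.com' covers exactly one label and never the bare 'example.com'.
    head, sep, tail = hostname.partition(".")
    return sep != "" and head != "" and "." + tail == pattern[1:]


def hostname_matches(cert, hostname):
    """RFC 6125-style check: SAN dNSName/iPAddress entries first; commonName only
    when the certificate carries no SAN of either kind (legacy fallback)."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if not dns_names and not ip_names:
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, hostname) for p in dns_names)


def diagnose(cert, hostname, now=None):
    """Return the reasons (as short codes) a client would not accept `cert` as
    proof of `hostname`'s identity; an empty list means these checks pass."""
    now = time.time() if now is None else now
    reasons = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not_yet_valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    # issuer == subject: nobody but the server itself vouches for this certificate,
    # so no trust anchor on the phone can validate it.
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self_signed")
    if not hostname_matches(cert, hostname):
        reasons.append("name_mismatch")
    return reasons


# Constructed samples in getpeercert() shape; not any real server's certificate.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "mail.example.com"),),
}
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2100 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
# Fixed clock so the demonstration is reproducible (constructed, not the real date).
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2017 GMT")

if __name__ == "__main__":
    for cert, host in [(SAMPLE_SELF_SIGNED, "mail.example.com"),
                       (SAMPLE_WILDCARD, "imap.example.com"),
                       (SAMPLE_WILDCARD, "a.b.example.com"),
                       (SAMPLE_WILDCARD, "192.0.2.1")]:
        print(host, "->", diagnose(cert, host, NOW) or "ok")
```

Of the four outcomes only “name mismatch” and “expired” can be fixed on the client side at all (by using the host name the certificate was issued for, or by correcting the phone’s clock); a self-signed or otherwise untrusted certificate has to be replaced on the server, and the rebooting and re-adding above cannot change that.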

Done!

If you have completed all of the above methods, your phone should no longer state that it “cannot verify server identity.” Once the problem is solved, you should be able to freely receive emails from your email account while also being able to send emails to whomever you choose. The better news is that if this issue ever happens again, you will know exactly how to fix it. You may even be able to help one of your friends if they run into the issue, causing them to think you are a technological “genius” (pun intended).