Hello,

In the past I could successfully connect with the pfx certificate to the ASA server with openconnect. But for the last couple of weeks this doesn't work anymore. It seems the connection is established, but at the end it just throws out the login entry (more details in the attachment). I'm using the latest GitHub version of openconnect (as of today), with "openconnect -v -c cert.pfx 1.2.3.4 --os=win -printcookie --dump-http-traffic", but the same result occurred also with the older version. At the same time I can normally connect with the AnyConnect client from a Windows machine, from where the certificate with its private key was exported and used with openconnect. Is it possible to say what is causing this based on the attached log, or is there some check on the ASA side (to which, of course, I don't have access)?

Thank you

-------------- next part --------------
openconnect -v -c cert.pfx 1.2.3.4 --os=win -printcookie --dump-http-traffic
POST https://1.2.3.4/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
Using certificate file cert.pfx
Failed to decrypt PKCS#12 certificate file
Enter PKCS#12 pass phrase:
Using client certificate '/DC=com/DC=XXXg/DC=corp/DC=XXX/OU=Corporate Workplaces/OU=Desktops and Notebooks/OU=XX/OU=XXXXXXX'
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate
Certificate from VPN server "1.2.3.4" failed verification.
Reason: unable to get local issuer certificate
To trust this server in future, perhaps add this to your command line:
    --servercert YYY
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 1.2.3.4
> POST / HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 213
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08-47-g2d77040</version><device-id>win</device-id><group-access>https://1.2.3.4</group-access></config-auth>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Dec 2017 11:24:40 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://1.2.3.4/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on 1.2.3.4
> GET / HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Dec 2017 11:24:40 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://1.2.3.4/+webvpn+/index.html
SSL negotiation with 1.2.3.4
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on 1.2.3.4
> GET /+webvpn+/index.html HTTP/1.1
> Host: 1.2.3.4
> User-Agent: Open AnyConnect VPN Agent v7.08-47-g2d77040
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="ldzAnyConnect" noaaa="0" auth-type="sdi-via-proxy" override-name="password" override-label="PASSCODE:" >XXX</option><option value="YYY" noaaa="1" >YYY</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
GROUP: [XXX|YYY]:
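The log above shows two separate things. The "unable to get local issuer certificate" lines concern the ASA's own server certificate, which openconnect cannot chain to a local CA (hence the --servercert suggestion, or --cafile with the issuing CA); they do not affect whether the ASA accepts the client certificate. Whether the ASA did accept it is not visible from the client side: the gateway simply answered with the username/password form. What can be checked locally is the .pfx itself. The script below is an added example, not code from the post or from openconnect; it assumes an OpenSSL 1.1.1+ CLI on PATH (it uses `req -addext` and `x509 -checkend`), and the hypothetical helper names (`pfx_check`, `pfx_describe`, `make_test_pfx`) and the test bundle it builds are constructed for the example. It confirms that the bundle decrypts with the given passphrase, that the key-bearing certificate is not expired (or not about to expire within a window), and that it carries the TLS Web Client Authentication extended key usage, then prints the subject, issuer and validity dates so they can be compared with the certificate AnyConnect on the Windows machine is using.

```shell
#!/bin/sh
# Sanity-check a PKCS#12 bundle before handing it to `openconnect -c FILE`.
# Added example; assumes an OpenSSL 1.1.1+ CLI on PATH.
set -eu

# pfx_client_cert FILE PASS
# Extract the client (key-bearing) certificate as PEM; fails on a wrong
# passphrase because the MAC check fails before anything is printed.
pfx_client_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

# pfx_check FILE PASS [SECONDS]
# Echoes one token and returns 0 only when the bundle decrypts, the
# certificate is not expiring within SECONDS (default 0: right now), and it
# has the "TLS Web Client Authentication" EKU that a certificate-based tunnel
# group expects to see. Tokens: ok, decrypt-failed, expires-soon, no-clientauth-eku.
pfx_check() {
    file=$1; pass=$2; window=${3:-0}
    if ! pem=$(pfx_client_cert "$file" "$pass") || [ -z "$pem" ]; then
        echo decrypt-failed; return 1
    fi
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null; then
        echo expires-soon; return 1
    fi
    # The EKU names are printed on the line after the "Extended Key Usage" header.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -text \
         | awk '/Extended Key Usage/ { getline; print }' \
         | grep -q 'TLS Web Client Authentication'; then
        echo no-clientauth-eku; return 1
    fi
    echo ok
}

# pfx_describe FILE PASS
# Fields to compare against the certificate AnyConnect picks on Windows.
pfx_describe() {
    pfx_client_cert "$1" "$2" | openssl x509 -noout -subject -issuer -dates
}

# make_test_pfx OUT PASS DAYS EKU
# Build a self-signed test bundle (constructed input for the example only).
make_test_pfx() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days "$3" \
        -subj "/OU=Desktops and Notebooks/CN=test-client" \
        -addext "extendedKeyUsage=$4" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$1" -passout "pass:$2" 2>/dev/null
    rm -rf "$dir"
}
```

Usage against a real bundle: `. ./pfxcheck.sh; pfx_check cert.pfx "$PASS" 604800 && pfx_describe cert.pfx "$PASS"`, which warns a week ahead of expiry. A certificate that passes these checks but still lands on the password form points at the gateway side (the tunnel-group's certificate map or the CA trust on the ASA), which only the ASA administrator can inspect.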