Cisco AnyConnect VPN client error "Certificate Validation Failure" in macOS Monterey

Hey everyone,

I’m interested in seeing if any other admins are experiencing consistent issues with Cisco AnyConnect in macOS Monterey, whether it’s a Mac upgrading to macOS Monterey or a new Mac fresh out of the box and provisioned.

The “Certificate Validation Failure” is hitting our Mac community hard and is a growing issue for us. Certificates are deployed and placed in the System keychain via MDM w/ access to the required cert granted to the AnyConnect VPN client.

Everything else in our configuration can read and access keychain items without issue but AnyConnect appears to have a really hard time validating the certificate it needs.

When a user is hit with the cert validation error, they can “fix” it by running “security unlock-keychain” in Terminal and successfully activate VPN on the next attempt.

Is anyone else dealing with this in macOS Monterey as a consistent issue?

Idk about macs, but on Windows I used to resolve this issue by having the user remove old/incorrect certificates or click more choices and select the correct certificate to connect.

Like I said idk anything about macs, but maybe try clearing any old/non-applicable certs from the computer.

Does AnyConnect launch on boot? It could be that AnyConnect is loading before the keychain is fully up.

We use smartcards and I get this if my card isn’t in the reader before the application loads up.

Wanted to post an update on this issue. This was resolved by a correction to our smart card provisioning process.

For years, and by design, our smart card provisioning process was NOT filling smart card slot 9d with the KMK. This never posed an issue in earlier versions of macOS for us until macOS Monterey and later. After filling slot 9d with the KMK, we were no longer able to replicate the issue.

Interesting. I don’t have problems on my Mac.

I try to download the latest version before I upgrade macOS. And I usually wait a couple of weeks or months into a new major macOS release.

Do you know if it’s a validation failure of the client certificate or the server certificate?

This. You have to delete previously expired certs. Also check if there’s an expired cert in your cert chain. Look at root CAs.

Thanks for getting to this. We have automation that clears expired/unnecessary certs from the keychains and also confirms the required certs are installed, trusted, and allows access for all services and applications.

Our Windows clients don’t have this issue, fortunately. We opened a service request with Cisco to identify the root cause. I suspect it’s an issue with the application in macOS Monterey.
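One way to script the expired-cert check raised in the previous reply and the automation described in this one, as an added example that is not code from this thread or from Cisco: a POSIX shell script that splits a PEM bundle into individual certificates and uses `openssl x509 -checkend` to flag any that are expired or about to expire. The System keychain path, the `security find-certificate -a -p` export and the 30-day window are assumptions; only openssl is needed to run the core check on any PEM bundle.

```shell
#!/bin/sh
# Added example: flag certificates in a PEM bundle that are expired or expire soon.
# Needs only openssl; the System keychain export at the bottom is macOS-specific.
# certs_expiring_within SECONDS PEMFILE
# Prints "subject | notAfter" for each certificate in PEMFILE that has expired
# or will expire within SECONDS. Returns 1 if any were flagged, 0 otherwise.
certs_expiring_within() {
    window="$1"
    bundle="$2"
    found=0; in_cert=0
    tmp=$(mktemp)
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----")
                in_cert=1
                printf '%s\n' "$line" > "$tmp"
                ;;
            "-----END CERTIFICATE-----")
                in_cert=0
                printf '%s\n' "$line" >> "$tmp"
                # -checkend exits non-zero when the cert expires within the window
                if ! openssl x509 -in "$tmp" -noout -checkend "$window" >/dev/null 2>&1; then
                    found=1
                    subj=$(openssl x509 -in "$tmp" -noout -subject)
                    end=$(openssl x509 -in "$tmp" -noout -enddate)
                    printf '%s | %s\n' "$subj" "$end"
                fi
                ;;
            *)
                if [ "$in_cert" -eq 1 ]; then
                    printf '%s\n' "$line" >> "$tmp"
                fi
                ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
    return "$found"
}

# audit_system_keychain SECONDS
# macOS only (assumed keychain path): export the System keychain's certificates
# to a temporary PEM bundle and run the check, e.g. audit_system_keychain 2592000
audit_system_keychain() {
    bundle=$(mktemp)
    security find-certificate -a -p /Library/Keychains/System.keychain > "$bundle"
    certs_expiring_within "$1" "$bundle"
    status=$?
    rm -f "$bundle"
    return "$status"
}
```

Run `audit_system_keychain 2592000` on a Mac to list anything in the System keychain that is expired or expires within 30 days; the same check can be pointed at a login keychain by changing the path.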

Thanks for getting to this. AnyConnect launches on boot. This error can occur from a cold start, reboot, or waking from sleep.

We also use smartcards (USB-C Yubikey) and enforce smartcard auth so they stay connected to Macs.

Our install and config processes around AnyConnect have been the same for several years and have never required any adjustments minus the MDM profiles needed to approve the system extension which we confirm is in place and working.

We have an open service request with Cisco but we haven’t heard back from them in over a week. I suspect it’s an issue with the application in macOS Monterey since the same application version and configuration work in macOS Catalina and macOS Big Sur with no issues.