Cisco AnyConnect failed to establish connectivity

Abstract

Issue: Cisco AnyConnect failed to establish connectivity to the VPN server; hostscan stayed in state idle, with TOKEN_INVALID and "unable to init cert verification" errors.
Root cause: "unable to init cert verification", caused by Java certificate validation (Java 1.8.0 121).

Solution:

You have the following 6 actions to restore your Cisco AnyConnect VPN client. In most cases actions No. 4 and No. 5 resolve the issue, because the root cause is the Java security validation.

  1. "rm ~/.anyconnect"
  2. Regenerate the P12 certs from your company's website and import them into your Mac.
    Notice: Delete all previous IBM VPN Intermediate CA certificates from your keychains first.

  3. Double-click the P12 downloaded from the website and select Open to import it with the Keychain Access utility.

  4. Important: Delete the IBM Internal Root CA, the IBM VPN Intermediate CA and your private key from the System keychain; leave these three only in the login keychain.

  5. Log in from Firefox at https://(your vpn endpoint)/CACHE/stc/2/index.html (e.g. https://sasvpn01.cn.ibm.com/CACHE/stc/2/index.html) to validate that your certs and Java runtime have been set up successfully.

  6. Reinstall Cisco AnyConnect.
  7. If the expired-certificate message below appears, add the URL to the Java exception site list.

Troubleshooting

  1. Open the Java Console from System Preferences and enable debug and trace output for the expired certificates.
  2. Cisco AnyConnect logs
    tail -f /var/log/system.log
    find ~/.cisco
    tail -f ~/.cisco/hostscan/log/cscan.log
    tail -f ~/.cisco/hostscan/log/libcsd.log
    tail -f ~/.cisco/hostscan/log/cstub.log
    
  3. Configuration of VPN client

    ~/.anyconnect
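The following script is an added example, not part of the original note: it checks the condition behind action No. 4 (the same CA certificate installed in both the System and the login keychain, found by grouping `security find-certificate -Z` output by SHA-1 hash) and greps the hostscan logs listed under Troubleshooting for the symptom strings named in the abstract. The keychain paths, CA names and log paths are taken from the note; the macOS `security` tool is only invoked with `--run`.

```sh
#!/bin/sh
# Added example, not from the original note. Two checks:
#  (1) action No. 4: a CA certificate present in both the System keychain and
#      the login keychain, detected by grouping `security find-certificate -Z`
#      output by SHA-1 hash;
#  (2) the symptom strings from the abstract in the hostscan logs.
set -eu

SYSTEM_KC=/Library/Keychains/System.keychain
LOGIN_KC="${HOME:-}/Library/Keychains/login.keychain-db"
HOSTSCAN_LOG="${HOME:-}/.cisco/hostscan/log"

# dup_certs: read `security find-certificate -a -Z` output on stdin; print one
# line "<sha1>  <label> <keychain> <keychain>..." per certificate that appears
# in more than one keychain. Nothing is printed when there is no duplicate.
dup_certs() {
  awk '
    /^SHA-1 hash:/ { hash = $3 }
    /^keychain:/   { kc = $0; sub(/^keychain: */, "", kc); gsub(/"/, "", kc)
                     if (!seen[hash, kc]++) { n[hash]++; where[hash] = where[hash] " " kc } }
    /"labl"<blob>=/ { split($0, a, "\""); label[hash] = a[4] }
    END { for (h in n) if (n[h] > 1) printf "%s  %s%s\n", h, label[h], where[h] }
  ' | sort
}

# check_keychains: look up the two CA names from action No. 4 in both keychains
# and fail (status 1) when either one is installed in both.
check_keychains() {
  dups=$(for name in "IBM Internal Root CA" "IBM VPN Intermediate CA"; do
           security find-certificate -a -Z -c "$name" "$SYSTEM_KC" "$LOGIN_KC" 2>/dev/null || true
         done | dup_certs)
  [ -z "$dups" ] && return 0
  printf '%s\n' "$dups"
  return 1
}

# scan_logs: print the lines of the given hostscan logs that carry the symptoms
# named in the abstract (TOKEN_INVALID, cert verification init, idle state).
scan_logs() {
  grep -hE 'TOKEN_INVALID|unable to init cert verification|state.*idle' "$@" 2>/dev/null || true
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  check_keychains || echo "Duplicate CA above: delete it from $SYSTEM_KC (action No. 4)."
  scan_logs "$HOSTSCAN_LOG/cscan.log" "$HOSTSCAN_LOG/libcsd.log" "$HOSTSCAN_LOG/cstub.log"
fi
```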