Preview Tool

Cisco Bug: CSCvv51561 - Customers fail to connect VPN after Aug 2020 Microsoft CA Root update

Last Modified

Oct 02, 2020

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases


Description (partial)

AnyConnect relies on Microsoft CAPI function to validate server trust. CAPI reports error trust status while building the chain of trust and AnyConnect handles the error by ending the VPN connection attempt. Revoked error trust status is a fail close situation for VPN connection attempt due to security concerns.


There is difference in behavior between AnyConnect versions regarding the point of failure.

   1. SSL connections from AnyConnect 4.9.00086, 4.9.01095 will fail before user entering credentials.
   2. SSL connections from AnyConnect 4.8.03052 or earlier will fail after user entering credentials.
   3. IPsec connections from any version of AnyConnect will fail before user entering credentials.

Problem occurs when the endpoints have the automatic update pushed by the Microsoft Certificate Trust Program in August 2020. Please refer to "This release will NotBefore the IP Security EKUs to the following roots:" section from the Microsoft release note ( ). Server identity certificates issued from any of the CA listed which are valid from August 1st 2020 could potentially have problems using AnyConnect.

NOTE: Microsoft confirmed that April 1st mentioned in the release note for NotBefore and Disable dates is a typo.
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.