Welcome Coronavirus work-from-home folks trying to get their Cisco AnyConnect VPN working! I wrote this article about a year and a half ago but have recently refreshed it.

If solution below still works for you, please leave a comment below. Thanks, and happy social distancing! :)

TL;DR

If you use Fiddler to watch network traffic on your computer, it creates personal certificates that interfere with Cisco AnyConnect VPN.

  • Inside Fiddler, choose Tools > Fiddler Options > HTTPS.
  • Click the certificate maker. Click "Clear server certificates on Exit.".

You may have to reboot to clear memory, but you should be able to use your VPN normally after that.

Backstory

I use Cisco AnyConnect to connect to a client's VPN. Lately, it started hanging with the status message "Hostscan is waiting for the next scan".

The logs show a loop that lasts a little over 10 minutes where it scans and starts over until it finally gives up.

9:42:46 AM Hostscan state idle
9:42:48 AM Hostscan is waiting for the next scan
9:43:50 AM Hostscan is performing system scan
9:43:51 AM Hostscan is performing software scan
9:43:58 AM Hostscan state idle
9:44:00 AM Hostscan is waiting for the next scan
9:45:03 AM Hostscan is performing system scan
9:45:04 AM Hostscan is performing software scan
9:45:19 AM Hostscan state idle
9:45:22 AM Hostscan is waiting for the next scan
9:46:24 AM Hostscan is performing system scan
9:46:24 AM Hostscan is performing software scan

I read something about removing personal certificates helping with this, but I only have a few personal certificates, and they are my machine name, localhost, local development, and something NVIDIA put on there.

data/admin/2018/12/image_thumb_46.png

Solution

But then I read something else about personal certificates in IE11.  Sure enough, under Tools (or the gear icon) > Internet Options > Content there is a button for Certificates.

data/admin/2018/12/image_thumb_47.png

After clicking that, I saw something very different from the machine certificates. They were there, plus some other certificates for local development, but there were HUNDREDS like *.somewebsite.com.

I sorted by the name, selected them, and removed them. Then I tried Cisco AnyConnect again, and it finally connected.

The wildcard certificates I saw in the IE11 Internet Options were created by Fiddler, which I use to watch network traffic and inspect web requests and responses. Fiddler acts as a proxy between your computer and your internet connection, and I guess it creates a personal wildcard certificate for every site you visit, or when Dropbox syncs, or your email does a send/receive, etc.

Since I must use Cisco AnyConnect for the VPN and I only use Fiddler sometimes, I removed the wildcard certificates and uninstalled Fiddler and I've been able to connect to the VPN reliably for a week now.