Cisco AnyConnect – Hostscan is waiting for the next scan

Trying to get on a client's VPN this morning with the Cisco AnyConnect VPN client presented a problem. The connection process would freeze on "Hostscan is waiting for the next scan". After some quick googling I found that the client (my laptop) was possibly attempting to send every certificate in my personal certificate store to the server for inspection.

Fiddler creates dozens of certificates when intercepting web traffic during debugging. Since Fiddler decrypts HTTPS by acting as a man in the middle, it has to generate a certificate for each host you browse, signed by its own private root (DO_NOT_TRUST_FiddlerRoot) and stored in the user's Personal certificate store. After a few hours of developing (with other browsers on your computer open), these certificates can clog up the pipe to the VPN server when the client tries to send all of them. Another possible reason is that the Cisco VPN server rejects the certificates chaining to that untrusted root but doesn't know how to fail gracefully.

Opening up certmgr.msc and clearing out everything under Certificates > Personal > Certificates allowed me to connect again. Be aware that this store also holds any real client-authentication certificates you have been issued, so look at what is in it before deleting wholesale; the Fiddler-generated entries are easy to spot by their issuer, DO_NOT_TRUST_FiddlerRoot.
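The same diagnosis and clean-up can be scripted instead of clicking through certmgr.msc. The PowerShell below is an added example, not code from the original post: it counts the certificates in the current user's Personal store (the store certmgr.msc shows as Certificates > Personal > Certificates), groups them by issuer so you can see how many Fiddler created, estimates how many bytes a client would have to upload if it really did send the whole store, and then removes only the certificates issued by DO_NOT_TRUST_FiddlerRoot (Fiddler's default root name, assumed here) while keeping the root itself and any real client certificates. It defaults to a dry run; pass -Remove to actually delete.

```powershell
# Added example (not from the original post): inspect and prune the
# CurrentUser\My store that certmgr.msc shows under Personal > Certificates.
# Assumptions: Fiddler's interception certificates carry the issuer
# "DO_NOT_TRUST_FiddlerRoot" (its default root name). Dry run unless -Remove.
param(
    [string]$IssuerPattern = 'DO_NOT_TRUST_FiddlerRoot',
    [switch]$Remove
)

$store = Get-ChildItem -Path Cert:\CurrentUser\My

# 1. Diagnosis: how big is the store, and who issued what?
"{0} certificates in CurrentUser\My" -f @($store).Count
$store | Group-Object -Property Issuer |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Size of the DER-encoded certificates, i.e. roughly what a client that
# uploads the whole store for inspection would have to send.
$bytes = ($store | ForEach-Object { $_.RawData.Length } | Measure-Object -Sum).Sum
"{0:N0} bytes of certificate data" -f $bytes

# 2. Fix: remove only the per-host interception certificates. The root is
# self-issued (Subject equals Issuer) and is kept so Fiddler keeps working;
# anything issued by another CA (a real client cert) is never touched.
$fiddler = @($store | Where-Object {
    $_.Issuer -like "*$IssuerPattern*" -and $_.Subject -notlike "*$IssuerPattern*"
})
"{0} certificates issued by {1}" -f $fiddler.Count, $IssuerPattern

if ($Remove) {
    $fiddler | Remove-Item -Verbose
} else {
    $fiddler | Remove-Item -WhatIf   # prints what would be deleted, deletes nothing
}
```

Run it once without -Remove to confirm that the issuer breakdown matches what you expect (the Fiddler count should dominate and no corporate CA should appear in the removal list), then rerun with -Remove. In Fiddler Classic, Tools > Options > HTTPS > Actions > Remove Interception Certificates does the same clean-up from inside the tool.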


This isn't a perfect or permanent fix, but hopefully it'll help!

23 thoughts on “Cisco AnyConnect – Hostscan is waiting for the next scan”

  1. This helped me. Thank you! But my question is why it is affecting all the personal certificates. Are there any specific certificates that are affecting this connection?

    1. Whenever you browse a website via HTTPS, Fiddler performs a man in the middle attack so the program can decipher the content of the connection for you. In order to do this it creates a self signed certificate that your browser connects to Fiddler with, then Fiddler creates the "real" HTTPS connection to the website. After going to dozens of websites the personal certificate store gets pretty big. I don't know what was happening with Cisco specifically, but I think it was due to the large number of certificates the VPN was either trying to examine, verify, or upload to the server. I no longer use the software so I can't be of much help beyond that though. I'm glad it helped you!

  2. There is a limit to how much traffic the ASA can accept from a single host, which is roughly 100Kb of data. When there are more certificates on the client machine this value increases and hence hostscan fails.

    To fix this on the ASA enter the below commands:

    service internal
    webvpn
    hostscan data-limit 300
