Trying to get on a client’s VPN today via the Cisco AnyConnect VPN software presented a problem this morning. The process for connecting would freeze on “Hostscan is waiting for the next scan”. After some quick googling I found that the client (my laptop) was possibly attempting to send all of the personal SSL cerficiates the client currently has to the server for inspection(?).
Fiddler creates dozens of certificates when intercepting web traffic during debugging. Since Fiddler uses a man in the middle attack to intercept HTTPS traffic, it has to create certificates for each site you browse. After a few hours of developing (and having other browsers on your computer open), these certificates can clog up the pipe to the VPN server when the client tries to send all of them. Another possible reason is the Cisco VPN server isn’t liking the self signed certificates but doesn’t know how to fail gracefully.
Opening up certmgr.msc and clearing out all of the Certificates > Personal > Certificates allowed me to connect again.
This isn’t a perfect/permanent fix, but hopefully it’ll help!
28 thoughts on “Cisco AnyConnect – Hostscan is waiting for the next scan”
Thank you Matt, i followed the steps and the problem has now been resolved.
This is great… its very helpful. Finally issue resolved…..thanx buddy
Matt you are the best….. saved my life.
Saved my day ! Thank you
yes, it helps.
perfect – thanks!
Thanks!! Saved my connection which just started failing! Clearing allowed me to connect again!
Works, thanks for sharing.
Works for me thank you
Beautiful. I struggled 5-6 hours to resolve this issue and finally this tip really worked.. great,.. thank you !
Matt, thank you very much for sharing the knowledge!
Thanks Matt! Great experience to share..
Thanks, that also work on my mac
Remove certificates from keychain -> mycertificates
Thanks a lot!
Thank you!!! You saved my night
This helped me. Thank you! But my question is why is it affecting all the personal certificates. Is there any specific certificates that is affecting this connection?
Whenever you browse a website via HTTPS fiddler creates a man in the middle attack so the program can decipher the content of the connection for you. In order to do this it creates a self signed certificate that your browser connects to fiddler with, then fiddler creates the “real” HTTPS connection to the website. After going to dozens of websites the personal certificate store gets pretty big. I don’t know what was happening with Cisco specifically, but I think it was due to the large number of certificates the VPN was either trying to examine, verify, or upload to the server. I no longer use the software so I can’t be of much help beyond that though. I’m glad it helped you!
Thank you for post. I also had to delete certificates in Enterprise Trust folder.
Thank you! This helped me !!
there is a limit to how much ASA can accept a traffic from a single host which is roughly 100Kb of data. When there are more certificates on the client machine this value increases and hence hostscan fails.
to fix this on ASA enter the below command
hostscan data-limit 300
Awesome. It worked. Thank you so much
Thanks! Indeed, it worked after deleting certificates created by Fiddler!
And years later… this is the answer. Thanks for sharing!
I am facing the same issue. But I do not see any Fiddler certificate in my Personal Certificates. I have only one Certificate in that store….still I am struggling with this issue since today morning. Please help.
I’d check through other certificate stores and see if fiddler is in any of those.
I did manage to resolve it by uninstalling and reinstalling Symantec Endpoint Protection in my laptop. The virus definition files had gone corrupt and this in turn was blocking Hostscan. Struggled 4 days to finally identify and get this fixed…good lesson learnt….