Cisco AnyConnect – Hostscan is waiting for the next scan

Trying to get on a client’s VPN today via the Cisco AnyConnect VPN software presented a problem this morning. The process for connecting would freeze on “Hostscan is waiting for the next scan”. After some quick googling I found that the client (my laptop) was possibly attempting to send all of the personal SSL cerficiates the client currently has to the server for inspection(?).

Fiddler creates dozens of certificates when intercepting web traffic during debugging. Since Fiddler uses a man in the middle attack to intercept HTTPS traffic, it has to create certificates for each site you browse. After a few hours of developing (and having other browsers on your computer open), these certificates can clog up the pipe to the VPN server when the client tries to send all of them. Another possible reason is the Cisco VPN server isn’t liking the self signed certificates but doesn’t know how to fail gracefully.

Opening up certmgr.msc and clearing out all of the Certificates > Personal > Certificates allowed me to connect again.


This isn’t a perfect/permanent fix, but hopefully it’ll help!

28 thoughts on “Cisco AnyConnect – Hostscan is waiting for the next scan”

  1. This helped me. Thank you! But my question is why is it affecting all the personal certificates. Is there any specific certificates that is affecting this connection?

    1. Whenever you browse a website via HTTPS fiddler creates a man in the middle attack so the program can decipher the content of the connection for you. In order to do this it creates a self signed certificate that your browser connects to fiddler with, then fiddler creates the “real” HTTPS connection to the website. After going to dozens of websites the personal certificate store gets pretty big. I don’t know what was happening with Cisco specifically, but I think it was due to the large number of certificates the VPN was either trying to examine, verify, or upload to the server. I no longer use the software so I can’t be of much help beyond that though. I’m glad it helped you!

  2. there is a limit to how much ASA can accept a traffic from a single host which is roughly 100Kb of data. When there are more certificates on the client machine this value increases and hence hostscan fails.

    to fix this on ASA enter the below command

    service internal
    hostscan data-limit 300

  3. Hi,

    I am facing the same issue. But I do not see any Fiddler certificate in my Personal Certificates. I have only one Certificate in that store….still I am struggling with this issue since today morning. Please help.

      1. Hi,

        I did manage to resolve it by uninstalling and reinstalling Symantec Endpoint Protection in my laptop. The virus definition files had gone corrupt and this in turn was blocking Hostscan. Struggled 4 days to finally identify and get this fixed…good lesson learnt….

Leave a Reply to Abdullah Ozcelik Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.