If you're getting
"AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again."
and
"The certificate on the secure gateway is invalid. A VPN connection will not be established"
when you're using Cisco AnyConnect on Debian 12 and over, it's because of read permissions (you can confirm by running vpnui with gksu)). The solution is given here: Link
In brief, you'll need to edit /opt/cisco/anyconnect/AnyConnectLocalPolicy.xml and change
<BypassDownloader>false</BypassDownloader><ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore><ExcludePemFileCertStore>false</ExcludePemFileCertStore>
<ExcludeFirefoxNSSCertStore>true</ExcludeFirefoxNSSCertStore>