Cisco ASA public CA certificate issue with AnyConnect client

JonMoss92624
Level 1

Hi all, got an issue that I'm struggling to get to grips with. I installed a wildcard certificate onto our ASA 5525-X firewalls, and this certificate is being used for both SSL and IPsec IKEv2.

 

My problem is that it works fine if I browse to the ASA (clientless), but it throws the "Untrusted Server Blocked" warning when using the AnyConnect 4.9.01095 client.

 

This is a new build environment.

 

I appreciate more info will be needed from myself in order to get started troubleshooting this, but I'm putting this up as a starter for ten. Any thoughts / feedback welcome.

 

Thanks,


Jon

6 Replies

Hi @JonMoss92624 

Do you have the correct trustpoint enabled for both SSL and IPsec? For example:

ssl trust-point PKI_TP OUTSIDE
crypto ikev2 remote-access trustpoint PKI_TP

HTH

Hi Rob, thanks for the reply. Yes, they are both set to the same trustpoint; for SSL the trustpoint is also on the inside and DMZ interfaces as well as the outside interface.

Can you enable debugs on the ASA and provide the output for review?

You could also install Wireshark on a laptop, run it whilst connecting to the VPN, and provide the pcap for review.

Attachments as requested, Rob.

I can see your connection to an IPsec VPN and a TLS handshake to the public IP address of the ASA. I can see one DNS query/response, querying the IP address, NOT the FQDN of the ASA.

 

What domain name are you connecting to when it works? Can you double-check that you are connecting using the FQDN (check the AnyConnect XML profile)? If you connect using the IP address, it will error.
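The name-mismatch behind the "Untrusted Server Blocked" warning, as an added example that is not part of this thread or of Cisco's code: the client compares the address it was told to connect to against the subjectAltName entries on the server certificate, and an IP literal can only be satisfied by an iPAddress SAN, never by a dNSName such as a wildcard. The script below applies those RFC 6125-style rules to the HostAddress values in a constructed AnyConnect profile fragment; the certificate names, IP address and profile entries are assumptions made up for illustration, not the poster's.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample SAN entries, as a public wildcard certificate installed on
# the ASA might carry them (assumed names, not the original poster's).
CERT_SAN_DNS = ["*.example.com", "example.com"]
CERT_SAN_IP = []  # a public wildcard cert normally has no iPAddress SAN

# Constructed AnyConnect client profile fragment. Element names follow the
# AnyConnect profile schema; the host entries are assumptions for this example.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN (FQDN)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Corp VPN (IP)</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def dns_name_matches(presented: str, reference: str) -> bool:
    """Match a presented dNSName (possibly a wildcard) against a reference
    hostname: case-insensitive, a wildcard must be the whole left-most label,
    it matches exactly one label, and it must leave at least two fixed labels
    (so "*.com" is rejected)."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def is_ip_literal(host: str) -> bool:
    """True if the configured address is an IPv4/IPv6 literal, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def server_identity_ok(host: str, san_dns, san_ip) -> bool:
    """Client-side identity check: an IP literal is only satisfied by an
    iPAddress SAN; a hostname is only satisfied by a dNSName SAN."""
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    return any(dns_name_matches(name, host) for name in san_dns)


def check_profile(profile_xml: str, san_dns, san_ip) -> dict:
    """Return {HostAddress: identity_ok} for every HostEntry in the profile.
    The namespace prefix is stripped so the check works with or without
    the xmlns declaration."""
    root = ET.fromstring(profile_xml)
    results = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "HostAddress" and el.text:
            host = el.text.strip()
            results[host] = server_identity_ok(host, san_dns, san_ip)
    return results


if __name__ == "__main__":
    for host, ok in check_profile(PROFILE_XML, CERT_SAN_DNS, CERT_SAN_IP).items():
        verdict = "OK" if ok else "name mismatch -> Untrusted Server Blocked"
        print(f"{host:20} {verdict}")
```

Run against the constructed profile, the FQDN entry passes and the IP entry fails, which is the situation in the capture above. The fix is the one in the reply: make the HostAddress in the profile (and whatever the user types into the client) the FQDN covered by the certificate. On the ASA, `show crypto ca certificates <trustpoint>` shows the Subject Alternative Name entries you are matching against.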

Sincere apologies, I wasn't seeing the wood for the trees.

 

Thank you very much.

 

Jon
