06-17-2025 04:07 PM
Currently, we have one of our NGFWs configured for VPN use and are able to connect to it successfully. We are exploring the use of DAP for added control over who can connect to our VPN, so we had configured some basic settings. If we don't have it assigned and turned on for the existing working Remote Access VPN policy, all is well. However, as soon as we assign/turn it on, when connecting via the VPN client we get a message about the certificate that says "untrusted server connection" on a red background (as far as what was initially described). The self-signed cert is installed on the client side. I am about to be part of the test group as well and will find out the exact error window that pops up. With the above scenario, my initial question is: what causes this to happen if we are actually not even using the certificate as a criterion in our DAP records?
06-18-2025 04:32 AM
I don't fully understand your question.
Can you elaborate more?
MHM
06-18-2025 06:56 AM
Good morning, MHM,
"How is the self-signed certificate deployed on each VPN client tied to the DAP configuration?" We only picked two criteria in the DAP config at this time and did not use certificate criteria in the AAA of the record we created. I just want to get a deeper understanding of why enabling DAP in the working RAVPN policy affects the behavior of the VPN connection, specifically when the certificate criterion is not even being used. If we unassign the DAP policy from the RAVPN policy, it works. Thank you very much again for your guidance. AR
06-18-2025 01:08 PM
There are many match conditions for DAP. Do you use AAA?
Check the link to see how we can match conditions on AAA attributes.
MHM
06-18-2025 02:25 PM
06-24-2025 01:46 AM
Sorry for the late reply. Do you use only the cert for AnyConnect auth?
MHM
06-24-2025 06:14 AM
Actually, we do have a self-signed certificate created under Objects > PKI > Certificate Enrollment; it is deployed to the client systems. Without DAP enabled, the VPN connection goes smoothly and presents just the normal dialog boxes associated with the connection, and it successfully connects. With DAP enabled, regardless of whether only one endpoint criterion is used (e.g. terminate the connection if not running Windows 11), an extra dialog box about connecting to an untrusted server displays. If we select "Connect Anyway", it connects successfully. I just want to understand how the DAP is associated with the enrolled certificate, as mentioned previously. To reiterate, we are also currently not using the certificate as an endpoint criterion. In addition, to add a bit more: during our investigation we found that using the endpoint criteria seems to be hit or miss, and it also seems that it does not like to have more than one criterion in one record. Right now, it is not making sense to me why...
Thanks so much again for your thoughts on this.
06-24-2025 06:53 AM
Is the certificate of your FTD headend also self-signed? I suspect that when you use DAP there is additional communication via client services that invokes the certificate via a separate "channel" from the usual login. I've always used CA-signed certificates with remote access VPN, and in those cases DAP does not present any certificate errors.
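The checks below are an added example written for this page, not code from any participant in the thread or from Cisco. It uses openssl to answer the three questions a practitioner would ask about the certificate a headend presents: is it self-signed (issuer equals subject), does it cover the name the client dials, and does it chain to a trusted CA, or only to itself? The thread does not identify the "channel" Marvin refers to, so nothing here models DAP; it only shows why a self-signed certificate validates solely where that exact certificate has been installed as a trust anchor, while a CA-issued one validates anywhere the CA is trusted. The hostname vpn.example.com, the "Example Internal CA" name and the temporary working directory are assumptions; both certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread. Inspects X.509 certificates the way you would
# inspect the one an FTD/ASA headend presents: self-signed? covers the dialed name?
# chains to a trusted CA? vpn.example.com and the temp directory are assumptions;
# both certificates below are constructed here with openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HEADEND_NAME="vpn.example.com"   # assumed FQDN the VPN client connects to

# Constructed input 1: a self-signed headend certificate (the situation in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" \
  -subj "/CN=$HEADEND_NAME" -addext "subjectAltName=DNS:$HEADEND_NAME" >/dev/null 2>&1

# Constructed input 2: a private CA and a headend certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example Internal CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/headend.key" -out "$WORK/headend.csr" -subj "/CN=$HEADEND_NAME" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HEADEND_NAME" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/headend.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/headend.pem" >/dev/null 2>&1

# is_self_signed CERT -> "yes" when issuer DN == subject DN (the cert vouches for itself).
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] && echo yes || echo no
}

# covers_name CERT NAME -> "yes" when NAME matches the cert's SAN (or CN fallback), else "no".
covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' && echo yes || echo no
}

# trusted_by CERT [CAFILE] -> "ok" when CERT chains to CAFILE, or, with no CAFILE, to the
# system trust store (what a client without the cert installed would use); else "fail".
trusted_by() {
    if [ "$#" -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# report CERT ANCHOR -> human-readable summary, ANCHOR being the file a client would
# have to trust for this cert to validate (the cert itself, or the issuing CA).
report() {
    printf '%s\n  self-signed: %s\n  covers %s: %s\n  trusted via system store: %s\n  trusted with %s as anchor: %s\n' \
        "$(basename "$1")" "$(is_self_signed "$1")" \
        "$HEADEND_NAME" "$(covers_name "$1" "$HEADEND_NAME")" \
        "$(trusted_by "$1")" "$(basename "$2")" "$(trusted_by "$1" "$2")"
}

report "$WORK/selfsigned.pem" "$WORK/selfsigned.pem"
report "$WORK/headend.pem" "$WORK/ca.pem"
```

Against a live headend the same functions apply to the certificate saved from `openssl s_client -connect vpn.example.com:443 -showcerts`. The self-signed cert reports "fail" against the system store and "ok" only when its own file is the anchor; the CA-issued cert reports "ok" wherever ca.pem is trusted, which is the property Marvin's recommendation relies on.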
06-24-2025 07:01 AM
Good morning, Marvin. Thank you so very much for your response. So far, that is the only certificate we are using for the FTD, and it is self-signed. If we would like to keep it as such (self-signed), did you happen to stumble on a possible workaround so that it behaves as if the cert had been created by a CA? Just wondering if there is a way to find that possible "channel" and turn it off from there, per se :-). Thanks so very much again; a cup of hot coffee for you and MHM.
06-24-2025 08:42 AM
Sorry, but a self-signed certificate will often present itself in undesirable ways. Why is there a desire to avoid using a proper certificate issued by either an internal or a public CA?
06-24-2025 09:02 AM
07-06-2025 09:42 AM
Sorry for the late reply.
Server - client
The client uses the server's self-signed certificate to authenticate the server.
But I think the server doesn't use a self-signed certificate.
Here is the key:
What does the server use to authenticate the client?
I didn't get a clear reply.
MHM