VPN Web Interface Configuration

m.santangelo
Level 1

Hello all,

We have a Cisco Firepower 2140 and it is running VPN services for us. It is configured such that we can go to https://<hostname>/+CSCOE+/logon.html#form_title_text and login to get the client.

However, the problem is the SSL certificate for that hostname and address appears to be a self-signed certificate. I'm trying to replace it with our domain wildcard certificate, however I can't seem to find the settings for it.

Any advice?

6 Replies

Hi,
Are you running ASA or FTD code on this appliance?

It's running the FTD code, I believe.

Marvin Rhoads
Hall of Fame

If you're running Firepower Threat Defense (FTD), you set it as follows:

1. FMC-Managed: Devices > VPN > Remote Access. Select and edit the VPN Profile. Access Interfaces tab and specify the "SSL Global Identity Certificate" there. Save and deploy.

2. FDM-Managed: Device Monitoring > Remote Access VPN. Select and edit the VPN Profile. Click Next, Next and then choose "Certificate of Device Identity". Then Next > Finish and then Deploy.

If you're running ASA image then set it as described in detail here:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc12
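After the deploy step above, the quickest way to tell whether the head-end is really presenting the new identity certificate (rather than the old self-signed one) is to pull the leaf certificate the TLS listener sends and look at its subject, issuer and fingerprint. The script below is an added example, not code from the thread or from Cisco: `fetch_served_cert()` uses the Python standard library to grab the certificate from a hostname you supply (the `vpn.example.com` name is a placeholder), and `inspect_der()` walks just enough of the X.509 DER structure to report the names and a SHA-256 fingerprint. Because the standard library has no public X.509 parser, the block also includes a small DER builder that produces a constructed, unsigned certificate-shaped blob purely so the inspection code can be exercised offline; real checks should use the bytes returned by `fetch_served_cert()`.

```python
"""Confirm which SSL identity certificate a VPN listener is actually serving.

Added example (not from the thread). Standard library only; the DER walker
understands just enough X.509 to pull out the issuer and subject names.
"""
import hashlib
import ssl

# Raw DER encodings of the attribute-type OIDs we want to print by short name.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O",
              b"\x55\x04\x06": "C", b"\x55\x04\x0b": "OU"}


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value


def _name_string(name_body: bytes) -> str:
    """Render an X.501 Name body as 'O=..., CN=...'."""
    parts = []
    for _, rdn_set in _children(name_body):            # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in _children(rdn_set):              # SEQUENCE { type OID, value }
            (_, oid), (_, value) = list(_children(atv))[:2]
            parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def inspect_der(der: bytes) -> dict:
    """Return subject, issuer, a name-based self-signed flag and SHA-256 fingerprint."""
    _, cert_body, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    return {
        "subject": _name_string(subject),
        "issuer": _name_string(issuer),
        # Identical issuer and subject names is the usual sign of the factory
        # self-signed certificate; it is a name check, not a signature check.
        "self_signed_names": issuer == subject,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def fetch_served_cert(host: str, port: int = 443) -> bytes:
    """DER leaf certificate the listener presents for `host` (SNI is sent; no validation)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def served_cert_matches(host: str, expected_sha256: str) -> tuple:
    """Compare the live certificate's fingerprint with the one you expect to have deployed."""
    info = inspect_der(fetch_served_cert(host))
    return info["sha256"].lower() == expected_sha256.lower(), info


# --- constructed sample input so inspect_der() can be exercised offline -----
def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn: str, org: str) -> bytes:
    """Minimal X.501 Name with O and CN attributes (UTF8String values)."""
    def atv(oid: bytes, text: str) -> bytes:
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))
    return _tlv(0x30, atv(b"\x55\x04\x0a", org) + atv(b"\x55\x04\x03", cn))


def build_sample_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed, unsigned certificate-shaped DER; demonstration input only."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                  # [0] version v3
           + _tlv(0x02, b"\x01")                                            # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _name(issuer_cn, "Example Corp")                               # issuer
           + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
           + _name(subject_cn, "Example Corp")                              # subject
           + _tlv(0x30, b""))                                               # SPKI placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Offline demo on constructed data; for a real check call
    # served_cert_matches("vpn.example.com", "<sha256 of your wildcard cert>").
    for sample in (build_sample_cert("fw.example.com", "fw.example.com"),
                   build_sample_cert("*.example.com", "Example Corp Issuing CA")):
        print(inspect_der(sample))
```

If `self_signed_names` is still `True` after a deploy, the device is not serving the certificate you selected; if the fingerprint differs from the one you uploaded under Devices > Certificates, the wrong object is bound to the access interface. Run the check against the hostname with SNI (as `ssl.get_server_certificate` does), because a listener can hand out a different certificate for a bare IP than for the DNS name.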

Interesting, in the FMC that's where I have it configured, but it's still showing the old certificate, even after being deployed.  I had to upload the certificate to Devices -> Certificate first, in order to get it in the Global Identity Certificate drop down though.

[attachment: vpn.png]

That's odd. I've deployed several remote access VPNs on FMC and they all worked as advertised vis-a-vis the certificate.

Certificates aren't generally cached so it shouldn't be necessary to clear client browser cache etc. when replacing the identity certificate.

You might want to open a TAC case so that the engineer can have a look in real time with you.

Thanks for your help! We'll enter a case with TAC.  Thankfully it's not a huge issue, just trying to unify the environment.
