Hi There,
We are having an issue with an ASA5520 v8.0(4) appliance that suffered a power outage (the first time it has been down in around a year), and since then AnyConnect 2.5.2019 VPN clients are failing with certificate errors.
The clients authenticate using both a Microsoft CA-issued machine certificate and an AD logon, and the AnyConnect clients have an always-on TND profile applied.
The clients also have a certificate for the appliance installed in their Trusted Root store, and it is this certificate that appears to have changed on power cycle, confirmed by comparing the serial number of the current appliance certificate with the one the clients have installed for the appliance.
I checked the configuration, and the ASA's external interface used for SSL connections has no certificate assigned to it and is using the appliance's fallback certificate.
Does this fallback certificate change each time the ASA appliance is power cycled? If so, what would you recommend to overcome this and survive power cycles? Would a self-signed certificate applied to the interface suffice?
We have found that we can get clients working again by importing the updated appliance (fallback) certificate into the clients' Trusted Root store, but should we suffer another power outage, will we end up in a similar situation?
Thanks for any suggestions.
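The serial-number comparison described in the post, as an added example that is not part of the original thread or of any Cisco tooling: a small stdlib-only Python script that pulls the certificate the ASA's outside interface presents right now and compares its serial number and SHA-256 fingerprint against the copy exported from a client's Trusted Root store. The host name `vpn.example.com` and the file name `asa-fallback.cer` are assumptions, and the DER walker only reads far enough into the certificate to reach the serial number; the offline demo at the bottom runs on constructed DER skeletons, not real certificates.

```python
"""Compare the certificate a TLS endpoint presents now with a stored copy.

Added example (not from the original post). The ASA host/port and the stored
certificate path are assumptions; fake_cert() builds constructed DER skeletons
for the offline demo and the self-test, not real certificates.
"""
import hashlib
import socket
import ssl


def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def serial_hex(der_cert: bytes) -> str:
    """Return the X.509 serialNumber content bytes as upper-case hex.

    Walks Certificate -> tbsCertificate -> [optional [0] version] -> INTEGER.
    """
    _, cert_body, _ = der_tlv(der_cert)          # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)               # tbsCertificate SEQUENCE
    tag, value, nxt = der_tlv(tbs)
    if tag == 0xA0:                              # [0] EXPLICIT version is optional
        tag, value, nxt = der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found where expected")
    return value.hex().upper()


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the whole DER blob: catches any change, not just the serial."""
    return hashlib.sha256(der_cert).hexdigest().upper()


def certs_match(presented: bytes, stored: bytes) -> dict:
    """Report whether the live certificate is the one the clients trust."""
    return {
        "serial_match": serial_hex(presented) == serial_hex(stored),
        "fingerprint_match": fingerprint_sha256(presented) == fingerprint_sha256(stored),
    }


def load_cert(path: str) -> bytes:
    """Load a stored certificate (PEM or DER export) as DER bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a TLS server presents, without validating it
    (we are diagnosing a trust failure, so validation would only fail early)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one TLV (short and long-form lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def fake_cert(serial: bytes) -> bytes:
    """Constructed DER skeleton: just enough Certificate/tbsCertificate
    structure for serial_hex() to walk. Not a real, signed certificate."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))      # [0] EXPLICIT INTEGER (v3)
    tbs = tlv(0x30, version + tlv(0x02, serial))
    return tlv(0x30, tbs)


if __name__ == "__main__":
    # Offline demo on constructed skeletons: the copy the clients hold versus
    # a certificate with a different serial, as after a regenerated fallback cert.
    stored = fake_cert(b"\x0a\x1b\x2c")
    presented = fake_cert(b"\x5e\x6f")
    print(serial_hex(stored), serial_hex(presented), certs_match(presented, stored))
    # Live use (assumed host and file name): compare the ASA outside interface
    # with the certificate exported from a client's Trusted Root store.
    # live = fetch_presented_cert("vpn.example.com", 443)
    # print(certs_match(live, load_cert("asa-fallback.cer")))
```

A `serial_match` of False with the same subject name is exactly the symptom in the post: the appliance is presenting a freshly generated certificate under the same name. One caveat for the live path: an ASA on 8.0(4) negotiates only old TLS versions, and a current Python/OpenSSL build may refuse to connect at its default security level, in which case run the script from an older host or lower `ctx.minimum_version` only for this diagnostic.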