ASA ANYCONNECT SELF SIGNED CERTIFICATE NOT WORKING

Jesutofunmi O
Level 1

Hello, 

So I have a local web-based application that I want to make accessible from a remote location using Cisco AnyConnect. I am currently using an ASA 5515-X. This is my first time attempting AnyConnect and I intend to use a self-signed certificate from my ASA. When I enter the public IP of my ASA in my web browser, it is supposed to bring me to a landing page where I will be directed to download the AnyConnect client and then authenticate. The issue is that the page times out when I enter my address in a browser, which means "AnyConnect is not working yet" or my configuration is wrong somewhere.

Please see config below and assist in ways you can. I would appreciate this. Thank you.


11 Replies

Rahul Govindan
VIP Alumni

Configuration looks correct to me on a quick look. Are you trying to hit "https://71.71.x.x" on your browser? Can you try to capture traffic on your machine using wireshark to see what happens when you try the connection? 

Thanks for your response Rahul. 

Currently downloading Wireshark. Yes, it is. When I try to reach https://71.71.xx.xx I get the "this site can't be reached" error message. I have also attached the full config of the ASA. There could be a config line I have not spotted blocking the connection. Just to mention, ICMP, Telnet and SSH (public) are disabled on the WAN (internet) leg of the ASA.

Also, apply a capture on the ASA WAN interface.

capture capo interface outside match tcp host <your client public ip> host <your ASA public ip> eq 443

The only other thing I noticed in your config is a missing default route. I did not notice a routing protocol configuration, so it could just be that. 

There is a default route. I probably deleted it when I was trying to edit the config I posted. 

You think not using a routing protocol could be affecting it?

There seems to be no output for the capture command, I did a "terminal monitor", still the same thing. 

Do a "show capture capi" after applying the capture. Will show you if there are packets coming in from the client to the ASA.

Also, you don't need a routing protocol if you have a static route. Also paste the sanitized output of "show route" if you can.

Hey Rahul, 

Thanks for the assistance thus far.

So when I issued the command "show capture capo", it started working for some weird reasons I can't explain. I could access https://71.71.xx.xx. 

One more worry for me is the Warning message I get from the "Cisco AnyConnect Mobility Client" itself saying the server certificate is UNTRUSTED. It is a self signed certificate. I wonder why. Please see attached screenshot. 


This is expected. Self-signed certificates are generated by the ASA and are not inherently trusted by the operating system. AnyConnect (or any SSL/TLS client) checks for at least 4 things on the server certificate during the SSL handshake:

1) Date/Validity

2) URL that you accessed matches the Subject Name or Subject Alternate Name of the certificate

3) Issued by a CA or sub CA whose certificate is on the trusted CA certificate store of the OS/browser

4) Key usage and extended key usage match what the certificate is being used for. EKU usually has to be completely empty or at least contain "Server Authentication" for server-side certs.

In the case of self-signed certificates, conditions 2 and 3 are almost always not matched. The default self-signed certificate has the name "hostname.domain-name" of the ASA and is issued by itself.

For you to avoid the cert warning, do this:

1) Register a DNS name for your public IP, like vpn.domain-name.com

2) Get a certificate from a trusted third party CA like GoDaddy or Verisign for the name that you registered above.

3) Install the cert and CA cert on the ASA and link it to your outside interface.

4) Access VPN using vpn.domain-name.com

You can refer to this Cisco document that my colleague and I wrote on digital certificate installation and renewal on the ASA:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

Hope this helps.
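The four checks listed in the reply above, run against a constructed ASA-style self-signed certificate and against the CA-issued certificate the four-step fix would produce. This is an added example, not code from the thread or from Cisco; it uses the dict shape Python's ssl.SSLSocket.getpeercert() returns, extended with an assumed "extendedKeyUsage" field, and all names, dates and the 71.71.0.1 address are constructed placeholders.

```python
import ssl
import time

# Constructed: an ASA's default self-signed cert (CN = hostname.domain-name, issuer = itself).
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "ciscoasa.example.com"),),),
    "issuer": ((("commonName", "ciscoasa.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (),
    "extendedKeyUsage": (),          # assumed field, not produced by getpeercert()
}
# Constructed: a third-party CA cert for the registered DNS name (steps 1-3 of the fix).
CA_ISSUED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "extendedKeyUsage": ("TLS Web Server Authentication",),
}
TRUSTED_CAS = {"Example Public CA"}   # stands in for the OS/browser trust store
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

def _cn(name):
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def _dns_match(pattern, host):
    # Exact match, or a single-label leftmost wildcard (*.example.com).
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_server_cert(cert, host, trusted_ca_names, now=None):
    """Return each of the four client-side checks -> True when it passes."""
    now = time.time() if now is None else now
    valid = ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])
    # 2) Name: SAN DNS entries win; fall back to CN only when there is no SAN.
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"] or [_cn(cert["subject"])]
    name_ok = any(n and _dns_match(n, host) for n in names)
    # 3) Chain: issuer must be a trusted CA, and a server cert issued by itself never is.
    chain_ok = cert["issuer"] != cert["subject"] and _cn(cert["issuer"]) in trusted_ca_names
    # 4) EKU: empty, or includes Server Authentication.
    eku = cert.get("extendedKeyUsage", ())
    eku_ok = not eku or "TLS Web Server Authentication" in eku
    return {"validity": valid, "name": name_ok, "trusted_issuer": chain_ok, "eku": eku_ok}

if __name__ == "__main__":
    print(check_server_cert(SELF_SIGNED_CERT, "71.71.0.1", TRUSTED_CAS, NOW))   # IP access, self-signed
    print(check_server_cert(CA_ISSUED_CERT, "vpn.example.com", TRUSTED_CAS, NOW))
```

Accessing the self-signed ASA by IP fails checks 2 and 3 exactly as the reply describes, while the CA-issued certificate reached by its DNS name passes all four.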

Thanks for the Support Rahul.

Really appreciate it!

Thanks for the reference.
