I was done testing my setup (everything worked) and i bought a 3rd party certificate from a commercial CA. After installing a the certificate on the ASA and adding a A-record on my domain i tried connecting the AnyConnect client with the FQDN of the ASA:
Everything works fine and there are no errors during the connection.
The second time i try to connect the AnyConnect client shows the following in the "Connect to:" field:
After doing the second connection i get an ssl error stating that there is a mismatch between the hostname i am connecting to and the hostname in the certificate. My thoughts is that it is using "vpn01" as the hostname for the ASA during connection.
Does anyone know why this happens and how i can get the AnyConnect client to show the FQDN in the "Connect to:" field?
If i change the text from "vpn01 (IPsec)" to "vpn01.domain.com" manually, the error is not dislayed during and everything works fine.
First time you connect you have not yet downloaded the profile.
Please check what values you have provided as hostname/hostaddress in profile.
Typically you can remove the profile and re-try connection.
ANyconnect stores profile here:
Alos the name could have been already pushed to local preferences, it might not be upated (staright away) even if profile is :-)
Hi Marcin :-)
I realized that the client profile was downloaded from the ASA during the connection. I downloaded the "VPN_Client_Profile.xml file from the ASA and had a look at it in an editor:
The xml file on the ASA has "vpn01 (IPsec)" in the "HostName" section above. I tried to delete all ssl certificates on the ASA, i revoked my 3rd party certificate and did everything all over again. I deleted the xml file and the connection profile and set up a new one. The certificate i am using when creating the connection profile is the 3rd party certificate and it does not contain the hostname "vpn01" only the FQDN "vpn01.domain.com".
I guess i am trying to find out where the ASA gets the "HostName" value from when creating the profile. I read an article that said the box has an internal certificate wich changes at every boot, perhaps this certificate is used during the creation of the xml file, but i am really guessing here.
I can only see 1 certificate on the box, and that is the valid one. Where the "vpn01" hostname gets from i don't know.
is it possible to change the internal certificate (if there is such a thing) so it will use my 3rd party certificate for all services?
I don't have a AC installed here, but.
Ditch the HostAddress - you don't need it normally.
check(AFAIR) preferences_global ... file, you might need to remove it (change name).
Don't know if i quite got your point Mr Marcin :-), but i:
Uninstalled the AnyConnect client
Deleted all files and folders under:
C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\
C:\Users\MyUsername\AppData\Local\Cisco\Cisco AnyConnect VPN Client\
Downloaded the "connection_profile_called_something.xml" file from the ASA, changed "vpn01 (IPsec)" to "vpn01.domain.com" in notepad and uploaded the file again.
Everything works fine now, i have verified this with another client machine who had the problem.
I dont know wich one of the above that did the trick.
Another strange thing is that the:
C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\connection_profile_called_something.xml file still has the following entry:
On change i noticed though that was different earlier is that the preference.xml file now contains this information:
(C:\Users\MyUsername\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml)
Earlier it had a "vpn01 (ipsec)" entry wich is gone now.
Things are finally ready for production!
Have a grat weekend Marcin, and thank you for replying
Glad it's working. :-)
I'm keeping to my side of the story, hostname should ba DNS name to avoid problems.
You should edit the certificate on the ASA where it's downloaded from to avoid problems on new machines.
That's at least my experience. If it works for you, I'm happy :-)