09-07-2011 05:28 PM - edited 02-21-2020 05:34 PM
Hi all,
When I'm trying to connect using the stand-alone AnyConnect client (not through the web), I get the SSL error message "The certificate you are viewing does not match the name of the site you are trying to view" (attached).
The certificate I installed for the SSL connection on the outside interface has Subject CN=testvpn.mydomain and Subject Alternative Name (SAN) --> DNS Name = testvpn.mydomain
It seems to me that instead of connecting to testvpn.mydomain, AnyConnect tries to connect to its IP address. I did try to remove the IP address from the Server List in the profile, but it still doesn't work.
If I'm using Clientless (through the browser), I don't receive this error, which means the certificate is installed correctly.
Is that a bug in AnyConnect 2.5.2019, or is there another way to force AnyConnect to check the name instead of the IP against the certificate?
Thanks,
09-07-2011 08:26 PM
Hello Lam,
Reading your post, this is likely a problem with the XML profile, as you don't see a prompt when using the browser. You said you removed the IP address from the server list; did you leave "testvpn.mydomain" on it? Can we take a look at it?
Regards,
09-08-2011 05:01 PM
Hi,
I've already sorted it out. I just had to delete all the existing profiles on the system (C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\) and re-download the new edited profile (with the Host Address removed from the Server List in the profile).
Everything seems working as expected now.
Thanks for the attention,
09-08-2011 05:59 PM
Hello Lam,
It's great that it's working fine now, so let me explain to you what was going on. You were seeing the cert warning just via AnyConnect due to the XML profile you had deployed, which included the IP. The machine you were testing with downloaded that XML file, and each time you tried to connect the warning was popping up, even after you removed the IP address from the server list on the ASA. What happens is that you probably just modified the file and continued using the same name for the profile; if you change the profile and re-use the same name, you need to reissue the command "svc profiles LAM-XML-PROFILE disk0:/LAM-PROFILE.xml", otherwise the same old profile is in memory and will be reused. Once you've refreshed the profile and you reconnect the AnyConnect client, the new profile will be downloaded, but here is the catch: you need to exit the AnyConnect client to see the new information, otherwise it will appear that the profile has not been updated.
Hope this clarifies the issue.
Regards,
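As an added illustration of the cause described in this thread (not code from the thread or from Cisco), here is a small checker that parses an AnyConnect client profile and flags any ServerList HostAddress that cannot match a certificate whose CN/SAN carries only DNS names. The profile content, the host names and the address 192.0.2.10 are constructed sample values; matching is exact and case-insensitive (wildcard SANs are not handled).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (not the poster's real file): the first
# HostEntry points at an IP literal, the second at the certificate's DNS name.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>testvpn (by IP)</HostName>
      <HostAddress>192.0.2.10</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>testvpn</HostName>
      <HostAddress>testvpn.mydomain</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Drop the namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def is_ip_literal(value):
    """True when the HostAddress is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_profile(xml_text, cert_names):
    """Return (HostName, HostAddress, reason) for every HostEntry whose
    HostAddress is not among the certificate's CN/SAN names (cert_names)."""
    names = {n.strip().lower() for n in cert_names}
    findings = []
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        addr = fields.get("HostAddress", "")
        if not addr or addr.lower() in names:
            continue  # no address, or it matches a name on the certificate
        reason = ("IP literal; client will compare it against the certificate"
                  if is_ip_literal(addr) else "name absent from certificate CN/SAN")
        findings.append((fields.get("HostName", ""), addr, reason))
    return findings
```

Run `check_profile(SAMPLE_PROFILE, ["testvpn.mydomain"])` against a downloaded profile to see which entries will trigger the name-mismatch warning before users do.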
09-08-2011 11:05 PM
Hi Gus,
Thanks for the explanation. It's very clear now.