Anyconnect 2.5.2019 - SSL Certificate Mismatch

Lam Hung Chung
Level 1

Hi all,

When I'm trying to connect using stand-alone Anyconnect (not through the web), I got the SSL error message "The certificate you are viewing does not match the name of the site you are trying to view" (attached).

The certificate I installed for the SSL connection on the outside interface has Subject CN=testvpn.mydomain and Subject Alternative Name (SAN) --> DNS Name = testvpn.mydomain

It seems to me that instead of connecting to testvpn.mydomain, Anyconnect tries to connect to its IP address. I did try to remove the IP address from the Server List in the profile, but it still doesn't work.

If I'm using Clientless (through the browser), I don't receive this error, which means the certificates are installed correctly.

Is that a bug in Anyconnect 2.5.2019, or are there other ways to force Anyconnect to check the name instead of the IP against the certificate?

Thanks,

4 Replies

Gustavo Medina
Cisco Employee

Hello Lam,

Reading your post, this is likely a problem with the XML profile, as you don't see a prompt when using the browser. You said you removed the IP address from the server list; did you leave "testvpn.mydomain" on it? Can we take a look at it?

Regards,

Hi,

I've already sorted it out. I just had to delete all the existing profiles on the system (C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\) and re-download the new edited profile (removed Host Address from Server List in the profile).

Everything seems to be working as expected now.

Thanks for the attention,

Hello Lam,

It's great that it's working fine now, so let me explain what was going on. You were seeing the cert warning just via Anyconnect due to the XML profile you had deployed, which included the IP. The machine you were testing with downloaded that XML file, and each time you tried to connect the warning was popping up, even after you removed the IP address from the server list on the ASA. What happens is that you probably just modified the file and continued using the same name for the profile. If you change the profile and re-use the same name, you need to reissue the command "svc profiles LAM-XML-PROFILE disk0:/LAM-PROFILE.xml"; otherwise, the same old profile is in memory and will be reused. Once you've refreshed the profile and you reconnect the Anyconnect client, the new profile will be downloaded, but here is the catch: you need to exit the Anyconnect client to see the new information, otherwise it will appear that the profile has not been updated.

Hope this clarifies the issue.

Regards,
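A small check for the situation Gustavo describes, added here as an example and not taken from the thread or from Cisco: it reads the HostAddress entries out of an AnyConnect XML profile and flags the ones a client could never validate against a certificate issued to a DNS name, which is exactly what an IP literal in the Server List does. The profile text, the address 203.0.113.10 and the certificate name set are constructed; the element layout (ServerList/HostEntry/HostName/HostAddress) follows the Server List and Host Address fields named in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile; ServerList/HostEntry/HostName/HostAddress is the
# layout the thread refers to. The first HostAddress is an IP literal, which is
# what made the client compare the IP against a certificate issued to a DNS name.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Test VPN (by IP)</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Test VPN (by name)</HostName>
      <HostAddress>testvpn.mydomain</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed: the DNS names the gateway certificate carries (CN and SAN).
CERT_DNS_NAMES = {"testvpn.mydomain"}

def _local(tag):
    # '{namespace}HostEntry' -> 'HostEntry', so the check ignores the xmlns.
    return tag.rsplit("}", 1)[-1]

def host_entries(profile_xml):
    """Return (HostName, HostAddress) pairs from the profile's ServerList."""
    entries = []
    for el in ET.fromstring(profile_xml).iter():
        if _local(el.tag) == "HostEntry":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            entries.append((f.get("HostName", ""), f.get("HostAddress", "")))
    return entries

def name_matches(host_address, cert_dns_names):
    """True if a client connecting to host_address would find that name in the
    certificate. An IP literal can never match a DNS-only SAN/CN."""
    try:
        ipaddress.ip_address(host_address)
        return False
    except ValueError:
        host = host_address.lower().rstrip(".")
        return host in {n.lower() for n in cert_dns_names}

def mismatching_hosts(profile_xml, cert_dns_names):
    """HostAddress values that would trigger the certificate-name mismatch warning."""
    return [addr for _, addr in host_entries(profile_xml)
            if not name_matches(addr, cert_dns_names)]
```

Run it against the profile actually pushed to the client and the gateway certificate's names; an empty result means every Server List entry is something the certificate can vouch for.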

Hi Gus,

Thanks for the explanation. It's very clear now.