I have added fw-1 as a dns entry to my test pc, and I can ping the FW using domain name

But  I still get the same error. is it not the correct field?

@oscardenizjensen, just to confirm, could you please click on the ID button on the second screenshot you shared and share the output for review? the local hosts entry you should have should have the CN or SAN value that was configured on the identity certificate of the firewall. The issuer of the firewall certificate should be trusted by your endpoint.

I have created a new cert with custom FQDN value. 

The cert on device

Cert on my PC . It is on "personal" cert folder on my pc.

Ok great, then the entry on your local hosts file should be "10.250.1.54      anyconnect.test.com" and please remove the other entries you added for this previously. The certificate you need on your PC should be the issuer certificate (most likely root CA) of the firewall certificate. That certificate should be imported into the trusted root ca certificates store on your PC. The personal certificates store would include the identity certificates, but in this case you don't need to import the firewall identity certificate to your PC and you don't need to issue any identity certificate to your PC for this specific usage, you just need to import the root CA certificate that issued the firewall identity certificate so your PC (AnyConnect) will trust the firewall certificate when it gets presented.

It is a Self-signed cert created on FMC and pushed to FTD. I have exported the cert from FTD and put it in Trusted Root CA on my PC but still get the same error.  

Would you mind sharing the screenshots of how/where you configured this on the FMC?

We need the root CA certificate to be imported into your PC, and tbh I'm not sure how we can get it given this is a self-signed certificate and it shows on the screenshot you shared it does not have a CA certificate. The certificate you imported into your PC is the identity certificate of the firewall and that wouldn't have the CA flag I believe, so it would not work.

What happened if you try to untick the tick box of "Block connections to untrusted servers"?

Also, could you please try to open up a browser and navigate to the firewall WebVPN portal "https://anyconnect.test.com" and see if the certificate that gets presented is the same as the one you imported into your PC? If it is not, then please download that one and import it into the trusted root ca certificates store and see if that makes any difference.

If I untick the Block connections to untrusted servers, then I can connect to the VPN.

I can open it on webpage, login and download anyconnect client without problem.

So I can not use self-signed cert on the PC? Is using the self-signed cert the problem? I do not have access to a CA authority to get a cert from for the LAB setup.

Is it not possible at all to use the self-signed cert?

For the life of me I can not find where the VPN configuration on FMC is. I check remote-access but it doesn't give the details for VPN setup

When you open the VPN portal page in the browser and you check the certificate presented on that page, is it the same as the identity certificate of the firewall or is it different? Could you please check that and share the screenshot of that certificate?

If self-signed cert would be a challenge then I think you can use Let’s Encrypt which provides free public certs for three months I believe or SSL For Free:

https://letsencrypt.org

https://www.sslforfree.com

For the VPN configs in the FMC you can check this post of mine to get an idea of where the configs would be done:

https://bluenetsec.com/fmc-anyconnect-ssl-vpn/

Turns out windows have 2 different cert locations. Current user and Local machine. I put the Cert into Trusted Root CA under Current user initially and it caused an issue. When I put the cert under Truster Root CA in "Local Machine" and use the CN name, then it seems to work.

Good to know this and glad the issue is now fixed and thanks to @Jonatan Jonasson for this tip.