10-18-2024 02:28 AM
Hi
I am testing AnyConnect in our lab. I have created a self-signed cert on FMC and pushed it to our FTDs. Then I have exported that cert to the test PC and put it among the certs. But I still get the "Untrusted server" error.
I know I can tick off the "block untrusted servers" setting, but that is not what we want.
Can you help with what I am missing with the cert?
Solved! Go to Solution.
10-18-2024 03:25 PM
In your original screenshot, the error states "cannot verify server: 10.250.1.54"
So just to be sure, are you typing the IP address into the AnyConnect client while testing, or do you have anyconnect.test.com or oscar.test.com in your hosts file and you're connecting to the name "oscar.test.com" in the AnyConnect client?
It's important (from the certificate validation point of view) that you're trying to connect to "oscar.test.com" and not "10.250.1.54"
And then, if your certificate is in the trusted root certificate authorities, you should not get the error.
Another item to consider, other guides (like https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/kmgmt-2587-AnyConnect-Installing-Self-Signed-Certificate.html) mention that the self-signed cert needs to be in the "Local machine" (not "current user") part, is that where you've installed the certificate on your machine?
10-18-2024 02:36 AM
@oscardenizjensen you are connecting to the IP address rather than the FQDN that is defined in the certificate, hence the warning.
Either connect to the FQDN (assuming DNS resolves to 10.250.1.54) or re-issue the certificate with the IP address in the SAN field.
10-18-2024 03:11 AM - edited 10-18-2024 03:36 AM
I have added fw-1 as a DNS entry on my test PC, and I can ping the FW using the domain name.
But I still get the same error. Is it not the correct field?
10-18-2024 04:08 AM
@oscardenizjensen, just to confirm, could you please click on the ID button on the second screenshot you shared and share the output for review? the local hosts entry you should have should have the CN or SAN value that was configured on the identity certificate of the firewall. The issuer of the firewall certificate should be trusted by your endpoint.
10-18-2024 04:21 AM
I have created a new cert with a custom FQDN value.
The cert on the device:
The cert on my PC. It is in the "Personal" cert folder on my PC.
10-18-2024 06:08 AM - edited 10-18-2024 06:10 AM
Ok great, then the entry on your local hosts file should be "10.250.1.54 anyconnect.test.com" and please remove the other entries you added for this previously. The certificate you need on your PC should be the issuer certificate (most likely root CA) of the firewall certificate. That certificate should be imported into the trusted root ca certificates store on your PC. The personal certificates store would include the identity certificates, but in this case you don't need to import the firewall identity certificate to your PC and you don't need to issue any identity certificate to your PC for this specific usage, you just need to import the root CA certificate that issued the firewall identity certificate so your PC (AnyConnect) will trust the firewall certificate when it gets presented.
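Two separate checks are being discussed in this thread: the name the user types must match a DNS or IP Address SAN on the firewall certificate (the point made about connecting to the FQDN rather than 10.250.1.54), and the issuer of that certificate must be in the PC's trusted root store. The Python below is an added example, not code from the thread, from Cisco or from the AnyConnect client; it reimplements the RFC 6125-style name check a VPN client performs on constructed sample certificates (the real firewall certificate is not available here), and `probe()` opens a TLS connection to the firewall with a chosen CA file so you can tell which of the two checks is failing. The hostnames, IP and certificate contents are taken from the thread or constructed as sample data.

```python
"""Name/SAN matching plus a TLS probe for the AnyConnect 'cannot verify server' error.

Added example, not from the thread or from Cisco. Certificates below are constructed
sample data in the dict layout that ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
import socket
import ssl

# Constructed: a cert whose only SAN is the FQDN (the thread's first working cert).
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "anyconnect.test.com"),),),
    "subjectAltName": (("DNS", "anyconnect.test.com"),),
}
# Constructed: the same cert re-issued with the IP address added to the SAN.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "anyconnect.test.com"),),),
    "subjectAltName": (("DNS", "anyconnect.test.com"), ("IP Address", "10.250.1.54")),
}
# Constructed: a legacy cert with no SAN extension at all, CN only.
CERT_CN_ONLY = {
    "subject": ((("commonName", "oscar.test.com"),),),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard is honoured only in the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: dict, target: str) -> bool:
    """True if the name the user typed is covered by the certificate.

    An IP literal must appear as an IP Address SAN (the CN is never consulted for IPs);
    a DNS name is checked against DNS SANs; the CN is a fallback only when the
    certificate carries no SAN extension at all.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    if sans:
        return any(kind == "DNS" and _dns_match(val, target) for kind, val in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, target) for cn in cns)


def explain(cert: dict, target: str) -> str:
    """Readable verdict for the name typed into the client."""
    if name_matches(cert, target):
        return f"ok: {target} is covered by the certificate"
    sans = ", ".join(f"{k}={v}" for k, v in cert.get("subjectAltName", ())) or "none"
    return f"mismatch: {target} not in SAN ({sans}); connect by the FQDN or add it to the SAN"


def probe(host: str, port: int = 443, cafile=None) -> str:
    """Connect to the firewall using `cafile` (the issuer certificate) as the only trust
    anchor and report which check fails. Live network call, not run by the tests.
    OpenSSL distinguishes a hostname mismatch (verify code 62) from an untrusted or
    self-signed issuer (codes 18, 19, 20), which is exactly the split the thread needs.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: server presented {tls.getpeercert()['subject']}"
    except ssl.SSLCertVerificationError as e:
        if e.verify_code == 62:
            return f"name: {e.verify_message}"
        if e.verify_code in (18, 19, 20):
            return f"trust: {e.verify_message} (import the issuer into the trusted root store)"
        return f"verify: {e.verify_message}"


if __name__ == "__main__":
    for cert, target in ((CERT_FQDN_ONLY, "10.250.1.54"),
                         (CERT_FQDN_ONLY, "anyconnect.test.com"),
                         (CERT_WITH_IP_SAN, "10.250.1.54")):
        print(explain(cert, target))
```

With a hosts entry of `10.250.1.54 anyconnect.test.com`, `probe("anyconnect.test.com", cafile="issuer.pem")` returns a `name:` line when the SAN is wrong and a `trust:` line when the issuer is not in the file you passed; `probe("10.250.1.54", ...)` against `CERT_FQDN_ONLY`-style certificates always fails the name check, which is the error in the original screenshot.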
10-18-2024 06:22 AM
It is a self-signed cert created on FMC and pushed to FTD. I have exported the cert from FTD and put it in Trusted Root CA on my PC, but I still get the same error.
10-18-2024 07:34 AM
Would you mind sharing the screenshots of how/where you configured this on the FMC?
We need the root CA certificate to be imported into your PC, and tbh I'm not sure how we can get it given this is a self-signed certificate and it shows on the screenshot you shared it does not have a CA certificate. The certificate you imported into your PC is the identity certificate of the firewall and that wouldn't have the CA flag I believe, so it would not work.
What happened if you try to untick the tick box of "Block connections to untrusted servers"?
Also, could you please try to open up a browser and navigate to the firewall WebVPN portal "https://anyconnect.test.com" and see if the certificate that gets presented is the same as the one you imported into your PC? If it is not, then please download that one and import it into the trusted root ca certificates store and see if that makes any difference.
10-18-2024 01:24 PM
If I untick "Block connections to untrusted servers", then I can connect to the VPN.
I can open it on the web page, log in and download the AnyConnect client without problem.
So I cannot use a self-signed cert on the PC? Is using the self-signed cert the problem? I do not have access to a CA authority to get a cert from for the lab setup.
Is it not possible at all to use the self-signed cert?
For the life of me I cannot find where the VPN configuration on FMC is. I check remote-access but it doesn't give the details for the VPN setup.
10-18-2024 02:37 PM - edited 10-18-2024 02:40 PM
When you open the VPN portal page in the browser and you check the certificate presented on that page, is it the same as the identity certificate of the firewall or is it different? Could you please check that and share the screenshot of that certificate?
If self-signed cert would be a challenge then I think you can use Let’s Encrypt which provides free public certs for three months I believe or SSL For Free:
For the VPN configs in the FMC you can check this post of mine to get an idea of where the configs would be done:
10-21-2024 01:33 AM
Turns out Windows has 2 different cert locations: Current User and Local Machine. I put the cert into Trusted Root CA under Current User initially and it caused an issue. When I put the cert under Trusted Root CA in "Local Machine" and use the CN name, then it seems to work.
10-21-2024 02:45 AM
Good to know this and glad the issue is now fixed and thanks to @Jonatan Jonasson for this tip.
10-18-2024 03:59 AM
You should add an "oscar.test.com" entry (as that seems to be the CN value added to the firewall certificate) to your local hosts file pointing to the firewall IP, I think.