
Anyconnect blocks untrusted Server even with Certificate

Hej
Hi
I am testing AnyConnect in our lab. I have created a self-signed cert on FMC and pushed it to our FTDs. Then I exported that cert to the test PC and put it among the certs. But I still get the Untrusted Server error.

I know I can tick off the "block untrusted servers" setting, but that is not what we want.

Can you help with what I am missing with the cert?

Anyconnect Settings.PNG

Untrusted Server.PNG

Cert.PNG

Accepted Solution

In your original screenshot, the error states "cannot verify server: 10.250.1.54".
So just to be sure, are you typing the IP address into the AnyConnect client while testing, or do you have anyconnect.test.com or oscar.test.com in your hosts file and you're connecting to the name "oscar.test.com" in the AnyConnect client?

It's important (from the certificate validation point of view) that you're trying to connect to "oscar.test.com" and not "10.250.1.54".

And then, if your certificate is in the Trusted Root Certification Authorities store, you should not get the error.

Another item to consider: other guides (like https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/kmgmt-2587-AnyConnect-Installing-Self-Signed-Certificate.html) mention that the self-signed cert needs to be in the "Local machine" (not "Current user") part. Is that where you've installed the certificate on your machine?

13 Replies

@oscardenizjensen you are connecting to the IP address rather than the FQDN that is defined in the certificate, hence the warning.

Either connect to the FQDN (assuming DNS resolves to 10.250.1.54) or re-issue the certificate with the IP address in the SAN field.
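The name-matching rule this reply relies on, as an added illustration that is not code from the thread: a TLS client compares the target the user typed against the certificate's Subject Alternative Names, and an IP address only ever matches an iPAddress SAN entry, never a dNSName such as "oscar.test.com". The certificate values below are constructed to mirror the lab setup described in the thread.

```python
"""Hostname matching the way a TLS client (browser, AnyConnect) performs it.

Per RFC 6125 / RFC 2818, DNS-name targets are compared against dNSName SAN
entries (with a single left-most wildcard label allowed), IP-address targets
only against iPAddress SAN entries, and the Common Name is consulted only
when the certificate carries no SAN extension at all.
"""
from __future__ import annotations

import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison with single left-most wildcard support."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        # "*.test.com" covers exactly one extra label and never the bare "test.com"
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def target_matches_cert(target: str, san_dns: list[str], san_ip: list[str],
                        common_name: str | None = None) -> tuple[bool, str]:
    """Return (matches, reason) for a connection target against the cert's names."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target never satisfies a dNSName, however the cert's FQDN resolves.
        if any(ipaddress.ip_address(s) == ip for s in san_ip):
            return True, f"{target} is listed as an iPAddress SAN"
        return False, f"{target} is not among the iPAddress SANs {san_ip}"
    if san_dns or san_ip:
        if any(_dns_match(p, target) for p in san_dns):
            return True, f"{target} matches a dNSName SAN"
        return False, f"{target} matches none of the dNSName SANs {san_dns}"
    if common_name and _dns_match(common_name, target):
        return True, f"no SAN present; {target} matches CN {common_name}"
    return False, f"no SAN present and CN {common_name!r} does not match {target}"


# Constructed lab certificate: only the FQDN is present, no IP address SAN.
LAB_CERT = {"san_dns": ["oscar.test.com"], "san_ip": [], "common_name": "oscar.test.com"}

if __name__ == "__main__":
    for target in ("10.250.1.54", "oscar.test.com", "anyconnect.test.com"):
        ok, why = target_matches_cert(target, **LAB_CERT)
        print(f"{target:20} -> {'OK' if ok else 'UNTRUSTED'}: {why}")
```

Re-issuing the certificate with "10.250.1.54" as an iPAddress SAN, as suggested above, is what makes the IP target pass; a hosts-file entry for the FQDN is the alternative that leaves the certificate unchanged.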

I have added fw-1 as a DNS entry on my test PC, and I can ping the FW using the domain name.

But I still get the same error. Is it not the correct field?

oscardenizjensen_0-1729246299673.png


@oscardenizjensen, just to confirm, could you please click on the ID button on the second screenshot you shared and share the output for review? The local hosts entry you have should contain the CN or SAN value that was configured on the identity certificate of the firewall. The issuer of the firewall certificate should be trusted by your endpoint.

I have created a new cert with custom FQDN value. 

The cert on device

Cert-New.PNG

Cert on my PC. It is in the "Personal" cert folder on my PC.

Cert-local.PNG

Ok great, then the entry in your local hosts file should be "10.250.1.54      anyconnect.test.com", and please remove the other entries you added for this previously. The certificate you need on your PC is the issuer certificate (most likely the root CA) of the firewall certificate. That certificate should be imported into the Trusted Root CA certificates store on your PC. The Personal certificates store holds identity certificates, but in this case you don't need to import the firewall identity certificate to your PC and you don't need to issue any identity certificate to your PC for this specific usage; you just need to import the root CA certificate that issued the firewall identity certificate so your PC (AnyConnect) will trust the firewall certificate when it gets presented.

It is a Self-signed cert created on FMC and pushed to FTD. I have exported the cert from FTD and put it in Trusted Root CA on my PC but still get the same error.  

Would you mind sharing the screenshots of how/where you configured this on the FMC?

We need the root CA certificate to be imported into your PC, and tbh I'm not sure how we can get it given this is a self-signed certificate and it shows on the screenshot you shared it does not have a CA certificate. The certificate you imported into your PC is the identity certificate of the firewall and that wouldn't have the CA flag I believe, so it would not work.

What happens if you untick the tick box "Block connections to untrusted servers"?

Also, could you please open a browser and navigate to the firewall WebVPN portal "https://anyconnect.test.com" and see if the certificate that gets presented is the same as the one you imported into your PC? If it is not, then please download that one, import it into the Trusted Root CA certificates store and see if that makes any difference.

If I untick the Block connections to untrusted servers, then I can connect to the VPN.

I can open it on webpage, login and download anyconnect client without problem.

So I can not use self-signed cert on the PC? Is using the self-signed cert the problem? I do not have access to a CA authority to get a cert from for the LAB setup.

Is it not possible at all to use the self-signed cert?

For the life of me I can not find where the VPN configuration on FMC is. I checked Remote Access, but it doesn't give the details of the VPN setup.

When you open the VPN portal page in the browser and you check the certificate presented on that page, is it the same as the identity certificate of the firewall or is it different? Could you please check that and share the screenshot of that certificate?

If a self-signed cert would be a challenge, then I think you can use Let’s Encrypt, which provides free public certs for three months I believe, or SSL For Free:

https://letsencrypt.org

https://www.sslforfree.com

For the VPN configs in the FMC you can check this post of mine to get an idea of where the configs would be done:

https://bluenetsec.com/fmc-anyconnect-ssl-vpn/

Turns out Windows has 2 different cert locations: Current User and Local Machine. I put the cert into Trusted Root CA under Current User initially and it caused an issue. When I put the cert under Trusted Root CA in "Local Machine" and use the CN name, then it seems to work.

Good to know this and glad the issue is now fixed and thanks to @Jonatan Jonasson for this tip.

You should add "oscar.test.com" (as that seems to be the CN value added to the firewall certificate) entry in your local hosts file pointing to the firewall IP I think.