
AnyConnect Certificate doesn't match server name

Hi All. 

I know this has come up a few times already on the community, but all the answers I tried don't work for me.

I will describe my problem just a bit.

 

We have this error now and have had it from the beginning.

[Images: Security Warning.jpg, AnyConnectProfile.jpg]

I installed a CA certificate on one WAN interface, and when you connect through a browser the certificate is valid and secure. When I try to connect via AnyConnect I get the error "Certificate doesn't match the server name". I found a kind of solution on the Cisco community: to correct all AnyConnect profiles by adding <HostName> and <HostAddress>. I did it as it should be (picture above).

The weird thing is that sometimes you won't get this kind of error, but very rarely.

 

Thanks for your support.

 

1 ACCEPTED SOLUTION


Re: AnyConnect Certificate doesn't match server name

Hi All.

 

I found the solution. 

 

First, I changed the server list on each AnyConnect client profile from IP to FQDN. (I had tested this before on my AnyConnect client and it did not resolve the issue.)

Second, I deleted the files from C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client

and it started working as it should.

I will test more on another PC.

 

Thanks for the assist.

 

 


4 REPLIES

RJI (Advisor)

Re: AnyConnect Certificate doesn't match server name

Hi,
So does the host address in the anyconnect profile match exactly the CN or SAN value on the certificate in use by the ASA/FTD? Take a packet capture and have a look at the certificate in use during the connection.
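
The comparison asked about in the reply above, as an added example that is not part of the thread and not Cisco's code: it reads every HostEntry from a profile and checks its HostAddress against the names on the gateway certificate using the ordinary TLS hostname rules. The profile XML and the certificate name lists are constructed sample values, and the fallback to HostName is an assumption of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread): one entry by IP, one by FQDN.
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>HQ by IP</HostName><HostAddress>203.0.113.10</HostAddress></HostEntry>
    <HostEntry><HostName>HQ by name</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed CN/SAN values of the gateway certificate (assumption).
CERT_DNS_NAMES = ["vpn.example.com", "*.corp.example.com"]
CERT_IP_NAMES = []  # no IP SAN on this sample certificate

def local(tag):
    """Strip the XML namespace so the lookup works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def host_entries(profile_xml):
    """Yield (HostName, HostAddress) for every HostEntry in the profile."""
    for el in ET.fromstring(profile_xml).iter():
        if local(el.tag) == "HostEntry":
            f = {local(c.tag): (c.text or "").strip() for c in el}
            # With no HostAddress, fall back to HostName (assumption of this example).
            yield f.get("HostName", ""), f.get("HostAddress") or f.get("HostName", "")

def dns_match(host, pattern):
    """Case-insensitive match; '*' covers exactly one left-most label."""
    h, p = host.lower().rstrip(".").split("."), pattern.lower().rstrip(".").split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def name_matches(address, dns_names, ip_names):
    """An IP address is compared to IP entries only, never to DNS names."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return any(dns_match(address, n) for n in dns_names)
    return any(ip == ipaddress.ip_address(n) for n in ip_names)

def audit(profile_xml, dns_names, ip_names):
    """Map each HostName to True (name matches) or False (mismatch)."""
    return {name: name_matches(addr, dns_names, ip_names)
            for name, addr in host_entries(profile_xml)}

if __name__ == "__main__":
    for name, ok in audit(PROFILE, CERT_DNS_NAMES, CERT_IP_NAMES).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

With the sample data the entry defined by IP address is reported as a mismatch and the entry defined by FQDN as a match.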


Re: AnyConnect Certificate doesn't match server name

Hi RJI.

 

I did a packet capture and I cannot see any certificate being exchanged in the Server Hello and Client Hello. When you connect through WWW the certificate is valid. The CN looks identical on the cert and the identity cert.

How does AnyConnect verify the certificate? Do you have to install a CA on the PC?

[Images: Packet capture.jpg, www.jpg]

 

 

RJI (Advisor)

Re: AnyConnect Certificate doesn't match server name

That output of the packet capture doesn't confirm the URL.
When you connect to AnyConnect are you using SSL or IPSec?

If you want you can PM me your packet capture and the url of your server and I can investigate further for you.

 

EDIT: If you are using IPSec when connecting via AnyConnect, you should check to ensure you are actually using the same certificate for both SSL and IPSec connections. Compare the output of the following:-

 

ssl trust-point LAB_PKI OUTSIDE << SSL/TLS

crypto ikev2 remote-access trustpoint LAB_PKI << IPSec

 

If the trustpoint is different for crypto ikev2 remote-access compared to the SSL trust-point you'd receive an error when connecting via AnyConnect but not when you connect via the Webpage.

 

HTH
