
Anyconnect client error - "certificate does not match the server name"

S891
Level 2

Hi,

I have a valid cert installed on ASA and all users except for a few Mac OS users have reported AnyConnect certificate error message:

"Security Warning : Untrusted VPN server certificate

Anyconnect cannot verify VPN server : x.x.x.x

Certificate does not match the server name" 

 

This is appearing for only a few AnyConnect users on Mac OS. Everyone else has no issue.

What could be causing this? Any suggestions please.

5 Replies

Vishnu Sharma
Level 1

Hi Fawad,

 

Could you please check what DNS (Domain Name System) name is specified in the SAN (Subject Alternative Name) field, or the FQDN (Fully Qualified Domain Name), or the CN (Common Name) in the subject name of the certificate?

Please make sure that the Mac users are using the same name while connecting. Probably the certificate has the CN asa.cisco.com and, let's say, the public IP address of the ASA is 1.1.1.1, and the Mac users are connecting to 1.1.1.1, or vice versa.

In order to fix this issue, either DNS should be set up in such a way that the SAN DNS name, FQDN or CN (in this case "asa.cisco.com") resolves to the server's IP address, or the user can manually make an entry in the hosts file on the client PC.

The hosts file can be found at:
Windows - C:\windows\system32\drivers\etc\hosts,
Mac - /private/etc/hosts,
Linux - /etc/hosts.

 

Please let me know if this helps.

 

Thanks,

Vishnu 
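The name check described in the reply above, as an added Python example that is not part of the original thread and not AnyConnect's own code: it compares what the user typed into the client with the certificate's SAN and CN entries. The certificate dicts are constructed samples in the layout returned by `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, and the wildcard and CN-fallback handling go beyond the case in the reply, following RFC 6125 conventions.

```python
import ipaddress

# Constructed sample certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns. Names and addresses follow the reply above.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "asa.cisco.com"),),),
    "subjectAltName": (("DNS", "asa.cisco.com"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "asa.cisco.com"),),)}
CERT_DNS_AND_IP = {
    "subject": ((("commonName", "asa.cisco.com"),),),
    "subjectAltName": (("DNS", "asa.cisco.com"), ("IP Address", "1.1.1.1")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_server_name(cert, entered):
    """Return (ok, reason) for the name or address the user typed into the client."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for t, v in sans if t == "DNS"]
    ip_sans = [v for t, v in sans if t == "IP Address"]
    try:
        addr = ipaddress.ip_address(entered)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal can only match an IP Address SAN, never a DNS name or CN.
        if any(ipaddress.ip_address(v) == addr for v in ip_sans):
            return True, "matched IP Address SAN"
        return False, "connected by IP but certificate has no matching IP Address SAN"
    if dns_sans:
        # When DNS SANs exist, the CN is not consulted (RFC 6125 rule).
        if any(_dns_match(p, entered) for p in dns_sans):
            return True, "matched DNS SAN"
        return False, "no DNS SAN matches; CN ignored because DNS SANs are present"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(p, entered) for p in cns):
        return True, "matched CN only (certificate has no DNS SAN)"
    return False, "no SAN or CN matches"
```

Calling `check_server_name(CERT_DNS_ONLY, "1.1.1.1")` reproduces the mismatch from the reply: the certificate names asa.cisco.com, but the client was pointed at the IP address.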

Hi Vishnu,

The DNS entry and CN name are all correct. The user is connecting by name using AnyConnect.

This is working fine for all users EXCEPT for Mac OS users. So I do not think there is any issue with the certificate itself. I have a suspicion that it could be either a bug in AnyConnect or some setting on Mac OS, or maybe it is using old certificate information.

I see an exclamation mark in the certificate "Key usage" and "Basic Constraints".

I am not sure if this indicates a problem that Mac OS cannot handle and so gives the certificate error.

I am looking for a way to override this. 

Did you ever find the fix for the above? I am having the same issue with all my Mac devices.

KenPatel89097
Level 1

What was the fix for this? I am having the same issue with AnyConnect on MacOS devices.