We are having an issue with an ASA5520 v8.0(4) appliance that suffered a Power outage (first time down in around a year) and since then AnyConnect 2.5.2019 VPN clients are failing with Certificate errors.
The clients authenticate using both a Microsoft CA issued Machine certificate and an AD logon, and the AnyConnect clients have an always-on TND profile applied.
The clients also have installed in their Trusted root store a Certificate for the Appliance and it is this Certificate that appears to have changed on Power Cycle, confirmed by checking Serial number of current appliance certificate with what the Clients have installed for the Appliance.
Checked the configuration and the ASA's External Interface used for SSL connections has no certificate assigned to the Interface and is using the Fallback certificate of the Appliance.
Does this Fallback Certificate change each time the ASA Appliance is power cycled? If so, what would you recommend to overcome this to survive Power Cycles - would a self-signed certificate applied to the Interface suffice?
We have found that we can get Clients working again by Importing the updated Appliance Certificate (Fallback certificate) into the clients' Trusted Root store, but should we suffer another Power outage, will we end up in a similar situation?
We have now created a self-signed certificate on the Appliance and attached it to the External interface and confirmed this certificate is persistent (does not change) after reboots of the Appliance.
Also checked the Appliance's default fallback certificate and can confirm it does indeed change on every reboot of the Appliance.
Something to watch out for if you use always-on with TND and machine certificate authentication - clients fail as they do not get a pop-up security alert prompting the user to accept the new certificate from the appliance.
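For reference, the persistent self-signed certificate approach described in the follow-up can be expressed as an ASA configuration like the one below. This is an added illustration, not the poster's own configuration: the trustpoint name, key label, CN and FQDN are placeholder values and should be replaced with your own. The important points are that the key pair and trustpoint live in the running configuration (unlike the fallback certificate, which is regenerated at boot) and that the configuration is saved so it survives a power cycle.

```cisco
! Generate a dedicated RSA key pair for the SSL trustpoint (label is a placeholder)
crypto key generate rsa label VPN-SSL-KEY modulus 2048

! Self-signed trustpoint bound to that key pair (names/CN/FQDN are placeholders)
crypto ca trustpoint VPN-SSL-SELFSIGNED
 enrollment self
 subject-name CN=vpn.example.com
 fqdn vpn.example.com
 keypair VPN-SSL-KEY
exit

! Enrol the trustpoint, which creates the self-signed identity certificate
crypto ca enroll VPN-SSL-SELFSIGNED noconfirm

! Present this certificate on the outside interface instead of the fallback cert
ssl trust-point VPN-SSL-SELFSIGNED outside

! Persist the key pair, trustpoint and certificate across reboots
write memory

! Verification: record the serial number shown here and compare it with the
! certificate installed in the clients' Trusted Root store, before and after a reboot
show crypto ca certificates VPN-SSL-SELFSIGNED
show run ssl
```

After a reboot, `show crypto ca certificates VPN-SSL-SELFSIGNED` should report the same serial number as before; if the outside interface were still using the fallback certificate, `show run ssl` would show no `ssl trust-point` line for that interface. Since the AnyConnect clients with always-on and machine-certificate authentication will not prompt the user on a certificate change, distributing this fixed certificate (or, preferably, one issued by the internal CA the clients already trust) to the clients' Trusted Root store is what keeps the tunnel establishment from failing silently.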