03-21-2017 12:16 PM - edited 02-21-2020 09:12 PM
Using AnyConnect 4.2.00096 I can connect to the VPN server using the FQDN but not using the server's IP, why?
Does it have something to do with the cert being signed using the FQDN? When I use the IP I get "Untrusted Server Blocked"; when I use the FQDN I connect with no problem. The FQDN returns the IP when I do nslookup.
Thanks,
03-21-2017 01:52 PM
Hello Keldridge,
Indeed, the AnyConnect client by default blocks the connection to untrusted servers (there is a box you can "uncheck" in the settings so it will not be blocked; instead it will warn you that the server is not trusted and it is your decision to proceed).
If the headend is using a certificate, it was most likely generated with the FQDN and not with the actual IP address. Hence, when AnyConnect tries the real IP instead, it will notice that it does not match the certificate and block it (or warn you, if so configured).
Regards,
Miguel
03-22-2017 09:50 AM
When you connect using the IP address, AnyConnect just gives you a warning but will not stop you from connecting. You can always uncheck "block connection to untrusted server" under the Preferences tab to fix that warning issue.
The reason you get that warning is that the ASA is matching the URL with the CN of the cert, so the CN of the cert would be something like example.com, and AnyConnect is getting a cert with CN=example.com.
Something similar happens when you connect to another website, for example google.com, with the
Thanks
Shakti
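To make the matching rule in the two replies concrete, here is an added example (not Cisco's code and not AnyConnect's actual implementation) that checks whether what a user typed, FQDN or IP, is a name the head-end certificate covers. It assumes the RFC 6125 rule that an IP target is satisfied only by an "IP Address" SAN and never by the CN, and the certificate values are constructed.

```python
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS match: a wildcard may only stand for the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.com"-style patterns and wildcards that would span several labels.
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_certificate(target: str, cert: dict) -> bool:
    """True if `target` (what the user typed into the client) is a name the cert covers.

    `cert` uses the dict shape returned by ssl.getpeercert(): a 'subject' tuple of
    RDNs and a 'subjectAltName' tuple of (type, value) pairs.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is only satisfied by an 'IP Address' SAN; the CN is never consulted,
        # which is why a cert issued for the FQDN alone fails when the IP is typed.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_label_match(name, target) for name in dns_names)
    # Legacy fallback: the subject CN is consulted only when the cert carries no DNS SANs.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_label_match(cn, target) for cn in cns)


# Constructed sample certs (not real ones): a head-end cert issued for the FQDN only,
# and the same cert re-issued with an IP SAN so that connecting by IP also validates.
FQDN_ONLY_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
WITH_IP_SAN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.5")),
}
```

On a verified TLS connection, `ssl.getpeercert()` returns a dict in this same shape, so the check can be run against a real head-end certificate to see which names it actually covers. The durable fix for the warning is a certificate whose SAN lists every name users will type, rather than unchecking the "block untrusted server" setting.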