ANYCONNECT IP vs FQDN

keldridge
Level 1

Using AnyConnect 4.2.00096 I can connect to the VPN server using the FQDN but not using the server's IP. Why?

Does it have something to do with the cert being signed using the FQDN? When I use the IP I get the "Untrusted Server Blocked" message; when I use the FQDN I connect with no problem. The FQDN returns the IP when I do nslookup.

Thanks,

2 Replies

mibricen
Level 1

Hello Keldridge,

Indeed, the AnyConnect client by default blocks the connection to untrusted servers (there is a box you can "uncheck" in the settings so it will not be blocked; instead it will warn you that the server is not trusted and that it is your decision to proceed).

If the headend is using a certificate, it is most likely to be generated with the FQDN and not with the actual IP address. Hence, when AnyConnect tries the real IP instead, it will notice that it does not match the certificate and hence block it (or warn you, if so configured).

Regards,

Miguel

Shakti Kumar
Cisco Employee

Hi keldridge@caci.com,

When you connect using the IP address, AnyConnect is just giving you a warning but will not stop you from connecting. You can always uncheck "block connection to untrusted server" under the preferences tab to fix that warning issue.

The reason you get that warning is that the ASA is matching the URL against the CN name of the cert. The CN name of the cert would be something like example.com, so AnyConnect is getting a cert with CN=example.com; on the other hand you are connecting via IP address, hence the match fails and AnyConnect warns the user.

Something similar happens when you connect to another website, for example google.com, using its IP address: you will get a certificate error there too.

Thanks

Shakti
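The behaviour both replies describe is ordinary TLS server-identity checking. The Python below is an added example, not code from this thread or from Cisco, that reproduces the rule with constructed certificate names (vpn.example.com and the documentation address 203.0.113.10): an IP literal typed into the client is compared only against iPAddress SAN entries, so it never matches a certificate that names only the FQDN, even though DNS resolves that name to the same IP. The "block" versus "warn" outcome mirrors the client preference the replies mention.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identities carried by a server certificate (constructed sample, not a real cert)."""
    common_name: str
    dns_sans: list = field(default_factory=list)  # subjectAltName dNSName entries
    ip_sans: list = field(default_factory=list)   # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style name comparison: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def server_identity_matches(cert: CertNames, target: str) -> bool:
    """True if the string the user typed into the client matches the certificate.
    An IP literal is compared only against iPAddress SANs, never against dNSName
    entries or the CN, so "203.0.113.10" fails against a cert issued for vpn.example.com
    even when DNS resolves that name to 203.0.113.10."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)
    if cert.dns_sans or cert.ip_sans:
        return any(_dns_match(p, target) for p in cert.dns_sans)
    # Legacy fallback: the CN is consulted only when the cert has no SAN extension at all
    return _dns_match(cert.common_name, target)


def client_decision(cert: CertNames, target: str, block_untrusted: bool = True) -> str:
    """'connect' on a match; otherwise 'blocked' with the block-untrusted preference on, else 'warn'."""
    if server_identity_matches(cert, target):
        return "connect"
    return "blocked" if block_untrusted else "warn"


# Constructed certificates: one issued for the FQDN only, one that also carries the IP as a SAN.
FQDN_ONLY_CERT = CertNames("vpn.example.com", dns_sans=["vpn.example.com"])
FQDN_AND_IP_CERT = CertNames("vpn.example.com", dns_sans=["vpn.example.com"], ip_sans=["203.0.113.10"])
```

The fix that keeps verification on is the second certificate shape: include the address as an iPAddress SAN rather than unchecking the block-untrusted preference.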