AnyConnect Security Warning

lukesmiller (Level 1)

I have an issue with AnyConnect giving a Security Warning
I have installed a wildcard certificate on the ASA
If I open a Chrome or Edge browser and go to the URL - I do not get the Security Warning and the certificate shows valid with a lock

[screenshot: Chrome showing the certificate as valid]

[screenshot: Edge showing the certificate as valid]

If I try to connect with the AnyConnect client (version 4.10.05095) to the ASA running 9.8(4)43
I get a Security Warning about an untrusted Server Certificate with the IP address of the Firewall - I would think it would give the URL not the IP address.

[screenshot: AnyConnect Security Warning for an untrusted server certificate, showing the firewall's IP address]

I have a 2nd ASA in another location that does not have a wildcard certificate and it works just fine - I do not get the warning. 

I'm assuming it has something to do with the wildcard certificate and maybe I'm missing some additional configuration elements, but I can't seem to find a resolution.

5 Replies

@lukesmiller so you are connecting to the FQDN and AnyConnect is displaying the IP address? Is the actual wildcard certificate trustpoint configured for SSL connections?

Yes - here is an example of that configuration element 
ssl trust-point Wildcard2022 Internet


@lukesmiller so you are connecting with the FQDN or the IP address? The FQDN matches the domain in the wildcard?

Run a packet capture on the client of the TLS handshake, see what certificate is presented.

lukesmiller (Level 1)

I'm connecting with the FQDN, but if I try the IP I get the same warning.
I can click Connect Anyway and it will give me the login prompt for AnyConnect

Can you give me an example of the capture - I have never run one on a TLS handshake

@lukesmiller in wireshark either use "ip.addr==<ip address of ASA>" or "tls"
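The replies above suggest looking at the certificate the ASA actually presents and note that the client is checking the name it connected with (FQDN or IP) against that certificate. The following is an added example, not code from the thread or from Cisco: a stdlib-only Python script that performs the same name check a strict TLS client does against the certificate's subjectAltName entries, so you can see why a wildcard such as `*.example.com` satisfies a browser at `vpn.example.com` but can never cover a bare IP address (only an `IP Address` SAN does that). The `WILDCARD_CERT` and `CERT_WITH_IP_SAN` dicts are constructed to look like `ssl.SSLSocket.getpeercert()` output, and `example.com` / `203.0.113.10` are placeholder names; `probe()` does a live, fully verified handshake against a host you supply and reports the verification error text instead of raising.

```python
"""Added example (not from the thread): which names does a presented TLS
certificate cover, and why does a wildcard not cover an IP literal?"""
import ipaddress
import socket
import ssl

# Constructed to mimic ssl.SSLSocket.getpeercert(); placeholder names, not a real cert.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

# Hypothetical certificate that would also satisfy a client connecting by IP:
# it carries an IP Address SAN in addition to the DNS name.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: the wildcard must be the entire leftmost label,
    covers exactly one label, and never matches the bare domain itself."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False  # reject "v*.example.com", "*.*.com", "*.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, target: str) -> tuple[bool, str]:
    """Does `cert` cover `target` (hostname or IP literal)? IP literals are compared
    only against IP Address SANs; DNS wildcards are never applied to them."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP Address SAN {value} matches {target}"
        return False, f"no IP Address SAN for {target}; wildcard DNS names do not cover IP literals"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, target):
            return True, f"DNS SAN {value} matches {target}"
    dns_sans = [v for k, v in sans if k == "DNS"]
    return False, f"no DNS SAN matches {target}: {dns_sans}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, object]:
    """Live check: handshake like a strict client (CA chain and hostname verified).
    Returns ("ok", peer cert dict) or ("error", verification message). When `host`
    is an IP literal, no SNI is sent and only IP Address SANs are accepted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return "error", e.verify_message or str(e)
    except (OSError, ssl.SSLError) as e:
        return "error", str(e)


if __name__ == "__main__":
    for cert, target in [
        (WILDCARD_CERT, "vpn.example.com"),
        (WILDCARD_CERT, "203.0.113.10"),
        (WILDCARD_CERT, "a.b.example.com"),
        (CERT_WITH_IP_SAN, "203.0.113.10"),
    ]:
        print(target, cert_covers(cert, target))
```

To use it against a real ASA, call `probe("vpn.yourdomain.tld")` and then `probe("<ASA IP>")`; a verified result for the FQDN together with a hostname or IP mismatch error for the address tells you the certificate is fine but lacks an IP Address SAN. If `probe()` reports a chain error for the FQDN as well, the presented certificate is not the one you expect, which is exactly what the packet capture (or `openssl s_client -connect host:443 -servername host`) will show.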