11-03-2022 08:35 AM
I have an issue with AnyConnect giving a Security Warning
I have installed a wildcard certificate on the ASA
If I open a Chrome or Edge browser and go to the URL - I do not get the Security Warning and the certificate shows valid with a lock
[Screenshots: Chrome, Edge]
If I try to connect with the AnyConnect client (version 4.10.05095) to the ASA running 9.8(4)43
I get a Security Warning about an untrusted Server Certificate with the IP address of the Firewall - I would think it would give the URL not the IP address.
I have a 2nd ASA in another location that does not have a wildcard certificate and it works just fine - I do not get the warning.
I'm assuming it has something to do with the wildcard certificate and maybe I'm missing some additional configuration elements, but I can't seem to find a resolution.
11-03-2022 08:41 AM
@lukesmiller so you are connecting to the FQDN and AnyConnect is displaying the IP address? Is the actual wildcard certificate trustpoint configured for SSL connections?
11-03-2022 09:01 AM
Yes - here is an example of that configuration element
ssl trust-point Wildcard2022 Internet
11-03-2022 09:03 AM
@lukesmiller so you are connecting with the FQDN or the IP address? The FQDN matches the domain in the wildcard?
Run a packet capture on the client of the TLS handshake, see what certificate is presented.
11-03-2022 09:07 AM
I'm connecting with the FQDN - but if I try the IP I get the same warning.
I can click Connect Anyway and it will give me the login prompt for AnyConnect
Can you give me an example of the capture - I have never run one on a TLS handshake
11-03-2022 09:10 AM
@lukesmiller in Wireshark either use "ip.addr==<ip address of ASA>" or "tls"
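As an added example (not from this thread or from Cisco), a small Python check that does what a browser or VPN client does when it validates the ASA's certificate: it connects with the OS trust store and hostname verification enabled and reports the verification error, and a helper applies the wildcard matching rules, which shows why a `*.example.com` certificate covers `vpn.example.com` but not an IP address or a deeper subdomain. The host names and the IP address in the test data are assumptions.

```python
import ipaddress
import socket
import ssl
import sys


def name_matches(requested: str, san_entries: list) -> bool:
    """Hostname-vs-SAN matching as strict clients apply it (RFC 6125 style):
    a wildcard is honoured only as the whole leftmost label, it matches
    exactly one label, and it never matches an IP literal.
    san_entries are (type, value) pairs as ssl.getpeercert() reports them."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is satisfied only by an IP Address SAN, never by a DNS name.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in san_entries)
    host = requested.lower().rstrip(".")
    for san_type, value in san_entries:
        if san_type != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.com" -> ".example.com"
            left = host[:-len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:  # exactly one label before the suffix
                return True
    return False


def inspect_server(host: str, port: int = 443) -> dict:
    """Connect the way a strict client does (trust store + hostname check) and
    report the outcome; on success also return the certificate's SAN list."""
    result = {"trusted": False, "error": None, "san": []}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["san"] = list(tls.getpeercert().get("subjectAltName", ()))
                result["trusted"] = True
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message  # e.g. hostname mismatch, unknown CA
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Usage: python check_asa_cert.py vpn.example.com (hypothetical host name)
    print(inspect_server(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"))
```

Run it once against the FQDN and once against the IP: with a wildcard certificate the FQDN passes and the IP fails the hostname check unless the certificate also carries an IP Address SAN.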