12-06-2017 07:24 AM
Client Environment:
We currently use AnyConnect Client v4.5 with Cisco ASA for SSL VPN. We have Always-On and Trusted Network Detection (TND) configured on the AnyConnect client using the domain DNS name and a certificate check (URL). So Trusted Network Detection disconnects the VPN if it sees the DNS suffix "MyCompany.com" and it has the right certificate hash for a defined IP host.
We have multiple TND https:// entries to provide resilience, i.e. https://1.1.1.1:443, https://1.1.1.2:443
The question being: if the TND certificate hash fails on the first, does it drop down to the next on the list? Or is it the case that it only drops to the next one if the first is unavailable?
Thanks, Khalid
12-06-2017 10:32 AM
Hello,
If the server itself is not reachable we will try the next server. You won't be able to add the server with an invalid hash, and if you are able to do that then there is an issue. I assume you are asking if the hash changes and is now invalid? We should go down the list as ordered, although I cannot find this documented so that I can link you to it at this moment. If I come across it I will respond back.
Best regards,
Paul
AC & ATS TME
01-06-2018 10:39 AM
What is the expected behavior when multiple Trusted Servers are defined? And what is the expected behavior if one or more of the defined servers is reachable, but has an invalid hash (changed since initially added)? As you mention, I don't see this documented anywhere. Are we simply looking for a single Trusted Server that is both reachable and passes the hash check? So we go down the list until those conditions are met for one defined server in the list? If you find this formally documented somewhere, please post the doc link. Thanks!
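As an added example (not part of this thread and not Cisco's code), the following Python audit script walks a TND trusted-server list and reports, for each entry, whether it is unreachable or reachable but presenting a certificate whose hash no longer matches, which is exactly the distinction both posts ask about. It assumes the TND certificate check compares the SHA-1 thumbprint of the server's leaf certificate against the configured hash, and the server entries and hash values below are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Constructed sample entries in the shape of the thread's TND list:
# (address, port, expected certificate hash). Hash values are placeholders.
TRUSTED_SERVERS: List[Tuple[str, int, str]] = [
    ("1.1.1.1", 443, "PLACEHOLDER_HASH_1"),
    ("1.1.1.2", 443, "PLACEHOLDER_HASH_2"),
]


def cert_thumbprint(der_cert: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, upper-case hex.
    Assumption: this is the hash form the TND certificate check compares."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def fetch_server_cert(address: str, port: int, timeout: float = 3.0) -> bytes:
    """Return the raw leaf certificate the server presents. Chain validation is
    disabled on purpose: the configured-hash comparison is the check here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.getpeercert(binary_form=True)


def classify_trusted_servers(
    entries: List[Tuple[str, int, str]],
    fetch: Callable[[str, int], bytes] = fetch_server_cert,
) -> List[Dict[str, str]]:
    """Classify every entry as 'unreachable', 'hash_mismatch' or 'ok'.
    All entries are probed so an admin can spot hash drift before TND does."""
    results = []
    for address, port, expected in entries:
        server = f"{address}:{port}"
        try:
            der = fetch(address, port)
        except OSError as exc:  # connection, timeout and TLS errors
            results.append({"server": server, "status": "unreachable", "detail": str(exc)})
            continue
        actual = cert_thumbprint(der)
        status = "ok" if actual == expected.replace(":", "").upper() else "hash_mismatch"
        results.append({"server": server, "status": status, "detail": actual})
    return results


def network_is_trusted(results: List[Dict[str, str]]) -> bool:
    """True if at least one entry is both reachable and passes the hash check."""
    return any(r["status"] == "ok" for r in results)
```

`network_is_trusted` encodes the interpretation raised in the thread (one reachable entry with a matching hash suffices); it is not a statement of the client's documented behavior.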