
Anyconnect untrusted error, Using CA


I have a customer whose AnyConnect client started popping up the untrusted warning when they connect subsequently. The original connections come up fine, and the certificate is working. What I did notice, however, is that the URL is not showing, but the IP, so it is seeing the SS and not the CA when it connects. Is there something else that I need to do to prevent this?


Accepted Solutions

Ah, got it. Thanks for the explanation.

You would need to configure AnyConnect Profile with the FQDN from the following:

Configuration --> Remote Access VPN --> Network (Client) Access --> AnyConnect Client Profile --> Add

Then edit the profile under the "Server List" menu:

On the Hostname field, type in the FQDN, and leave the Host Address field blank.

Here is more information for your reference:

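An added example, not part of the original thread and not Cisco tooling: a Python check of an AnyConnect profile's Server List against the names in the ASA's certificate. The sample profile, `vpn.example.com` and `203.0.113.10` are constructed, and the script assumes the client connects to `HostAddress` whenever that field is filled in.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile; the host names and address are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>vpn.example.com</HostName></HostEntry>
    <HostEntry>
      <HostName>Head Office VPN</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(target, cert_names):
    """Case-insensitive match; a left-most '*.' label matches one DNS label."""
    target = target.lower()
    for name in (n.lower() for n in cert_names):
        if name == target:
            return True
        if name.startswith("*.") and not is_ip(target) and "." in target:
            if target.split(".", 1)[1] == name[2:]:
                return True
    return False

def audit_profile(profile_xml, cert_names):
    """Return (connect_target, problem) for entries that would show the warning."""
    findings = []
    for entry in ET.fromstring(profile_xml).iterfind(".//ac:HostEntry", NS):
        host_name = (entry.findtext("ac:HostName", "", NS) or "").strip()
        host_addr = (entry.findtext("ac:HostAddress", "", NS) or "").strip()
        target = host_addr or host_name  # assumption: HostAddress wins when set
        if not name_matches(target, cert_names):
            kind = "IP address" if is_ip(target) else "name"
            findings.append((target, f"{kind} is not in the certificate"))
    return findings
```

Pass the certificate's CN and any subject alternative names as `cert_names`; an empty result means every Server List entry connects to a name the certificate covers.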


Jennifer Halim
Cisco Employee

The subject-name "CN=" entry needs to be the same as the URL that the customer is connecting to.

For example:

If customer connects using URL:, then the subject-name of the certificate should also say:

You can't have "CN=" and try to connect using the FQDN.

If you have "CN=", and if you try to connect using the IP Address, then you won't get prompted for the untrusted certificate error.

OK, maybe I didn't explain it well enough. The initial connection is via the URL, works fine, exactly as it should. Connections after the initial one, using the client, not the browser, start using the IP instead of the URL, without any input from the user. Keep in mind, it needed to be dumbed down for the users to one-click access. What is causing the client to use the IP instead of the URL when it connects?

Are you terminating the AnyConnect on a router or ASA firewall?

Also what is the version of the device?

Do you mean you connect via browser first, then the user clicks on the AnyConnect button to start the AnyConnect client?

Are you running both Clientless and AnyConnect Client?

It's on an ASA running 8.4(3) using anyconnect-win-3.1.01065-k9.pkg that gets installed when they connect for the first