11-02-2012 05:47 AM - edited 02-21-2020 06:27 PM
I have a customer whose AnyConnect client started popping up the untrusted warning when they connect subsequently. The original connections come up fine, and the certificate is working. What I did notice however is the URL is not showing, but the IP, so it is seeing the SS and not the CA when it connects. Is there something else that I need to do to prevent this?
11-02-2012 05:52 AM
The subject-name "CN=" entry needs to be the same as the URL that the customer is connecting to.
For example:
If the customer connects using URL: webvpn.cisco.com, then the subject-name of the certificate should also say: CN=webvpn.cisco.com
You can't have "CN=
If you have "CN=
11-02-2012 05:56 AM
OK, maybe I didn't explain it well enough. The initial connection is via the URL, works fine, exactly as it should. Connections after the initial one, using the client, not the browser, start using the IP instead of the URL, without any input from the user. Keep in mind, it needed to be dumbed down for the users to one click access. What is causing the client to use the IP instead of the URL when it connects?
11-02-2012 06:00 AM
Are you terminating the AnyConnect on a router or ASA firewall?
Also what is the version of the device?
Do you mean, you connect via browser first, then the user clicks on the AnyConnect button to start the AnyConnect client?
Are you running both Clientless and AnyConnect Client?
11-02-2012 06:04 AM
It's on an ASA running 8.4(3) using anyconnect-win-3.1.01065-k9.pkg that gets installed when they connect for the first time. After the first connection, an icon is placed on their desktop and the user clicks on that to connect and login instead of using the browser.
11-02-2012 06:12 AM
Ah, got it. Thanks for the explanation.
You would need to configure AnyConnect Profile with the FQDN from the following:
Configuration --> Remote Access VPN --> Network (Client) Access --> AnyConnect Client Profile --> Add
Then edit the profile under the "Server List" menu:
On the Hostname field, type in the FQDN, and leave the Host Address field blank.
Here is more information for your reference:
11-02-2012 06:17 AM
OK I found the profile being used and found where the IP was coming from, changed it to the URL and will have them test it to see if that resolved the problem, thanks for the help!
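The check this thread arrives at, as an added example that is not part of the original posts or Cisco's tooling: a script that reads an AnyConnect client profile and reports every Server List entry whose connection target is an IP address or a name other than the certificate CN. The sample profile is constructed, and the element names (`ServerList`, `HostEntry`, `HostName`, `HostAddress`) and the namespace are assumptions about the profile XML layout.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread); element names are assumed
# to follow the AnyConnect client profile XML layout.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>Corp VPN</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
    <HostEntry><HostName>webvpn.cisco.com</HostName></HostEntry>
    <HostEntry><HostName>vpn.example.net</HostName><HostAddress></HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_server_list(profile_xml, cert_cn):
    """Return (target, problem) for each HostEntry that would not match cert_cn."""
    findings = []
    for entry in ET.fromstring(profile_xml).iter():
        if _local(entry.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        # With Host Address blank, the Hostname value is what the client connects to.
        target = fields.get("HostAddress") or fields.get("HostName", "")
        if _is_ip(target):
            findings.append((target, "connects by IP, cannot match the certificate CN"))
        elif target.lower() != cert_cn.lower():
            # Simplification: exact CN match only, no wildcard or SAN handling.
            findings.append((target, "name differs from the certificate CN"))
    return findings


if __name__ == "__main__":
    for target, problem in audit_server_list(SAMPLE_PROFILE, "webvpn.cisco.com"):
        print(f"{target}: {problem}")
```
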