06-22-2015 10:30 AM - edited 02-21-2020 08:18 PM
Can you still install AnyConnect Essentials SSL VPN on the latest clients with a self-signed certificate? I thought that the newer clients were doing a check for a field that only a third-party cert would have. This is a nuisance when trying to stage a quick test environment, so I'd like to still do this with a self-signed cert if I can.
06-22-2015 07:48 PM
You can use self-signed certificates on the ASA for remote access SSL VPN - even with the current AnyConnect Secure Mobility Client 4.1 and ASA 9.4(1).
You may need to jump through a few more hoops (click accept and/or import certificate etc.) to make it work; but it's certainly a supported method.
Like any other feature, it can be misconfigured in ways that will make it fail.
02-04-2016 05:14 PM
I have attempted this with ASA 9.4(1) and Secure Mobility Client 4.1 with procedures I have used and others I have found through searches (although most procedures I found were for Client version 3.x).
I just cannot get rid of the "Certificate does not match the server name" and "Certificate is from an untrusted source".
Does anyone have a procedure that has worked with ASA 9.4(1) and client 4.1?
02-04-2016 06:50 PM
I found a fix for my problem. I had to issue the following config command:
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
This is explained at:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#51000
in the Important Notes section.