04-02-2018 03:44 PM - edited 03-12-2019 05:09 AM
Hi
I am getting one issue. I installed AnyConnect VPN on the ASA with a self-signed certificate and it was working fine. Now I have installed a CA-signed certificate on the firewall with the FQDN and removed the self-signed certificate from the firewall.
Issue
When I connect AnyConnect via the FQDN ssl.domain.com I am not getting an error.
When I connect with the IP then I am still receiving the self-signed certificate.
I don't want to receive the self-signed certificate (even though I removed the self-signed certificate, I am still getting the error).
Is there any way that I can only log in via the FQDN and not via the IP?
When I connect via the IP it gives me an error.
ASA version 9.6
Need your urgent help.
Thanks
04-02-2018 04:43 PM
Hi,
Is reverse DNS set up for the ASA, i.e. does reverse DNS resolve to the correct FQDN?
Thanks
John
04-02-2018 10:27 PM
04-02-2018 11:19 PM
Hi Karsten
> The cert only includes the FQDN. If you connect by name the ASA can prove to be that identity with the included name. But if you connect by IP, the ASA can not prove to be that identity with that cert. That is exactly how certificates work.
Correct, I am receiving the CA-signed certificate too while connecting with the IP instead of the FQDN. Is there any way we can remove the error while connecting via the IP?
Or that nobody should be able to connect via the IP but only via the FQDN?
If I create a reverse DNS lookup, will it solve the problem, and will it have any impact on the site-to-site VPNs, as all VPNs connect via IP and not by FQDN?
Thanks
04-02-2018 11:33 PM
> Correct, I am receiving the CA-signed certificate too while connecting with the IP instead of the FQDN. Is there any way we can remove the error while connecting via the IP?
No, you can only prove what's in the certificate.
> Or that nobody should be able to connect via the IP but only via the FQDN?
Tell your users to use only the FQDN.
> If I create a reverse DNS lookup, will it solve the problem, and will it have any impact on the site-to-site VPNs, as all VPNs connect via IP and not by FQDN?
I would consider having the reverse entries a best practice, but it has no relevance here.
04-03-2018 06:31 AM
Apart from what @Karsten Iwen mentioned, you can also push an AnyConnect client profile (XML file) to all the users using AnyConnect. This should pre-populate the AnyConnect "Connect To" field with the FQDN. That gives the users less chance to manually type in an IP address or FQDN.
04-03-2018 08:12 AM
Hi Karsten
Is there any way that I can add the IP address to the certificate as well, along with the FQDN? Or do we need another certificate for an IP-based cert?
Is it possible for one certificate to include both the IP and the FQDN?
Thanks
04-03-2018 08:55 AM
Theoretically, the certificate can also include an IP address. But you have to prove to the CA that you own the address, and they have to validate it. This can get quite complicated, and not all CAs offer that.
IMO it's not worth the effort, but you could ask your CA what the procedure is for this. If they do offer it, expect a heavy premium charge for that.
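To make the point of this thread concrete, here is an added example (not code from the thread or from Cisco) of the name-matching check an AnyConnect client performs against the certificate's Subject Alternative Name entries. The SAN lists and the IP 198.51.100.10 are constructed placeholders; the tuple shapes follow what Python's `ssl` module returns in `getpeercert()["subjectAltName"]`.

```python
import ipaddress

# Constructed SAN list standing in for the CA-signed cert from the thread,
# which carries only the FQDN (placeholder data, not a real certificate).
SAN_FQDN_ONLY = [("DNS", "ssl.domain.com")]
# The same cert re-issued with an additional IP-address SAN entry
# (the option Karsten describes as possible but costly).
SAN_WITH_IP = [("DNS", "ssl.domain.com"), ("IP Address", "198.51.100.10")]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a single
    wildcard is honoured only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the whole first label, cover at least two more
    # labels, and match exactly one label in the host name.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(san_entries, target: str) -> bool:
    """Return True if the name the user typed into 'Connect To' (an FQDN or
    an IP literal) is covered by one of the certificate's SAN entries.
    An IP literal is only ever matched against 'IP Address' entries, which is
    why connecting by IP fails against an FQDN-only certificate."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _dns_matches(value, target):
            return True
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
    return False


if __name__ == "__main__":
    for san, name in [(SAN_FQDN_ONLY, "ssl.domain.com"),
                      (SAN_FQDN_ONLY, "198.51.100.10"),
                      (SAN_WITH_IP, "198.51.100.10")]:
        print(name, "->", "trusted" if san_matches(san, name) else "name mismatch")
```

Running it shows the FQDN matching, the IP literal failing against the FQDN-only certificate, and the IP literal passing only once an IP SAN entry exists.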