ASA: Self signed certificate issue

hashimwajid1
Level 3

Hi,

I am getting one issue. I installed AnyConnect VPN on the ASA with a self-signed certificate and it was working fine. Now I have installed a CA-signed certificate on the firewall with the FQDN and removed the self-signed certificate from the firewall.

Issue

When I connect AnyConnect via the FQDN ssl.domain.com I am not getting an error.

When I connect with the IP then I am still receiving the self-signed certificate.

I don't want to receive the self-signed certificate (even though I removed the self-signed certificate, I am still getting the error).

Is there any way that I can just log in via FQDN and not via IP?

When I connect via IP it's giving me the error:

ASA Certificate does not match the server name

ASA version 9.6

Need your urgent help.

Thanks

Accepted Solution

You say that you get the self-signed cert, but it seems that you "only" get the error of mismatching names, which is normal in this situation. The cert only includes the FQDN. If you connect by name the ASA can prove to be that identity with the included name. But if you connect by IP, the ASA can not prove to be that identity with that cert. That is exactly how certificates work.


johnd2310
Level 8

Hi,

Is reverse DNS set up for the ASA, i.e. does reverse DNS resolve to the correct FQDN?

Thanks

John

**Please rate posts you find helpful**

Hi Karsten,

> The cert only includes the FQDN. If you connect by name the ASA can prove to be that identity with the included name. But if you connect by IP, the ASA can not prove to be that identity with that cert. That is exactly how certificates work.

Correct, I am receiving the CA-signed certificate too while connecting with the IP instead of the FQDN. Is there any way we can remove the error while connecting via IP?

Or that nobody should be able to connect via IP but only via FQDN?

If I create a reverse DNS lookup, will it solve the problem, and will it have any impact on site-to-site VPNs, as all VPNs are connecting with IP and not on the basis of FQDN?

Thanks

> correct,  i am receiving the CA signed certificate too while connecting with IP instead of FQDN. is there any way if we can remove the error while connecting via IP ?

No, you can only prove what's in the certificate.

> or nobody should able to connect via IP but only FQDN ?

Tell your users to use only the FQDN.

> if i create reverse DNS lookup, will it solve the problem and will it have any impact on site to site VPNs as all VPN are connecting with IP not on the base of FQDN

I would consider having the reverse entries a best practice, but it has no relevance here.

Apart from what @Karsten Iwen mentioned, you can also push an AnyConnect client profile (XML file) to all the users using AnyConnect. This should pre-populate the AnyConnect "Connect To" field with the FQDN. It gives the users fewer chances to manually type in an IP address or FQDN.

Hi Karsten,

Is there any way that I can add the IP address in the certificate as well, along with the FQDN? Or do we need another certificate for an IP-based cert?

Is it possible for one certificate to include both the IP and the FQDN?

Thanks

Theoretically, the certificate can also include an IP address. But you have to prove to the CA that you own the address and they have to validate it. This can get quite complicated and not all CAs offer that.

IMO, it's not worth the effort, but you could ask your CA what the procedure is for this. If they do, expect a heavy premium charge for that.
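The name check Karsten describes (a host name is matched only against DNS SAN entries, an IP literal only against IP SAN entries), and the "add the IP to the certificate" option from the last reply, shown as an added Python example that is not from the thread or from Cisco. The certificate dictionaries are constructed samples shaped like what Python's ssl.getpeercert() returns; ssl.domain.com is the FQDN from the thread and 203.0.113.10 is a documentation-range placeholder address.

```python
import ipaddress

# Constructed sample: a CA-signed cert that only carries the FQDN (the OP's case).
CA_SIGNED_FQDN_ONLY = {
    "subject": ((("commonName", "ssl.domain.com"),),),
    "subjectAltName": (("DNS", "ssl.domain.com"),),
}

# Constructed sample: the same cert with an additional IP SAN (Karsten's "theoretically" case).
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ssl.domain.com"),),),
    "subjectAltName": (("DNS", "ssl.domain.com"), ("IP Address", "203.0.113.10")),
}


def _dns_label_match(pattern, host):
    """RFC 6125 style match: a wildcard is allowed only as the whole leftmost label
    and never spans a dot, so *.domain.com covers ssl.domain.com but not a.b.domain.com."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_name_matches(cert, target):
    """Return (ok, reason): does `cert` prove the identity the user typed as `target`?

    An IP literal is compared only with "IP Address" SAN entries and a host name only
    with "DNS" entries; the commonName is ignored once a SAN extension is present, which
    is what modern clients do. This is why an FQDN-only cert fails when reached by IP.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        ip_sans = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if ip in ip_sans:
            return True, "IP SAN matches %s" % target
        return False, "Certificate does not match the server name (no IP SAN for %s)" % target
    dns_sans = [v for k, v in sans if k == "DNS"]
    if any(_dns_label_match(p, target) for p in dns_sans):
        return True, "DNS SAN matches %s" % target
    return False, "Certificate does not match the server name (no DNS SAN for %s)" % target
```

Running server_name_matches(CA_SIGNED_FQDN_ONLY, "203.0.113.10") reproduces the mismatch the OP sees, while the same cert with an IP SAN passes for both the FQDN and the address.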