Cisco AnyConnect certificate issue when failing over to the secondary internet link on the same firewall

Charley Morgan
Level 1

We recently upgraded to AnyConnect on our Cisco ASA5555-X and installed a wildcard certificate we had on the box. I have that certificate tied to my primary interface as well as my secondary internet connection interface.

HQ-ASA5555-PRIMARY/pri/act# show run ssl
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 comcast
ssl trust-point ASDM_TrustPoint0 outside

These are tied to the FQDN vpn.smepa.coop, and we use an internet DNS company that monitors the connections and fails the domain name over to the secondary IP if the primary fails. When we are failed over and the DNS changes to the secondary Comcast IP address, we get the trusted certificate error.

Am I supposed to install a second certificate for the Comcast interface, or can I use the same one since they are on the same firewall?

Thanks,

Charley

2 Replies

Marvin Rhoads
Hall of Fame

Generally speaking it should work. What exact "untrusted" message are you getting if you browse to the portal? I checked your certificate at https://www.digicert.com/help/ and note it tells me you don't have the intermediate certs installed. That might possibly cause an issue.

We found the problem this morning. There was a port forward on the Comcast IP address sending port 443 over to a mail server. That is why we were getting a different certificate. Problem resolved now.

Thanks,

Charley
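Added example, not from the original thread or from Cisco: a small check a practitioner can run from outside before touching the ASA. It connects to each public interface address with SNI set to the VPN FQDN and compares the SHA-256 fingerprint of the leaf certificate each listener serves. A mismatch between interfaces is exactly the symptom here, since a NAT/port-forward rule on one address hands port 443 to another host, while the chain check covers the missing-intermediate point raised in the first reply. The FQDN and addresses are constructed placeholders, not the poster's real values.

```python
import hashlib
import socket
import ssl
from typing import Dict

# Constructed placeholders standing in for vpn.smepa.coop and the ASA's two
# public interface addresses; substitute the real values before running.
FQDN = "vpn.example.test"
ENDPOINTS = {"outside": "192.0.2.10", "comcast": "198.51.100.10"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_fingerprint(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to ip:port with SNI sni and return the leaf certificate fingerprint.
    Verification is disabled on purpose: the goal is to see whatever the
    listener actually serves, even a certificate from a host a NAT rule
    forwarded port 443 to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def chain_validates(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the served chain validates against the local trust store for sni;
    False on a TLS failure such as a missing intermediate certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni):
                return True
    except ssl.SSLError:
        return False


def find_mismatches(fingerprints: Dict[str, str], reference: str) -> Dict[str, str]:
    """Return {interface: fingerprint} for every interface whose leaf certificate
    differs from the one served on the reference interface."""
    expected = fingerprints[reference]
    return {name: fp for name, fp in fingerprints.items() if fp != expected}


if __name__ == "__main__":
    seen = {name: fetch_fingerprint(ip, FQDN) for name, ip in ENDPOINTS.items()}
    for name, fp in find_mismatches(seen, "outside").items():
        print(f"{name}: different certificate ({fp[:16]}...), check NAT rules on that interface")
    for name, ip in ENDPOINTS.items():
        print(f"{name}: chain validates = {chain_validates(ip, FQDN)}")
```

Run it once while the DNS record points at the primary and once after failover; both interfaces should report the same fingerprint and a validating chain.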
