cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
109
Views
0
Helpful
2
Replies

Cisco Anyconnect Certificate issue when failed to secondary internet link on the same firewall

Charley Morgan
Beginner
Beginner

We recently upgraded to Anyconnect on our Cisco ASA5555x and installed a wildcard certificate we had on the box.  I have that certificate tied to my primary interface as well as my secondary internet connection interface. 

HQ-ASA5555-PRIMARY/pri/act# show run ssl
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 comcast
ssl trust-point ASDM_TrustPoint0 outside

These are tied to the fqdn vpn.smepa.coop and we use an internet dns company that monitors the connections to fail the domain name to the secondary ip if the primary fails.  When we are failed and the dns changes to the secondary comcast ip address we get the trusted certificate error.

Am I supposed to install a second certificate for the comcast interface or can I use the same one since they are on the same firewall?

Thanks,

Charley

2 REPLIES 2

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

Generally speaking it should work. What exact Untrusted message are you getting if you browse to the portal? I checked your certificate at https://www.digicert.com/help/ and note it tells me you don't have the intermediate cents installed. That might possibly cause an issue. 

We found the problem this morning.  There was a port forward on the comcast ip address sending port 443 over to a mail server.  That is why we were getting a different certificate.  Problem resolved now.

Thanks,

Charley

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: