11-03-2015 01:53 PM - edited 02-21-2020 08:32 PM
We recently upgraded to AnyConnect on our Cisco ASA5555-X and installed a wildcard certificate we had on the box. I have that certificate tied to my primary interface as well as my secondary internet connection interface.
HQ-ASA5555-PRIMARY/pri/act# show run ssl
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 comcast
ssl trust-point ASDM_TrustPoint0 outside
These are tied to the FQDN vpn.smepa.coop, and we use an internet DNS company that monitors the connections to fail the domain name over to the secondary IP if the primary fails. When we are failed over and the DNS changes to the secondary Comcast IP address, we get the trusted certificate error.
Am I supposed to install a second certificate for the comcast interface or can I use the same one since they are on the same firewall?
Thanks,
Charley
11-03-2015 08:34 PM
Generally speaking, it should work. What exact untrusted message are you getting if you browse to the portal? I checked your certificate at https://www.digicert.com/help/ and note it tells me you don't have the intermediate certs installed. That might possibly cause an issue.
11-04-2015 09:04 AM
We found the problem this morning. There was a port forward on the Comcast IP address sending port 443 over to a mail server. That is why we were getting a different certificate. Problem is resolved now.
Thanks,
Charley
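The root cause above (a different service answering on port 443 of the secondary IP) and the earlier reply's point about a missing intermediate certificate are both things you can check from outside the firewall before touching the ASA. The script below is an added example, not code from the original thread or from Cisco: it connects to each public IP directly, sends the VPN FQDN as SNI, records the SHA-256 fingerprint of the leaf certificate each IP actually serves, and separately checks whether the presented chain validates against the local trust store (a missing intermediate makes that check fail). The interface labels come from the thread; the IP addresses are placeholders from the documentation range and must be replaced.

```python
"""Compare the TLS certificate served on each public IP of a failover pair.

Added example (not from the original thread). Assumptions: the FQDN is
vpn.smepa.coop as in the thread; the IPs below are TEST-NET placeholders.
"""
import hashlib
import socket
import ssl

FQDN = "vpn.smepa.coop"
# Placeholder addresses (RFC 5737 documentation range), not the real ones.
ADDRESSES = {
    "outside": "192.0.2.10",   # primary ISP interface (placeholder)
    "comcast": "192.0.2.20",   # secondary ISP interface (placeholder)
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex,
    the same form browsers and `openssl x509 -fingerprint -sha256` display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf(ip: str, fqdn: str, port: int = 443, timeout: float = 5.0):
    """Connect to ip:port with fqdn as SNI.

    Returns (fingerprint, chain_ok). fingerprint is None if no TLS handshake
    could be completed (closed port, timeout, or a non-TLS service answering).
    chain_ok is True only if a second, strict connection validates the chain
    and hostname against the system trust store; a missing intermediate
    certificate or a certificate for a different name makes it False.
    """
    relaxed = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    relaxed.check_hostname = False          # must be cleared before verify_mode
    relaxed.verify_mode = ssl.CERT_NONE     # we want whatever cert is presented
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with relaxed.wrap_socket(sock, server_hostname=fqdn) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None, False

    strict = ssl.create_default_context()   # normal browser-like validation
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=fqdn):
                pass
        chain_ok = True
    except (OSError, ssl.SSLError):
        chain_ok = False
    return fingerprint(der), chain_ok


def find_problems(results: dict, reference: str) -> dict:
    """Given {label: (fingerprint, chain_ok)}, return {label: [problem, ...]}.

    The interface named by `reference` is treated as the known-good one; every
    other interface must serve the same leaf certificate and a valid chain.
    """
    ref_fp = results[reference][0]
    problems = {}
    for label, (fp, chain_ok) in results.items():
        issues = []
        if fp is None:
            issues.append("no TLS handshake")
        else:
            if fp != ref_fp:
                issues.append(f"fingerprint differs from {reference}")
            if not chain_ok:
                issues.append("chain does not validate")
        problems[label] = issues
    return problems


def check_all(addresses: dict, fqdn: str, reference: str = "outside") -> dict:
    """Probe every interface and return the per-interface problem list."""
    results = {label: fetch_leaf(ip, fqdn) for label, ip in addresses.items()}
    return find_problems(results, reference)


if __name__ == "__main__":
    for label, issues in check_all(ADDRESSES, FQDN).items():
        print(f"{label:8s} {ADDRESSES[label]:16s} {'OK' if not issues else ', '.join(issues)}")
```

In the situation from the thread, the "comcast" row would have reported "fingerprint differs from outside" (the mail server's certificate) and, once the port forward was removed, both rows would agree; "chain does not validate" on both rows would point at the intermediate certificate the earlier reply mentioned rather than at the secondary interface.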