Cisco AnyConnect SSL Certificate Issues

Muhammad Zahid
Level 1

I am facing certificate mismatch issues with my Cisco AnyConnect VPN setup on an ASA 5516X, version 9.5(1).

I have set up an SSL certificate on my ASA from a trusted CA (GoDaddy) with the help of the following article and didn't encounter any error during certificate installation, but I can still see that my firewall is selecting the self-signed certificate for VPN connections.

https://chrisquast.wordpress.com/2014/01/13/cisco-asa-godaddy-ssl-certificate/ 

Logs.

Starting SSL handshake with client outside:19.159.29.17/40499 to 44.6.93.72/443 for TLS session

My configs.

crypto ca certificate chain WebVPN_TrustPoint
certificate 2f19641e600e2c8b
30820550 30820438 a0030201 0202082f 19641e60 0e2c8b30 0d06092a 864886f7
457e2403 d5ac96a7 cbc0612f b5aecf1f d3576a1f
quit

ssl trust-point WebVPN_TrustPoint outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect enable

1 Reply

One typical problem is wrong ciphers. Try the following:

ssl cipher tlsv1.2 custom "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"

Edit: I just see that you are using an outdated AnyConnect. For the above cipher you need AC4. If you want to keep AC3 (upgrade at least to the last AC3, which is 3.1.13015), then the cipher also has to be set for TLS 1.0. It should also be set for DTLS.
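As an added check that is not part of either post above: a small client-side probe (Python standard library only) that connects to the ASA's outside address like a real client would, reports whether the presented certificate passes the system trust store, whether it is self-signed (issuer equals subject), and which TLS version and cipher were negotiated. The host name and the two sample certificate names in the script are constructed placeholders.

```python
# Added diagnostic, not from the thread: check which certificate an ASA actually
# presents on its outside interface and which TLS version/cipher gets negotiated.
# Assumes a host reachable on 443; the sample names below are constructed, not real.
import socket
import ssl


def _rdn_set(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure into a set of pairs."""
    return frozenset(attr for rdn in name for attr in rdn)


def is_self_signed(cert):
    """True when issuer == subject, i.e. the box is still serving its own generated cert."""
    return _rdn_set(cert.get("subject", ())) == _rdn_set(cert.get("issuer", ()))


def probe(host, port=443, timeout=5.0):
    """Connect with the system trust store and report what the server presents.

    Returns a dict with keys trusted, self_signed, subject, issuer, version, cipher, error.
    An untrusted (e.g. self-signed) certificate shows up as trusted=False together with
    OpenSSL's verification message, which is what a VPN client would also object to.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, like a real client
    result = {"trusted": False, "self_signed": None, "subject": None,
              "issuer": None, "version": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated once verification succeeded
                result.update(trusted=True, self_signed=is_self_signed(cert),
                              subject=dict(_rdn_set(cert["subject"])),
                              issuer=dict(_rdn_set(cert["issuer"])),
                              version=tls.version(), cipher=tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message  # e.g. "self-signed certificate"
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


# Constructed sample names in getpeercert() shape, for a quick offline self-test.
SELF_SIGNED = {"subject": ((("commonName", "ASA-5516"),),),
               "issuer": ((("commonName", "ASA-5516"),),)}
CA_ISSUED = {"subject": ((("commonName", "vpn.example.com"),),),
             "issuer": ((("organizationName", "Example CA"),),
                        (("commonName", "Example Secure CA"),))}

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"))
```

Run it against the outside address from the handshake log; if it reports trusted=False with a self-signed message while `ssl trust-point` points at the CA-issued trustpoint, the certificate is not being served on that interface.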