Cisco Anyconnect SSL VPN Client Cert Error

m-jankowski
Level 1

Getting an error with Windows 7 and the SSL client.

It's saying that the certificate doesn't match the name of the site you are trying to view. But when you view the certificate it says it's 'OK' and matches just fine with the domain.

Any ideas? This is the first issue we've had with this new VPN solution, (we used Nortel IPSEC before).


Jennifer Halim
Cisco Employee

On the certificate, you need to check what the "Issued to" field says, and when you connect via AnyConnect, you would need to use the same name as what the certificate says.

So if the certificate's "Issued to" says "vpn.domain.com", for example, then when you connect via AnyConnect you also need to use "vpn.domain.com" instead of the IP address, for example. If you connect via the IP address then it doesn't match the certificate's "Issued to", or vice versa.

I think you are using a private certificate issued by your own CA and you are not able to reach the CRL list from the ASA to check if the client cert is valid.

In ASDM go to Configuration, Certificate Management, CA Certificates and make sure you have your CA cert installed there. To verify if it is a problem getting the CRL list, click the CA cert and Request CRL; nothing will happen if it can't reach it.

Click on Edit and tick Do not check certificates for revocation and you should now not get the certificate validation error message anymore from your client machine. You also won't be able to expire any certs if you leave Do not check ticked, so to fix it:

1) Check that the protocol you use to retrieve the CRL is allowed through any firewalls you have; the options are LDAP or HTTP.

2) The ASA's default is to use the CRL list that is stored in the CA cert itself. You can view the URL on your client machine if you click View Certificate in your browser (IE): Tools, Internet Options, Content, Certificates, View, Details, CRL Distribution Points. Get the direct URL from your cert server administrator and fill it in under the CRL Retrieval Policy tab if you have to. Click Request CRL again to verify that it is working.

Also configure DNS servers that are reachable and can resolve the CRL url from your ASA using the 'name-server' command on the cli.
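The two checks the replies describe (does the name you type into AnyConnect match the certificate's "Issued to"/subjectAltName, and which CRL distribution point the certificate carries) can be reproduced on any machine with openssl before touching the ASA. The script below is an added example and is not code from the thread or from Cisco; it generates a constructed self-signed certificate for the hypothetical name vpn.example.com with a hypothetical CRL URL, then shows the subject, SAN and CRL distribution point and tests a DNS name and an IP address against it. The IP case is the failure mode from the original post: a certificate issued only to a DNS name will not match when the client connects by IP.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the AnyConnect
# "certificate does not match the name of the site" check with openssl.
set -eu

WORKDIR="${TMPDIR:-/tmp}/anyconnect-cert-check.$$"
mkdir -p "$WORKDIR"

# Constructed self-signed certificate standing in for the ASA's identity
# certificate. The hostname and CRL URL are assumptions for the demo.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -subj "/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com" \
    -addext "crlDistributionPoints=URI:http://pki.example.com/ca.crl" \
    >/dev/null 2>&1
  echo "$WORKDIR/cert.pem"
}

# The "Issued to" information: subject CN plus subjectAltName entries.
show_issued_to() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# The CRL distribution point the ASA consults by default; this is the URL
# that must be reachable (and resolvable) from the ASA.
show_crl_dp() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints
}

# Return 0 if NAME (DNS name or IPv4 address) matches the certificate,
# 1 otherwise. openssl x509 reports the result in text and exits 0 either
# way, so the output is inspected rather than the exit status.
name_matches_cert() {
  cert="$1"
  name="$2"
  case "$name" in
    *[!0-9.]*) out=$(openssl x509 -in "$cert" -noout -checkhost "$name") ;;
    *)         out=$(openssl x509 -in "$cert" -noout -checkip "$name") ;;
  esac
  case "$out" in
    *"does match"*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Demo run: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-}" = 1 ]; then
  CERT=$(make_demo_cert)
  show_issued_to "$CERT"
  show_crl_dp "$CERT"
  for candidate in vpn.example.com 192.0.2.10; do
    if name_matches_cert "$CERT" "$candidate"; then
      echo "$candidate: matches certificate"
    else
      echo "$candidate: does NOT match certificate (AnyConnect will warn)"
    fi
  done
fi
```

Against a real ASA, replace the constructed certificate with the one exported from the client's certificate viewer (or from `openssl s_client -connect host:443 -showcerts`) and test the exact string users type into AnyConnect; if only the IP address fails, the fix is the hostname profile change from the first reply, and if the name matches but the client still complains, check the CRL URL shown by the last function from the ASA's side as the second reply describes.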