Solved: You're welcome.

sharlino · ‎04-28-2017

Hello!

We have changed our ASA's DNS name from vpn-1.old-domain.com to vpn-1.new-domain.com. A connection profile in a user PC contains the old one VPN host: vpn-1.old-domain.com. So, due to connection there will be an SSL cert error displayed, such as SSL_ERROR_BAD_CERT_DOMAIN like in the Firefox.

Can ASA do redirect Anyconnect SSL VPN connection from old DNS to the new one ? Maybe there is another more straight, correct way ?

ASA version is 9.6(2)13

Marvin Rhoads · ‎04-28-2017

Sorry but you cannot do redirection like that using the ASA.

If you simply instruct users to use the new-domain address by typing it manually the first time they connect anew, the ASA should detect that the client needs a new profile and automatically download it.

View solution in original post

Marvin Rhoads · ‎04-28-2017

Sorry but you cannot do redirection like that using the ASA.

If you simply instruct users to use the new-domain address by typing it manually the first time they connect anew, the ASA should detect that the client needs a new profile and automatically download it.

sharlino · ‎04-28-2017

Thanks Marvin. So, it is a common practise and the only solution to instruct users in such a case ? There is no centralized, transparent solution at all ?

Marvin Rhoads · ‎04-28-2017

Cisco doesn't provide any such solution. It could be argued that if any such thing were able to be done transparently (i.e., without user acklnowledgement of the new domain) that it could be the opposite of secure.

If a user is going to old-domain and providing credentials that are instead being intercepted and processed by new-domain how would that differ from a malicious third party doing something similar?

sharlino · ‎04-28-2017

From that point of view I agree with your thoughts. Thank you )

Marvin Rhoads · ‎04-28-2017

You're welcome.

Please mark your question as answered if it has been.

Cisco ASA, redirect Anyconnect SSL VPN to new address/url