Firepower Anyconnect - Certificate does not match server name

jlittle5376
Level 1

I am trying to create a new certificate from a new CA server that has been created, and I am receiving the error "Certificate does not match the server name" when trying to connect to the VPN.

I am using an internal CA to create the VPN certificate and I think I have done it correctly; I have tried just about a million ways of creating it.

Any thoughts or ideas on what could be causing the issue? I am relatively new to setting up AnyConnect and Firepower, for that matter. So I'm sure it's something simple I'm missing.

12 Replies

@jlittle5376 the common name (server name) of the certificate needs to match the FQDN you enter when connecting to the VPN. So if you enter "vpn.domain.com" in AnyConnect when you attempt to establish a VPN connection, then the common name of the certificate needs to be "vpn.domain.com".

If you connect to the IP address of the firewall but the common name is "vpn.domain.com" then it would error as well.

Thanks Rob! So that may be our issue, since we connect to the IP. I am trying to pick up all the pieces since this was in place before my time. But it seemed to work with an alias name before, and it used the IP to connect and did not give that error. Would there be a way to still use the IP and not get this error? Would I maybe just need to enroll the certificate with the IP address as the CN?

@jlittle5376 yes that would work, though typically you use a FQDN to connect to. You could just register the name on the certificate with your public DNS provider, map the FQDN to the IP address.

So I have tried both ways and I still seem to receive the same error. If I am just using RADIUS for authentication, do I need to install any certificates on the client? Could that be my issue?

@jlittle5376 the clients need to trust the CA that signed the certificate to the firewall.

Provide the screenshot of the error and the actual certificate information.

So I'll do my best to share as much as I can. I know it's hard to say without the specifics, but I appreciate the help!

I do have a trust for the CA in Trusted Certificate Authorities.

So this is the error I see. We use an on-site Certificate Authority, and no matter how I issue the certificate request from Firepower, whether that be an FQDN from the DNS provider or the IP address, I get the error below.


Like I mentioned, I initiate the CSR from Firepower and import that request into our local CA, and it creates the certificate. For explanation purposes let's call the CA "Server1" and the firewall device "FTD1", so the identity cert shown in FMC would be:

Issued To: FTD1

IP Address: 1.2.3.4

Common Name: connect.domain.com (This is where I have tried everything, though, from the IP address to an FQDN I created on the DNS provider. Nothing seems to work.)

I then connect with AnyConnect using the IP 1.2.3.4 and I receive that error. The profile that was set up previously also downloads once connected and then adds alias names for the IP address called "Site1", which also gives the same error. There is a working VPN instance set up the exact same way that works. But I can't figure out why this new server will not work.

I do not see the option to trust the VPN server and import the certificate. I do have "Block connections to untrusted servers" unticked, though.

There are three certs.
First, the cert of the server <this includes a digital signature>. You must add the cert of the new server to the client PC and to the ASA; otherwise the other certs check the digital signature of the OLD server with the new certs below.
Second, the client cert <optional>; this is signed by the digital signature from the first cert. This is exchanged when the connection starts.
Third, the ASA cert; this is signed by the digital signature from the first cert. This is exchanged when the connection starts.
This link is for the profile editor and configuring the CA cert:
https://technook.home.blog/2019/07/11/cisco-anyconnect-managent-vpn-tunnel-microsoft-ca/

@jlittle5376 so does the "FQDN from DNS provider" match the exact name on the certificate? Open the certificate in openssl or a browser and compare the output to the IP address or FQDN you connect with.

It does appear to match exactly:

Issuer: DC = local, DC = localdomain, CN = Server1
Validity
Not Before: Aug 22 17:37:54 2022 GMT
Not After : Aug 22 17:37:54 2023 GMT
Subject: unstructuredAddress = 1.2.3.4, unstructuredName = ftd1, C = US, ST = State, L = City, O = Department, OU = Company, CN = connect.domain.com, emailAddress = itsupport@domain.com
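As an added illustration (not part of the thread), the following is the name check a TLS client such as AnyConnect performs against a certificate, written against the dictionary layout of Python's ssl.getpeercert(); the two sample certificates are constructed here to mirror the subject shown above. Note that the IP in that subject is only a PKCS#9 unstructuredAddress attribute, which no client consults: an IP typed into the client is matched solely against an "IP Address" subjectAltName entry, and the CN is at best a fallback for DNS names on certificates that carry no SAN at all.

```python
import ipaddress

def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match; a single '*' allowed only as the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_server_name(cert, server_name):
    """True if the name the user typed matches the certificate (ssl.getpeercert() dict layout).
    If a subjectAltName exists it is the only thing consulted; an IP literal only ever
    matches an 'IP Address' SAN entry; the CN is a fallback for DNS names when no SAN exists."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and _dns_match(value, server_name):
                return True
        return False          # SAN present and nothing matched: CN is ignored
    if ip is not None:
        return False          # an IP typed into the client never matches a CN
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, server_name):
                return True
    return False

# Constructed sample mirroring the subject in the thread: the IP appears only as an
# unstructuredAddress attribute and there is no subjectAltName extension at all.
FTD_CERT_NO_SAN = {"subject": ((("unstructuredAddress", "1.2.3.4"),), (("unstructuredName", "ftd1"),),
                               (("countryName", "US"),), (("commonName", "connect.domain.com"),))}
# Same subject plus the SAN entries a client actually checks (constructed).
FTD_CERT_WITH_SAN = dict(FTD_CERT_NO_SAN,
                         subjectAltName=(("DNS", "connect.domain.com"), ("IP Address", "1.2.3.4")))

def check_all():
    """Which (certificate, name typed into AnyConnect) combinations pass the check."""
    return {"no_san_by_ip": cert_matches_server_name(FTD_CERT_NO_SAN, "1.2.3.4"),
            "no_san_by_fqdn": cert_matches_server_name(FTD_CERT_NO_SAN, "connect.domain.com"),
            "san_by_ip": cert_matches_server_name(FTD_CERT_WITH_SAN, "1.2.3.4"),
            "san_by_fqdn": cert_matches_server_name(FTD_CERT_WITH_SAN, "connect.domain.com")}
```

Connecting by IP only passes with the SAN-bearing certificate, which is why a CSR for a gateway reached by address needs an iPAddress SAN rather than the IP placed in the subject.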

@jlittle5376 Is the ASA actually using the new certificate? If you've added the new certificate to the ASA, enable this new trustpoint on the outside interface.

ssl trust-point LAB_PKI OUTSIDE