FTD AnyConnect does not match the server name

LuoJunZhi4816
Level 1

How do I write a certificate that can be used by two FTDs (an HA pair)?

After I set up the AnyConnect settings on FMC VPN (remote access), the PC can now successfully access the FTD's Outside interface and get an IP address from the IP pool. But it keeps showing the alarm "Certificate does not match the server name".

The Cisco guide shows only one FTD in the lab topology, so they only have one FQDN.

Should I name both of my FTDs with the same FQDN, or what can I do to clear this alarm?


6 Replies

marce1000
VIP

 

- Check this thread: https://community.cisco.com/t5/vpn/anyconnect-quot-certificate-does-not-match-the-server-name-quot/td-p/3996987

 M.



-- 'Good body every evening': this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hi @marce1000,

I had checked this post before I set up the AnyConnect cert enrollment. I also tried it in my lab (which only has one FTD) and it worked without any alarms. But in the real scenario we have two FTDs and each of them has its own FQDN.

 

The custom FQDN and the CN values in the certificate enrolment parameters should match the FQDN you use on the AnyConnect clients to connect to the VPN which would be the same as the FQDN you assigned on the HA pair. That FQDN should resolve to the floating IP address of the outside interface of the HA pair.

Hi @Aref Alsouqi,

Here is the guide I follow: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html

I think maybe I should give both FTDs the same hostname, so that they'll only have one FQDN to be used to fill in the certificate enrolment parameters (Custom FQDN) and (Common Name).


Tip: you can get the FQDN of your FTD by typing the following command from the FTD CLI:

> show network
===============[ System Information ]===============
Hostname : ciscofp3.cisco.com
Domains : cisco
DNS Servers : 192.168.1.20
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1
 
======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:0C:29:4F:AC:71
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.2
Netmask : 255.255.255.0 


Hi, I think what you can do in this case would be to use an FQDN that is not related to the firewalls' names and then point the DNS record to the firewalls' floating IP address on the outside interface.
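The name-matching rule behind the advice above (the client checks the FQDN it dialed against the certificate's dNSName SANs, or the CN when no SAN is present), shown as an added example that is not from the thread or from Cisco; the unit names, FQDNs and certificates below are constructed to illustrate why per-unit certs on an HA pair fail and a cert for the shared VPN FQDN passes.

```python
"""Check whether a TLS server certificate's names cover the FQDN an
AnyConnect client dials (the check that raises "Certificate does not
match the server name" when it fails)."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    common_name: str
    san_dns: list = field(default_factory=list)  # dNSName SAN entries


def _label_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one DNS name pattern, RFC 6125 style:
    a single leading '*' may replace exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_rest, h_labels = pattern[2:], host.split(".")
    # the wildcard covers one label only and never a whole registrable domain
    return len(h_labels) > 2 and ".".join(h_labels[1:]) == p_rest


def cert_matches_host(cert: CertNames, host: str) -> bool:
    """If the cert carries dNSName SANs, only they count (CN is ignored);
    a SAN-less cert falls back to its CN."""
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_label_match(n, host) for n in names)


def check_ha_pair(certs_per_unit: dict, vpn_fqdn: str) -> dict:
    """Map each FTD unit to whether its cert covers the shared VPN FQDN."""
    return {unit: cert_matches_host(c, vpn_fqdn)
            for unit, c in certs_per_unit.items()}


# Constructed example names (hypothetical, not from the thread).
VPN_FQDN = "vpn.example.com"  # resolves to the HA pair's outside floating IP
PER_UNIT_CERTS = {  # one cert per unit, each issued for that unit's hostname
    "ftd-primary": CertNames("ftd1.example.com", ["ftd1.example.com"]),
    "ftd-secondary": CertNames("ftd2.example.com", ["ftd2.example.com"]),
}
# one cert for the pair: CN and SAN carry the FQDN the clients actually dial
SHARED_CERT = CertNames(VPN_FQDN, [VPN_FQDN, "ftd1.example.com", "ftd2.example.com"])

if __name__ == "__main__":
    print(check_ha_pair(PER_UNIT_CERTS, VPN_FQDN))  # both units: False
    print(cert_matches_host(SHARED_CERT, VPN_FQDN))  # True
```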

Hi @Aref Alsouqi,

Thank you for your help! Now the server name mismatch alarm isn't showing up anymore.
