04-23-2020 02:43 PM
I exported my identity cert off of my existing production ASA for AnyConnect clients and imported it to my new ASA.
Without making a DNS change, but using a hosts file entry for the name, I still get an Identity warning when connecting my AnyConnect client.
When I first installed this cert on the existing prod ASA, I had several alternate DNS names added to the cert, and I changed one of them to the new firewall's outside address. That isn't working either!
The exact same 2 identity certs are on both ASAs. Any ideas?
Thank you in advance.
04-23-2020 02:50 PM
Hi,
When you imported the certificate to the trustpoint, did you enable the certificate on the outside interface? e.g.
ssl trust-point VPN_TP OUTSIDE
Is the certificate issued by a public CA?
Does the client computer trust the CA in use by the ASA?
HTH
04-23-2020 08:26 PM
Inspect the certificate using a browser on the webvpn portal of the new ASA. That will usually highlight whether you are using the intended certificate and what fields (CN, SAN etc.) it is presenting to the client.
Generally speaking, either the CN or a SAN must match the FQDN the client is using.
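As an added illustration of the name check described in this answer (example code, not from the thread or from Cisco), the script below reproduces the identity check an AnyConnect or browser client performs: it takes a certificate in the dict shape Python's ssl.getpeercert() returns and decides whether the name the user typed is covered. It also shows why the original poster's hosts-file entry cannot help: the client matches the typed FQDN against the certificate, and resolving that FQDN to a different IP does not change which name must be present. Per RFC 6125, when a SAN extension is present clients use it and ignore the CN; the CN is consulted only when there is no SAN. The sample certificate, hostnames (vpn-old.example.com, vpn-new.example.com) and the 203.0.113.10 address are constructed placeholders, and fetch_peer_cert is an optional helper for pulling the live certificate off a real listener.

```python
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Certificate shape mirrors ssl.SSLSocket.getpeercert(): "subject" is a tuple of
# RDNs, "subjectAltName" a tuple of (type, value) pairs. This sample is constructed
# to resemble the situation in the thread: SAN carries the old FQDNs plus the new
# firewall's outside IP address, but not the new name the client is typing.
ASA_CERT: Dict = {
    "subject": ((("commonName", "vpn-old.example.com"),),),
    "subjectAltName": (
        ("DNS", "vpn-old.example.com"),
        ("DNS", "vpn-old.example.net"),
        ("IP Address", "203.0.113.10"),  # constructed documentation-range address
    ),
}

# Constructed cert with no SAN at all, so only the CN can match.
CN_ONLY_CERT: Dict = {"subject": ((("commonName", "*.example.com"),),)}


def _subject_cn(cert: Dict) -> Optional[str]:
    """Extract the subject commonName, if any."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard only as the whole
    leftmost label, matching exactly one label and never a bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def check_identity(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason): does the certificate cover the name the client used?"""
    sans: List[Tuple[str, str]] = list(cert.get("subjectAltName", ()))
    if sans:
        # SAN present: clients match against it and ignore the CN entirely.
        dns_names = [v for t, v in sans if t == "DNS"]
        ip_names = [v for t, v in sans if t == "IP Address"]
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, f"matched SAN DNS:{name}"
        if hostname in ip_names:
            return True, f"matched SAN IP Address:{hostname}"
        return False, f"{hostname!r} is not in SAN {dns_names + ip_names}"
    cn = _subject_cn(cert)
    if cn and _dns_match(cn, hostname):
        return True, f"matched CN {cn} (no SAN present)"
    return False, f"no SAN and CN {cn!r} does not match {hostname!r}"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Pull the certificate a live TLS listener actually presents (network call).
    Chain verification stays on (otherwise getpeercert() returns an empty dict);
    only the hostname check is disabled so check_identity() can report on it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # The name the user types is what gets checked; a hosts-file entry only changes
    # where that name resolves, not which names the certificate must contain.
    for name in ("vpn-new.example.com", "vpn-old.example.com", "203.0.113.10"):
        ok, why = check_identity(ASA_CERT, name)
        print(f"{name:22} -> {'OK ' if ok else 'WARN'} ({why})")
```

To check a real headend, call fetch_peer_cert("vpn.example.com") and pass the result to check_identity with the exact FQDN configured in the AnyConnect profile; an ssl.SSLCertVerificationError from the fetch indicates the separate CA-trust problem raised earlier in the thread rather than a name mismatch.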