08-27-2025 07:58 AM
Hello,
ASA HA failover pair running 9.16482
ASDM v. 7.20(2)
Secure Client 5.0 updating to 5.1.10 w/ Umbrella mod
I am rolling out the Umbrella mod to Secure Client for roaming Umbrella coverage off-net, due to an incident that happened recently.
I was going to force a Secure Client update via my ASA, so I copied the install to the firewall, but then we decided to use Intune to push it out since not all my users VPN in on a regular basis. I never changed the Secure Client software on the ASA. We started with a test group of 6 laptops just to test the Umbrella mod before rolling out to the whole company.
Later that day it was reported to me by many of my users (not in the test group) that there was a strange entry in Secure Client as a VPN connection. Secure Client defaulted to this entry. This was a server in my domain, but it was my NPS server, used for MFA verification during VPN login.
I replaced the entry with my actual VPN connection server (vpn.domain.com) in: config > network client access > secure client profile > (edit) server list, and the entry is now gone. However, now every connection is warned that it is connecting to an untrusted site and must choose to connect anyway to proceed to login.
I have a valid signed wildcard cert that has been in place since Feb 2, 2025, updated annually.
I checked it and it is certainly still valid until Feb 1, 2026.
I thought I would just replace it with the same cert, as if I were installing a new cert, and now my trustpoint has 2 entries: TP14 (original) and TP15 (new). I update this cert every year and this has never happened. Adding a new cert always adds a single new associated trustpoint.
Questions are:
1) How do I get the trustpoint back to a single entry? Just delete it completely and add a new one using the same valid wildcard cert expiring in Feb 2026?
2) Any idea why changing the server listed in the Secure Client profile would cause my cert to not validate the connection, like it always has been doing?
Output from ASA (truncated):
ASA-PRI# sh cry ca certificates
Certificate
Status: Available
Validity Date:
start date: 18:00:00 CST Feb 23 2025
end date: 17:59:59 CST Feb 1 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint15 ASDM_TrustPoint14
ASDM shows the outside interface is using both trustpoints 15 & 14, but the CLI only shows it using 14:
ASA-PRI# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group14
ssl ecdh-group group19
ssl trust-point ASDM_TrustPoint14 outside
ssl certificate-authentication fca-timeout 2
Thanks
D
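The dual-trustpoint condition and the outside-interface binding quoted above can be checked mechanically from the same two command outputs. The script below is an added example, not code from the original post or from Cisco; it parses constructed samples shaped like the "show crypto ca certificates" and "show run all ssl" output above and reports a certificate shared by more than one trustpoint, a certificate outside its validity window, and a missing or orphaned "ssl trust-point" binding on the outside interface.

```python
import re
from datetime import datetime

# Constructed sample shaped like the 'show crypto ca certificates' output in the post
SHOW_CERTS = """\
Certificate
Status: Available
Validity Date:
start date: 18:00:00 CST Feb 23 2025
end date: 17:59:59 CST Feb 1 2026
Storage: config
Associated Trustpoints: ASDM_TrustPoint15 ASDM_TrustPoint14
"""

# Constructed sample with the relevant line from 'show run all ssl'
SHOW_SSL = """\
ssl trust-point ASDM_TrustPoint14 outside
"""

def parse_asa_date(text):
    """Parse '17:59:59 CST Feb 1 2026'; the zone token is dropped (naive datetime)."""
    clock, _zone, mon, day, year = text.split()
    return datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")

def parse_certificates(output):
    """One dict per 'Certificate' block: validity window and associated trustpoint names."""
    certs = []
    for block in re.split(r"^Certificate\s*$", output, flags=re.M)[1:]:
        fields = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, flags=re.M))
        certs.append({"start": parse_asa_date(fields["start date"]),
                      "end": parse_asa_date(fields["end date"]),
                      "trustpoints": fields.get("Associated Trustpoints", "").split()})
    return certs

def audit(cert_output, ssl_output, now, iface="outside"):
    """Flag a cert shared by several trustpoints and check what is bound to iface."""
    certs = parse_certificates(cert_output)
    m = re.search(rf"^ssl trust-point (\S+) {iface}\b", ssl_output, flags=re.M)
    bound = m.group(1) if m else None
    findings = []
    for c in certs:
        if len(c["trustpoints"]) > 1:  # the condition the post describes (TP14 + TP15)
            findings.append("duplicate trustpoints: " + " ".join(c["trustpoints"]))
        if not (c["start"] <= now <= c["end"]):
            findings.append("cert outside validity window")
    if bound is None:
        findings.append(f"no ssl trust-point bound to {iface}")
    elif not any(bound in c["trustpoints"] for c in certs):
        findings.append(f"{bound} bound to {iface} has no certificate")
    return bound, findings
```

This only audits the ASA's own configuration; it does not replace checking what the gateway actually presents to the client, which you can do by inspecting the certificate and chain in a browser or with openssl s_client against vpn.domain.com.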
08-27-2025 09:16 AM - edited 08-27-2025 09:17 AM
I just went ahead and removed the dual trustpoint from my outside interface, deleted it from identity certs and created a new one using the same valid wildcard cert. My trustpoints look normal now, with only a single cert associated with it, but I'm still getting the untrusted site error upon login.
I browsed to the site and checked the cert, and it is valid.
But I'm still getting this warning.
09-01-2025 02:50 PM
Did you get an answer?
MHM