Secure Mobility Client assistance; Untrusted Cert issues

jpeterson6
Level 2

Hello,

I've got an ASA5505 running on version 9.0(2) and am trying to set up AnyConnect for VPN access.

When I use Secure Mobility Client and try connecting to the VPN, I get an alert saying:

Security Warning: Untrusted VPN Server Certificate!  AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX

Certificate does not match the server name

Certificate is from an untrusted source.

Certificate is not identified for this purpose.

I'm using DynDNS service to register my IP address in the public domain, and that seems to be operational. Do I need to set my ASA's hostname and domain to match the DNS entry? For example, hostname xyz domain 123.net for the DNS entry xyz.123.net.

I'm also using self-signed certificates with 2048 modulus. Is this the problem? I realize it's the cause of the 'untrusted source' error, but I'm not sure about the other two.

Accepted Solution

Marvin Rhoads
Hall of Fame

Your self-signed certificate will have embedded whatever hostname and domain were in place at the time it was created. If your clients access the VPN gateway using its DNS name, the certificate should match the DNS name to avoid the "does not match" error.

The "untrusted" error can be fixed by importing the certificate into the client's trusted root CA store.

I'm not positive about the last one. Sounds like something wrong with the certificate itself - perhaps some options chosen when it was created.

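Marvin's answer covers the first two warnings: the name check (what the user typed into the client versus what the certificate was issued for) and the trust check (whether the certificate's issuer is in the client's trusted root store). The following is an added example written for this page, not Cisco or AnyConnect code; it replays both checks in Python over constructed certificates laid out like the dict that `ssl.SSLSocket.getpeercert()` returns. The host name xyz.123.net comes from the question; the 203.0.113.10 address, the assumed factory hostname 'ciscoasa', and the modelling of the trust store as a set of accepted issuer names are assumptions for illustration. It goes slightly beyond the thread by also showing a certificate that lists the public IP in its subjectAltName, which is the only way a connection made by IP address passes the name check.

```python
"""Replay of the name and trust checks a VPN client runs on the gateway's
certificate.  Added example for this thread, not Cisco/AnyConnect code.
Certificates are constructed dicts in the layout ssl.SSLSocket.getpeercert()
returns; the third warning in the thread (not identified for this purpose)
is not modelled here."""
import ipaddress

# Constructed: self-signed cert generated after 'hostname xyz' and
# 'domain-name 123.net' were set, so the CN is xyz.123.net; the FQDN in the
# SAN is assumed (it is optional on the ASA trustpoint).
ASA_CERT = {
    "subject": ((("commonName", "xyz.123.net"),),),
    "issuer": ((("commonName", "xyz.123.net"),),),   # self-signed: issuer == subject
    "subjectAltName": (("DNS", "xyz.123.net"),),
}

# Constructed: same gateway, but the cert was generated while the box still
# carried its factory hostname (assumed 'ciscoasa') and no domain name.
FACTORY_NAME_CERT = {
    "subject": ((("commonName", "ciscoasa"),),),
    "issuer": ((("commonName", "ciscoasa"),),),
}

# Constructed: cert that also names the public address (203.0.113.10 is a
# documentation address) in the SAN, so connecting by IP can match too.
IP_SAN_CERT = {
    "subject": ((("commonName", "xyz.123.net"),),),
    "issuer": ((("commonName", "xyz.123.net"),),),
    "subjectAltName": (("DNS", "xyz.123.net"), ("IP Address", "203.0.113.10")),
}


def names_in_cert(cert):
    """Return (dns_names, ip_names) the certificate is valid for.

    SAN entries win; the subject CN is consulted only when there is no SAN,
    which is the legacy fallback most clients still apply."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value)
    return dns, ips


def _dns_match(pattern, host):
    """Case-insensitive DNS name comparison; '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def name_matches(cert, target):
    """True if `target` (what the user typed into the client: a DNS name or an
    IP literal) is covered by the certificate.  An IP literal only ever matches
    an 'IP Address' SAN entry, never a CN or DNS entry, which is why reaching
    a gateway by address produces 'does not match the server name'."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    dns, ips = names_in_cert(cert)
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in ips)
    return any(_dns_match(p, target) for p in dns)


def diagnose(cert, target, trusted_issuers):
    """Return the warnings a client would raise, in the wording of the thread.

    `trusted_issuers` models the client's trusted root store as the set of
    subject names it accepts as issuers (an assumption of this example).  For a
    self-signed cert the issuer is its own subject, so 'importing the
    certificate into the trusted root CA store' is adding cert['subject']."""
    warnings = []
    if not name_matches(cert, target):
        warnings.append("Certificate does not match the server name")
    if cert["issuer"] not in trusted_issuers:
        warnings.append("Certificate is from an untrusted source")
    return warnings


if __name__ == "__main__":
    store = set()
    print("by IP, nothing imported:", diagnose(ASA_CERT, "203.0.113.10", store))
    print("by IP, IP in SAN:       ", diagnose(IP_SAN_CERT, "203.0.113.10", store))
    store.add(ASA_CERT["subject"])          # the import step from the answer
    print("by DNS name, imported:  ", diagnose(ASA_CERT, "xyz.123.net", store))
    print("stale hostname cert:    ", diagnose(FACTORY_NAME_CERT, "xyz.123.net", store))
```

To see what a gateway actually presents rather than a constructed dict, `ssl.get_server_certificate(("xyz.123.net", 443))` returns the PEM regardless of trust, and `openssl x509 -noout -subject -ext subjectAltName` on that PEM prints the names the client will compare against. Note that the stale-hostname case in the example is exactly the situation the answer describes: the certificate keeps whatever name was in place when it was generated, so changing the hostname afterwards does nothing until the certificate is regenerated.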

4 Replies


First two issues have been removed. I had the CN wrong and needed to do the import, though the import was a little tricky.

The third issue still remains. I have no idea. Could it be the 'general-keys' option that is used when creating the RSA key?

Alright, third issue is now gone and I can connect to the VPN.

While I was experimenting/troubleshooting before making this thread I tried using port 4443 for the webvpn settings. I changed those back to 443 and the problems went away.

Thanks anyways for the assist, Marvin!

You're welcome. Thanks for the rating.

I was about to post that the configuration guideline says "You can generate a general purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose."

It can be confusing, when you are changing one thing after another to get everything working as desired, to be meticulous and undo every change that didn't fix things.