07-17-2013 11:14 AM
Hello,
I've got an ASA5505 running on version 9.0(2) and am trying to set up AnyConnect for VPN access.
When I use Secure Mobility Client and try connecting to the VPN, I get an alert saying:
Security Warning: Untrusted VPN Server Certificate! AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX
Certificate does not match the server name
Certificate is from an untrusted source.
Certificate is not identified for this purpose.
I'm using DynDNS service to register my IP address in the public domain, and that seems to be operational. Do I need to set my ASA's hostname and domain to match the DNS entry? For example, hostname xyz domain 123.net for the DNS entry xyz.123.net.
I'm also using self-signed certificates with 2048 modulus. Is this the problem? I realize it's the cause of the 'untrusted source' error, but I'm not sure about the other two.
07-17-2013 12:04 PM
Your self-signed certificate will have embedded whatever hostname and domain were in place at the time it was created. If your clients access the VPN gateway using its DNS name, the certificate should match the DNS name to avoid the "does not match" error.
The "untrusted" error can be fixed by importing the certificate into the client's trusted root CA store.
I'm not positive about the last one. Sounds like something wrong with the certificate itself - perhaps some options chosen when it was created.
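The three AnyConnect warnings quoted in the question map onto three separate checks a TLS client makes on the server certificate: name match, trust, and key purpose. The following is an added example written for this thread, not Cisco's or AnyConnect's code; it models a certificate as a small record (constructed sample data, not a parsed X.509 file) and evaluates each check the way a client would. The names xyz.123.net and "ciscoasa" and the fingerprint values are stand-ins chosen for illustration.

```python
"""Evaluate the three checks a VPN/TLS client applies to a server certificate:
hostname match, trust (is the cert in the client's store), and extended key
usage. Certificate metadata is modelled as a dataclass with constructed
sample values; nothing here parses a real certificate."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    subject_cn: str
    issuer_cn: str
    san_dns: list = field(default_factory=list)   # DNS names from the SAN extension
    san_ip: list = field(default_factory=list)    # IP addresses from the SAN extension
    eku: list = field(default_factory=list)       # extended key usage, e.g. ["serverAuth"]
    fingerprint: str = ""                          # constructed SHA-256 hex stand-in


def _label_match(pattern: str, name: str) -> bool:
    """RFC 6125-style matching: '*' may only stand for the whole leftmost label
    and must not match across label boundaries or a bare public suffix."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels) or len(n_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def _looks_like_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def hostname_matches(cert: CertInfo, target: str) -> bool:
    """An IP literal is only matched against IP SANs, never a DNS name.
    For DNS targets the SAN list takes precedence; the subject CN is consulted
    only when the certificate carries no DNS SAN at all."""
    if _looks_like_ip(target):
        return target in cert.san_ip
    if cert.san_dns:
        return any(_label_match(p, target) for p in cert.san_dns)
    return _label_match(cert.subject_cn, target)


def is_trusted(cert: CertInfo, trust_store: set) -> bool:
    """A self-signed cert is trusted only if the client explicitly imported it."""
    return cert.fingerprint in trust_store


def valid_for_server_auth(cert: CertInfo) -> bool:
    """No EKU extension means 'any purpose'; if present it must list serverAuth."""
    return not cert.eku or "serverAuth" in cert.eku


def evaluate(cert: CertInfo, target: str, trust_store: set) -> list:
    """Return the warning strings a client would raise, in AnyConnect's wording."""
    warnings = []
    if not hostname_matches(cert, target):
        warnings.append("Certificate does not match the server name")
    if not is_trusted(cert, trust_store):
        warnings.append("Certificate is from an untrusted source")
    if not valid_for_server_auth(cert):
        warnings.append("Certificate is not identified for this purpose")
    return warnings


# Constructed "before" certificate: generated while the ASA still had its default
# hostname, never imported on the client, and marked for client auth only.
BROKEN_CERT = CertInfo(subject_cn="ciscoasa", issuer_cn="ciscoasa",
                       eku=["clientAuth"], fingerprint="aa" * 32)

# Constructed "after" certificate: CN and SAN match the DynDNS name, and the
# client has imported its fingerprint into its trust store.
FIXED_CERT = CertInfo(subject_cn="xyz.123.net", issuer_cn="xyz.123.net",
                      san_dns=["xyz.123.net"], eku=["serverAuth"],
                      fingerprint="bb" * 32)
TRUST_STORE = {FIXED_CERT.fingerprint}

if __name__ == "__main__":
    for label, cert in (("before", BROKEN_CERT), ("after", FIXED_CERT)):
        print(label, evaluate(cert, "xyz.123.net", TRUST_STORE) or ["ok"])
    # Connecting by IP literal fails the name check even with the fixed cert,
    # because the certificate carries no IP SAN.
    print("by IP", evaluate(FIXED_CERT, "203.0.113.10", TRUST_STORE))
```

The "by IP" case is worth noting against the original warning, which names the server by address: even a correctly issued certificate for the DNS name will not satisfy the name check when the client connects to the raw IP, so the profile or the user should use the DNS name the certificate was issued for.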
07-17-2013 12:54 PM
First two issues have been removed. I had the CN wrong and needed to do the import, though the import was a little tricky.
The third issue still remains. I have no idea. Could it be the 'general-keys' option that is used when creating the RSA key?
07-17-2013 01:26 PM
Alright, third issue is now gone and I can connect to the VPN.
While I was experimenting/troubleshooting before making this thread I tried using port 4443 for the webvpn settings. I changed those back to 443 and the problems went away.
Thanks anyways for the assist, Marvin!
07-17-2013 01:29 PM
You're welcome. Thanks for the rating.
I was about to post that the configuration guideline says "You can generate a general purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose."
It can be confusing when you are changing one thing after another to get everything working as desired to be meticulous and undo every change that didn't fix things.