UNTRUSTED VPN SERVER NOTIFICATION

ladani001
Level 1

Hello 

There is a certificate error/notification when AnyConnect users try to connect to an ASA 5525 running version 9.6(1).

The SSL information and certificate error are attached here.

Thank You

Yashar.

3 Replies

Dinesh Moudgil
Cisco Employee

Hi,

How are you connecting to the VPN? Is that via IP or hostname?

Either way, you need to make sure that you are connecting to the hostname or IP depending on to whom the certificate was issued.
Additionally, make sure the trustpoint containing the certificate is applied on the correct interface of the VPN headend, the one you are connecting to from the client.
e.g. ssl trust-point <trustpoint name> outside

Regards,
Dinesh Moudgil


Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi 

The cert is set on the outgoing interface, the one VPN clients connect to for authentication. The certificate is issued for a domain name, which is the VPN server address, and the same hostname as in the following example.

ASA hostname: b-asa.mydomain.com

Server Address: a.mydomain.com

-----------------

Cert issued to:

CN: a.mydomain.com, status: signature

Hostname = b-asa.mydomain.com

------------------

Connection Profile > aliases = c-ssl

and it's not working as a trusted VPN.

Thank you

Hello All 

I finally found a solution and fixed this issue.

I assume you have enrolled a certificate for a.example.com. The cert that you applied to the interface must match the URL, otherwise it won't work.

- CN = a.example.com

- DNS/nslookup = a.example.com resolves to ASA_IP

- CN matches the DNS

Step 1:

Make sure you have installed an 'identity general' type certificate on your machine. It won't work if you have a 'self signed' certificate.

Step 2: Follow ...

1. AnyConnect Client Profile

2. Edit the Anyconnect_Group profile

3. Edit the Server List

4. Add or edit the hostname

5. Host Display: a.example.com and FQDN: a.example.com

Thank You

Yashar
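The two checks the posts above describe, a trusted (non-self-signed) identity certificate and a server address that matches the name the certificate was issued to, are what produces or clears the "Untrusted VPN Server" warning. The following is an added example, not code from the thread or from Cisco, showing the name-matching rule a TLS client applies: DNS SANs first, CN only as a fallback when there are no SANs, a wildcard only as the whole leftmost label, and an IP address only matching an IP SAN. The certificate dicts are constructed to mirror the thread's case (CN a.mydomain.com on an ASA whose hostname is b-asa.mydomain.com) and use the shape Python's `ssl.SSLSocket.getpeercert()` returns; `probe_headend` is a hypothetical live check against a real headend and is not exercised here.

```python
"""Name-matching check behind AnyConnect's "Untrusted VPN Server" warning.
Added example; not from the original thread or from Cisco."""
from __future__ import annotations

import ipaddress
import socket
import ssl


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' allowed only as the whole
    leftmost label, never matching across dots or a public suffix alone."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str], str | None]:
    """Extract DNS SANs, IP SANs and the subject CN from a getpeercert() dict."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns, ips, cn


def server_address_matches(cert: dict, server_address: str) -> tuple[bool, str]:
    """Return (matches, reason) for the address typed into the client."""
    dns, ips, cn = cert_names(cert)
    try:
        addr = ipaddress.ip_address(server_address)
    except ValueError:
        addr = None
    if addr is not None:
        # Connecting by IP: only an IP SAN counts; a CN or DNS SAN never matches an IP.
        if any(ipaddress.ip_address(i) == addr for i in ips):
            return True, f"IP SAN {addr}"
        return False, f"no IP SAN for {addr}; certificate is for {dns or cn}"
    if dns:
        # When DNS SANs are present the CN is ignored by modern clients.
        for name in dns:
            if _dns_label_match(name, server_address):
                return True, f"DNS SAN {name}"
        return False, f"no DNS SAN matches {server_address} (SANs: {dns})"
    if cn and _dns_label_match(cn, server_address):
        return True, f"CN {cn} (no SAN present)"
    return False, f"CN {cn!r} does not match {server_address}"


def probe_headend(server_address: str, port: int = 443) -> str:
    """Hypothetical live check (not run here): verify the chain against the
    local trust store (the thread's step 1), then check the name (step 2)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by server_address_matches
    try:
        with socket.create_connection((server_address, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_address) as tls:
                ok, why = server_address_matches(tls.getpeercert(), server_address)
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted: chain not trusted ({exc.verify_message}); self-signed or unknown CA"
    return ("trusted: " if ok else "untrusted: name mismatch, ") + why


# Constructed certificate dicts modelled on the thread (not real certificates).
THREAD_CERT = {"subject": ((("commonName", "a.mydomain.com"),),)}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("IP Address", "203.0.113.10")),
}

if __name__ == "__main__":
    for cert, address in ((THREAD_CERT, "a.mydomain.com"),
                          (THREAD_CERT, "b-asa.mydomain.com"),
                          (THREAD_CERT, "203.0.113.10"),
                          (WILDCARD_CERT, "203.0.113.10")):
        print(address, "->", server_address_matches(cert, address))
```

The thread's fix lines up with this: the profile's Server List FQDN must be the name in the certificate (a.mydomain.com), not the ASA's own hostname (b-asa.mydomain.com), and a client that connects by IP will still get the warning unless the certificate carries that IP as a SAN.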