ASA5520 VPN load balancing with nat and certificates

Unanswered Question
Jul 9th, 2009

We have a scenario where we utilized VPN load balancing with certificates. Recently, we are having a problem where, when the SSL client tries to go to the URL for the virtual IP, it gets presented with the device certificate rather than the virtual LB cert, which results in an error. After researching, I see that there is a related bug: CSCsj38269

Can someone look at the configuration attached and tell me if I am having a config issue rather than bug?

Roman Rodichev Sat, 07/18/2009 - 22:04

You need a wildcard domain certificate (usually more expensive than normal certificates). It would look something like this:

crypto ca trustpoint BUSINESS
 enrollment terminal
 fqdn none
 subject-name CN=*,OU=IT,O=BUSINESS,C=US,St=State,L=City
 keypair BUSINESS
 crl configure

vpn load-balancing
 redirect-fqdn enable
 priority 1
 cluster key BUSINESS
 cluster ip address
 cluster encryption

ssl trust-point BUSINESS outside
ssl trust-point BUSINESS outside vpnlb-ip

fashour Tue, 07/21/2009 - 07:34

My issue has been resolved by an upgrade. There is no need for a wildcard cert. It was confirmed that the bug is the cause.

Roman Rodichev Tue, 07/21/2009 - 07:37

I don't have the details of your setup, but normally in an ASA VPN load-balancing environment (not ASA active/standby failover), if you want users to SSL to a DNS name that resolves to the LB IP, you do need a wildcard cert. The primary LB ASA will redirect the user's browser (or AnyConnect) to the DNS name of one of the two ASAs. You'd need to have three separate certs or one wildcard cert.
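As an added illustration of the point made above (example code, not from the thread or from Cisco): a small Python check that a certificate's names cover every hostname an AnyConnect or browser client can be sent to in a load-balanced connection, the LB FQDN plus each member's redirect FQDN. The hostnames and certificate names are constructed placeholders, and the check also shows why a bare `CN=*` with no domain labels does not count as a wildcard under RFC 6125 matching rules.

```python
"""Verify one certificate covers all names a client sees in an ASA VPN
load-balancing cluster: the LB FQDN (virtual IP) and each member FQDN
that 'redirect-fqdn enable' may send the client to."""

# Constructed example cluster (hypothetical names, not from the thread).
LB_FQDN = "vpn.example.com"                         # resolves to the cluster virtual IP
MEMBER_FQDNS = ["asa1.example.com", "asa2.example.com"]  # redirect-fqdn targets


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' is accepted only as
    the entire leftmost label and only when at least one label follows it,
    so '*.example.com' matches 'asa1.example.com' but a bare '*' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_names(cert_names, fqdns):
    """Return the FQDNs that no subject CN or SAN entry in cert_names covers."""
    return [h for h in fqdns if not any(name_matches(n, h) for n in cert_names)]


def cluster_cert_check(cert_names, lb_fqdn=LB_FQDN, member_fqdns=MEMBER_FQDNS):
    """Empty result means the cert works at both the virtual IP and after the
    redirect to a member; any entry is a name the client will warn about."""
    return uncovered_names(cert_names, [lb_fqdn, *member_fqdns])


if __name__ == "__main__":
    # A single device cert presented at the virtual IP: the symptom in the question.
    print(cluster_cert_check(["asa1.example.com"]))
    # One wildcard cert, or one SAN cert listing all three names: both pass.
    print(cluster_cert_check(["*.example.com"]))
    print(cluster_cert_check([LB_FQDN, *MEMBER_FQDNS]))
    # Bare '*' is not a usable wildcard.
    print(cluster_cert_check(["*"]))
```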
