02-28-2012 05:48 AM - edited 02-21-2020 05:54 PM
I have a problem that is driving me nuts.
Here is the pertinent information first...
Windows 7
Cisco AnyConnect Secure Mobility Client 3.0.4235
Cisco ASA 5510 firewall 8.2
The problem is..
...When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message. If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem.
Unfortunately, the certificate it selects has nothing to do with my organization (in fact, the certificate is for "*.whitepages.com" - see images). To make matters worse, I cannot find this referenced certificate anywhere under my user context in Windows.
I have tried removing, rebooting, and re-installing - it does no good.
How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization?
Thank you,
Charles
05-04-2012 09:54 AM
I have the same issue, almost exactly - the only difference is that I am using version 2.5.3055 of the AnyConnect client.
When I try to connect to my VPN, I get the same *.whitepages.com certificate coming up, and whether I accept, decline or cancel, I am unable to connect. I CAN connect if I access my VPN using the webvpn link.
Hopefully someone finds a solution for this, because I have a lot of users that connect to my VPN.
Thanks,
05-06-2012 08:03 AM
Try editing the profile to look for the cert you want. I have mine looking for certs with a certain ou.
05-07-2012 07:11 AM
The issue does not seem to be with the user certificate, it seems to be with the site certificate. When I open the AnyConnect client, I have it set to ask which certificate to use. I select my certificate, but it is after that point where the error occurs, as if my ASA is sending out the *.whitepages.com certificate.
I have not made any changes to my certificates since February, and this issue only began on May 4th.
05-07-2012 07:59 AM
After some more troubleshooting today, I tried a few more steps, and have been successful:
1) I removed my device certificate from the interfaces it was assigned to
2) I completely rebuilt my AnyConnect profile .xml file, and assigned it to the relevant group
3) I reenabled the device certificate on my interfaces.
Once that was done, my connections are working properly, and the issue with the *.whitepages.com certificate is gone.
I hope this helps someone else, because this drove me crazy for a few days.
Thanks,
Jason
05-08-2012 05:09 AM
Another update to this issue:
The *.whitepages certificate has come back. It still only happens when I try to connect to my gateway by FQDN. If I use IP address, I don't have this problem. I have not been able to find any other person who is experiencing this issue, but it's strange that we would both be having the problem with the same certificate name.
07-15-2012 04:09 AM
Win7 32bit
Client 3.0.08057
ASA5510 8.4(4)1
I have almost the exact same issue. What I think happens is that the AnyConnect client lists the certificates that are in the user certificate store of the Windows 7 machine. Unfortunately it does display the already installed user certificate from the ASA. I got around this issue by adding Certificate Matching to my client Profile. I used the ISSUER-CN for matching. And now it works smoothly.
08-09-2012 08:11 AM
I've come across this issue also. I've put in values for Certificate Matching BUT it only applies AFTER the first login attempt. So the first login attempt, it will use the wrong cert, user logs out, then on the second login attempt it reads the newly downloaded connection profile, identifies the certificate matching value, and then denies the login unless the proper certificate is in place.
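
The Certificate Matching setting that several replies above describe, shown as an added example that is not taken from any poster's profile: a fragment of an AnyConnect client profile that limits which client certificates the client will offer, matching on the issuer's CN. The pattern value is a constructed placeholder; substitute the CN of your own issuing CA.

```xml
<!-- Added example: fragment of an AnyConnect client profile (.xml). -->
<!-- "Example Corp Issuing CA" is a placeholder, not a value from this thread. -->
<ClientInitialization>
  <CertificateMatch>
    <!-- Only consider certificates usable for client authentication. -->
    <ExtendedKeyUsage>
      <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
    </ExtendedKeyUsage>
    <DistinguishedName>
      <!-- Match on the CN of the certificate's issuer (ISSUER-CN). -->
      <!-- To match on an organizational unit instead, use <Name>OU</Name>. -->
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
        <Name>ISSUER-CN</Name>
        <Pattern>Example Corp Issuing CA</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
  </CertificateMatch>
</ClientInitialization>
```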