ASA5520 VPN load balancing with nat and certificates

fashour
Level 1

We have a scenario where we utilized VPN load balancing with certificates. Recently, we are having a problem where, when the SSL client tries to go to the URL for the virtual IP, it gets presented with the device certificate rather than the virtual LB cert, and this results in an error. After researching, I see that there is a related bug: CSCsj38269.

Can someone look at the configuration attached and tell me if I am having a config issue rather than a bug?

3 Replies

Roman Rodichev
Level 7

You need a wildcard domain certificate (usually more expensive than normal certificates); it would look something like this:

```
! Trustpoint holding the wildcard certificate for the whole domain
crypto ca trustpoint BUSINESS
 enrollment terminal
 fqdn none
 ! Wildcard CN so the same cert is valid for the VIP name and every member name
 subject-name CN=*.BUSINESS.com,OU=IT,O=BUSINESS,C=US,St=State,L=City
 keypair BUSINESS
 crl configure
!
! VPN load-balancing cluster; redirect-fqdn sends clients to a member's DNS name
vpn load-balancing
 redirect-fqdn enable
 priority 1
 cluster key BUSINESS
 cluster ip address
 cluster encryption
 participate
!
! Bind the same trustpoint to the outside interface address and to the cluster VIP
ssl trust-point BUSINESS outside
ssl trust-point BUSINESS outside vpnlb-ip
```

My issue has been resolved by an upgrade. There is no need for a wildcard cert. It was confirmed that the bug is the cause.

I don't have the details of your setup, but normally in an ASA VPN load-balancing environment (not ASA active/standby failover), if you want users to SSL to a DNS name that resolves to the LB IP, you do need a wildcard cert. The primary LB ASA will redirect the user's browser (or AnyConnect) to the DNS name of one of the two ASAs. You'd need to have three separate certs or one wildcard cert.
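To make the point above concrete, here is an added example that is not part of this thread and not Cisco code: a small Python checker that takes a certificate in the dict shape `ssl.SSLSocket.getpeercert()` returns and reports whether it covers the VIP name and every member name a client can be redirected to, using RFC 6125 wildcard rules. The hostnames vpn.BUSINESS.com, asa1.BUSINESS.com and asa2.BUSINESS.com and the two sample certificates are constructed assumptions; the `fetch_peer_cert_der` helper is there to pull the certificate a live ASA really presents and needs network access.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). The hostnames are illustrative assumptions:
# vpn.BUSINESS.com is the load-balancer VIP name, asa1/asa2 are the members.
WILDCARD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "*.BUSINESS.com"),)),
    "subjectAltName": (("DNS", "*.BUSINESS.com"),),
}
DEVICE_CERT = {  # a per-device cert, like the one the ASA presented in the bug scenario
    "subject": ((("commonName", "asa1.BUSINESS.com"),),),
    "subjectAltName": (("DNS", "asa1.BUSINESS.com"),),
}
CLUSTER_NAMES = ["vpn.BUSINESS.com", "asa1.BUSINESS.com", "asa2.BUSINESS.com"]


def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, at most one wildcard, and only
    as the entire leftmost label ("*.BUSINESS.com" matches "asa1.BUSINESS.com"
    but not "BUSINESS.com", "a.b.BUSINESS.com", and "*.com" is never accepted)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and hlabels[0] != "" and plabels[1:] == hlabels[1:]


def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_names(cert))


def check_cluster(cert, names=CLUSTER_NAMES):
    """Map each name a client may land on (the VIP name plus every member the
    master can redirect to) onto whether the presented cert covers it."""
    return {name: cert_covers(cert, name) for name in names}


def fetch_peer_cert_der(host, port=443, timeout=5):
    """Grab the certificate a live ASA actually presents, as DER bytes, without
    trusting it. With verification off getpeercert() only yields the binary form;
    decode it with: openssl x509 -inform DER -noout -subject -ext subjectAltName
    Needs network access; not used by the offline checks above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("device", DEVICE_CERT)):
        print(label, check_cluster(cert))
```

Run it against the VIP name with SNI set to that name (as `fetch_peer_cert_der` does) and you see exactly what the original poster hit: a device cert covers its own member name only, while a single `*.BUSINESS.com` cert covers the VIP name and both members, which is why the alternative is one cert per name.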
