AnyConnect Always-on and certificate validation error
Hey guys. Hope that somebody has some input on this.
The customer uses AnyConnect Always-on. There is a public SSL certificate installed on the outside interface. They have machine certificates on their PCs. I have installed an identity certificate for the ASA, issued from the customer's internal certificate server. The connection profile is set up to validate the clients' certificates and user credentials.
When they connect they get the following error: No valid certificates available for authentication. (AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network). If I change the certificate located on the outside interface to the certificate issued by their internal certificate server, then there are no problems validating the certificate. The problem is for those who now use SSL clientless VPN: they will start getting certificate errors because the internal certificate is not publicly known.
If I do not enable Always-on, and the public certificate is on the outside interface, it can validate the client certificates fine. But if I enable Always-on again, it cannot validate the client certificates, except if I choose to put the private certificate on the outside interface???
My question is quite simple :-), is it not possible to have a public certificate on the outside interface, and still be able to validate client certificates issued from an internal certificate server when running AnyConnect Always-on??
By the way, we are running: ASA 9.1(2)8 and AnyConnect 3.1.04066-k9 on Windows machines.