Are you asking about a client certificate or an ASA certificate?
By default, the AnyConnect client connecting to an ASA validates the ASA's identity by checking the certificate that the firewall presents. There is a checkbox in the AnyConnect client settings to "Block connections to Untrusted servers". It is checked by default. When that box is checked, the client will not connect to an ASA with a self-signed certificate (that has not been imported in the client's trusted certificate store). You can either uncheck the box (if allowed by policy - not generally recommended as it then allows all certificates), import the ASA certificate into your trusted store, or get a certificate signed by a trusted root CA (public or otherwise).
Client certificates (if used) must also be issued by a certificate authority recognized by the ASA. I've not seen people use self-signed client certificates in a production environment as they have little backing validating them.
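The trust decision described in this answer, reproduced with the `openssl` CLI as an added example (not part of the original reply and not AnyConnect's own logic). The hostname, file names and the `client_decision` model of the "Block connections to Untrusted servers" checkbox are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: all certificates and names below are constructed for the demo.
WORK=$(mktemp -d)

# new_selfsigned NAME CN: key plus self-signed certificate (issuer == subject).
new_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_ca_signed NAME CN CA: key plus certificate issued by the CA named CA.
new_ca_signed() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -set_serial 1 \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -out "$WORK/$1.pem" 2>/dev/null
}

# is_self_issued CERT: true when subject and issuer names hash identically.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# trusted_by STORE CERT: true when CERT chains to a trust anchor in STORE.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# client_decision STORE CERT BLOCK: simplified model of the checkbox (yes|no).
client_decision() {
    if trusted_by "$1" "$2"; then echo connect
    elif [ "$3" = yes ]; then echo block
    else echo connect-unverified
    fi
}

new_selfsigned root "Demo Root CA"              # stands in for a trusted root
new_selfsigned asa-self "vpn.example.test"      # ASA with a self-signed cert
new_ca_signed asa-signed "vpn.example.test" root
cp "$WORK/root.pem" "$WORK/store-default.pem"   # store before any import
cat "$WORK/root.pem" "$WORK/asa-self.pem" > "$WORK/store-imported.pem"

for c in asa-self asa-signed; do
    for s in store-default store-imported; do
        echo "$c vs $s: $(client_decision "$WORK/$s.pem" "$WORK/$c.pem" yes)"
    done
done
```

Only the self-signed certificate checked against the store without the import is blocked; importing it or using the CA-signed certificate both yield `connect`.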