03-05-2012 10:44 AM - edited 02-21-2020 05:56 PM
I get the message "A secure connection with this site cannot be verified. Would you like to proceed? The certificate you are viewing does not match the name of the site you are trying to view. " when I open up Anyconnect client. I press yes to proceed and all is well but is there anyway to avoid this message. Thanks in advance.
03-09-2012 01:00 AM
Hi Frank,
In theory it could mean that someone is intercepting your DNS requests and redirecting you to another SSL gateway than the one you think you connect to.
In practice it usually means that you are connecting to e.g. "vpn.mycompany.com" but the certificate on the gateway does not have that name in its Subject or Alternate Subject fields.
So to avoid the message (and more importantly, to make sure you connect to the legitimate gateway), either connect to the name that is present in the certificate, or on the ASA replace the certificate with one that has the right name.
Let me know if you want to go in more detail.
hth
Herbert
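The rule in the reply above (the name you connect to must appear in the certificate) is exactly what the client evaluates before it shows that warning. The following Python is an added illustration, not AnyConnect or Cisco code: it implements the RFC 6125 name-matching rules for a certificate's Subject CN and SubjectAltName entries. "vpn.mycompany.com" is the reply's example name; "asa5520", "*.mycompany.com" and 203.0.113.10 are constructed test values.

```python
"""
Hostname check a TLS client performs on a gateway certificate.
Added illustration (not AnyConnect code); rules follow RFC 6125.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    common_name: Optional[str]                          # Subject CN
    san_dns: List[str] = field(default_factory=list)    # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)     # SAN iPAddress entries


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # reject '*', '*.com', 'v*n.example.com' and a wildcard spanning sub-domains
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: CertNames, requested: str) -> Tuple[bool, str]:
    """Does the name the user typed match the certificate?  Returns (ok, why)."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP is matched only against iPAddress SANs (assumption: a
        # strict client; some clients also accept an IP written into the CN)
        for san in cert.san_ip:
            if ipaddress.ip_address(san) == ip:
                return True, f"matches iPAddress SAN {san}"
        return False, "no iPAddress SAN equals the requested IP"
    if cert.san_dns:
        # Once a SAN extension is present the CN is ignored entirely
        for san in cert.san_dns:
            if _dns_matches(san, requested):
                return True, f"matches dNSName SAN {san}"
        return False, "SAN present but no dNSName matches; CN is not consulted"
    if cert.common_name and _dns_matches(cert.common_name, requested):
        return True, f"matches CN {cert.common_name} (legacy CN fallback)"
    return False, f"CN {cert.common_name!r} does not match and no SAN present"


if __name__ == "__main__":
    gateway = "vpn.mycompany.com"                      # name in the AnyConnect profile
    for cert in (CertNames("vpn.mycompany.com"),
                 CertNames("asa5520"),                 # hostname-only self-signed cert
                 CertNames("asa5520", san_dns=["*.mycompany.com"]),
                 CertNames("vpn.mycompany.com", san_dns=["other.example"])):
        ok, why = name_matches(cert, gateway)
        print("OK  " if ok else "WARN", why)
```

The fourth case is the one that surprises people: a certificate whose CN is correct still fails if it carries a SAN extension that does not list the name, so when you replace the ASA certificate make sure the FQDN is in the SAN, not only in the CN.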
09-21-2012 06:24 AM
I am having this same issue. Would you mind going a little deeper or pointing me in the direction on getting this resolved?
09-21-2012 06:50 AM
Hi Frank,
To do so, could you please provide the "show run ssl", "show run crypto ca trustpoint" and "show crypto ca certificate"?
Thanks.
Portu.
09-21-2012 07:00 AM
The show run ssl gave nothing back. Here are the others.
BHAddison5520# show run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=BHAddison5520
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn vpn.behringerharvard.com
subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
keypair vpn
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint thought
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
fqdn vpn.behringerharvard.com
subject-name CN=vpn.behringerharvard.com
keypair vpn
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
BHAddison5520# show crypto ca certificate
Certificate
Status: Available
Certificate Serial Number: 0e1a3750
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=vpn.behringerharvard.com
cn=vpn.behringerharvard.com
Subject Name:
hostname=vpn.behringerharvard.com
cn=vpn.behringerharvard.com
Validity Date:
start date: 12:31:18 CDT Sep 20 2012
end date: 12:31:18 CDT Sep 18 2022
Associated Trustpoints: ASDM_TrustPoint3
Certificate
Status: Available
Certificate Serial Number: c7f0894f
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Subject Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Validity Date:
start date: 09:09:12 CDT Apr 17 2012
end date: 09:09:12 CDT Apr 15 2022
Associated Trustpoints: ASDM_TrustPoint0
Certificate
Subject Name:
Name: vpn.behringerharvard.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: 270eaebd bce7a557 4f128bae b45deaa6
Associated Trustpoint: ASDM_TrustPoint1
BHAddison5520#
09-21-2012 07:33 AM
Hi,
Please add the following command:
ssl trustpoint ASDM_TrustPoint3 outside
Test again and let me know.
Thanks.
09-21-2012 10:47 AM
It did not like the Trustpoint3. It looks like the CN for the cert being sent by the ASA is for the IP of the ASA not the name.
09-21-2012 10:52 AM
I am not sure if someone changed something since the last time I posted but here is the sh run output again
BHAddison5520# sh run ssl
ssl trust-point ASDM_TrustPoint1 outside
BHAddison5520# sh run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=BHAddison5520
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn vpn.behringerharvard.com
subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
keypair vpn
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint thought
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
BHAddison5520#
BHAddison5520# sh crypto ca certificate
Certificate
Status: Available
Certificate Serial Number: c7f0894f
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Subject Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Validity Date:
start date: 09:09:12 CDT Apr 17 2012
end date: 09:09:12 CDT Apr 15 2022
Associated Trustpoints: ASDM_TrustPoint0
Certificate
Subject Name:
Name: vpn.behringerharvard.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: 270eaebd bce7a557 4f128bae b45deaa6
Associated Trustpoint: ASDM_TrustPoint1
BHAddison5520#
09-21-2012 11:19 AM
It looks like the ssl trustpoint got stuck.
Could you please remove the "ssl trust-point ASDM_TrustPoint1 outside" command?
Is there any chance to reload the ASA?
Thanks.
09-24-2012 07:07 AM
We will not be able to reload, this is a high-production system. I will take out the trustpoint and see what we get.
09-24-2012 07:11 AM
That did not work. When I look at the certificate being sent from the ASA it has the Internal IP Address of the ASA not the name. I also see this when I look at the certificate:
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
09-24-2012 07:25 AM
Hi,
It looks like the old certificate got stuck, that is the reason why I suggested the reboot.
So, you did not reboot it?
Thanks.
09-24-2012 07:41 AM
FWIW I agree that "ssl trustpoint ASDM_TrustPoint3 outside" should solve this problem.
When you say it did not like that, what do you mean exactly? Did you get an error?
Assuming trustpoint1 is not used, can you try to remove it altogether?
As for the untrusted root error - you will either have to get a "public" certificate from a trusted 3rd party CA (Verisign, Godaddy, etc.) OR you will need to import the ASA's self signed certificate into the trusted root store on each client.
hth
Herbert
09-24-2012 08:33 AM
OK, I am starting over here. I have got the Trustpoint3 setup properly it looks like. Here is the output from the show commands again.
BHAddison5520# sh run ssl
ssl trust-point ASDM_TrustPoint3 outside
BHAddison5520# sh run crypto ca trustpoint
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=BHAddison5520
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn vpn.behringerharvard.com
subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison
keypair vpn
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint thought
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
fqdn vpn.behringerharvard.com
subject-name CN=vpn.behringerharvard.com
keypair vpn
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
subject-name CN=vpn.behringerharvard.com,O=Behringer Harvard Holdings LLC,C=US
keypair vpn
crl configure
BHAddison5520# sh crypto certifi
BHAddison5520# sh crypto ca cert
BHAddison5520# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 0f1a3750
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=vpn.behringerharvard.com
cn=vpn.behringerharvard.com
Subject Name:
hostname=vpn.behringerharvard.com
cn=vpn.behringerharvard.com
Validity Date:
start date: 10:13:08 CDT Sep 24 2012
end date: 10:13:08 CDT Sep 22 2022
Associated Trustpoints: ASDM_TrustPoint3
Certificate
Status: Available
Certificate Serial Number: c7f0894f
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Subject Name:
hostname=BHAddison5520.bh.com
cn=BHAddison5520
Validity Date:
start date: 09:09:12 CDT Apr 17 2012
end date: 09:09:12 CDT Apr 15 2022
Associated Trustpoints: ASDM_TrustPoint0
Certificate
Subject Name:
Name: vpn.behringerharvard.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: 270eaebd bce7a557 4f128bae b45deaa6
Associated Trustpoint: ASDM_TrustPoint1
Certificate
Subject Name:
Name: BHAddison5520.bh.com
Status: Pending terminal enrollment
Key Usage: General Purpose
Fingerprint: eb5145d7 082ce963 011d7547 79adbbee
Associated Trustpoint: ASDM_TrustPoint5
When I connect, the certificate that is being served to the clients has the outside IP on it for the CN, instead of the one I have issued for the name vpn.behringerharvard.com.
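The three show outputs pasted in this thread contain everything needed to predict what clients will see: which trustpoint is bound to the interface, whether that trustpoint actually holds an Available certificate (as opposed to one still "Pending terminal enrollment"), and what name that certificate carries. The Python below is an added example, not Cisco code, that parses text in the format of "show run ssl" and "show crypto ca certificates" and reports the served CN and the warnings to expect. SHOW_CERTS is a constructed sample trimmed from the output pasted above; the observation that a trustpoint with no usable certificate leaves the ASA presenting its default self-signed, IP-named certificate is what the posts above report.

```python
"""
Audit of which certificate an ASA presents on an interface, using the format of
the 'show run ssl' / 'show crypto ca certificates' output pasted in this thread.
Added example, not Cisco code; SHOW_CERTS is a constructed sample trimmed from the paste.
"""
import re

SHOW_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number: 0f1a3750
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Subject Name:
    hostname=vpn.behringerharvard.com
    cn=vpn.behringerharvard.com
  Associated Trustpoints: ASDM_TrustPoint3
Certificate
  Status: Available
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Subject Name:
    hostname=BHAddison5520.bh.com
    cn=BHAddison5520
  Associated Trustpoints: ASDM_TrustPoint0
Certificate
  Subject Name:
    Name: vpn.behringerharvard.com
  Status: Pending terminal enrollment
  Associated Trustpoint: ASDM_TrustPoint1
"""


def parse_ssl_trustpoints(run_ssl):
    """'ssl trust-point <TP> <interface>' lines -> {interface: trustpoint}."""
    pairs = re.findall(r"^\s*ssl trust-?point\s+(\S+)\s+(\S+)", run_ssl, re.M)
    return {iface: tp for tp, iface in pairs}


def parse_certificates(show_cert):
    """Split 'show crypto ca certificates' output into one dict per certificate."""
    certs, cur, section = [], None, None
    for raw in show_cert.splitlines():
        line = raw.strip()
        if line == "Certificate":
            cur = {"status": None, "serial": None, "key_bits": None, "issuer": {}, "subject": {}, "trustpoints": []}
            certs.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line.startswith("Issuer Name:"):
            section = "issuer"
        elif line.startswith("Subject Name:"):
            section = "subject"
        elif section and "=" in line:                     # hostname=..., cn=...
            k, v = line.split("=", 1)
            cur[section][k.strip().lower()] = v.strip()
        elif section == "subject" and line.startswith("Name:"):
            cur["subject"]["cn"] = line.split(":", 1)[1].strip()   # pending-enrollment form
        else:                                             # any other field ends the name block
            section = None
            key, _, val = line.partition(":")
            if key == "Status":
                cur["status"] = val.strip()
            elif key == "Certificate Serial Number":
                cur["serial"] = val.strip()
            elif key.startswith("Associated Trustpoint"):
                cur["trustpoints"] = val.split()
            elif key == "Public Key Type" and "bits" in val:
                cur["key_bits"] = int(re.search(r"\((\d+) bits\)", val).group(1))
    return certs


def audit(run_ssl, show_cert, interface, expected_fqdn):
    """What will a client connecting to expected_fqdn on <interface> see?"""
    tp = parse_ssl_trustpoints(run_ssl).get(interface)
    report = {"trustpoint": tp, "served_cn": None, "name_matches": False, "findings": []}
    usable = [c for c in parse_certificates(show_cert) if tp in c["trustpoints"] and c["status"] == "Available"]
    if not usable:
        # No bound trustpoint, or one whose enrollment never completed: the ASA has
        # nothing to serve from it and presents its default self-signed certificate
        report["findings"].append(f"{tp or 'no trustpoint'} bound to {interface} has no Available certificate")
        return report
    cert = usable[0]
    cn = cert["subject"].get("cn", "")
    report["served_cn"], report["name_matches"] = cn, cn.lower() == expected_fqdn.lower()
    if not report["name_matches"]:
        report["findings"].append(f"subject CN {cn!r} != {expected_fqdn}: clients will show a name-mismatch warning")
    if cert["issuer"] == cert["subject"]:
        report["findings"].append("self-signed: untrusted-root warning unless clients import it or a public CA issues it")
    if cert["key_bits"] and cert["key_bits"] < 2048:
        report["findings"].append(f"{cert['key_bits']}-bit RSA key: regenerate a 2048-bit keypair")
    return report


if __name__ == "__main__":
    for run_ssl in ("ssl trust-point ASDM_TrustPoint3 outside", "ssl trust-point ASDM_TrustPoint1 outside"):
        print(audit(run_ssl, SHOW_CERTS, "outside", "vpn.behringerharvard.com"))
```

Running it against the thread's own state explains the two symptoms reported: with ASDM_TrustPoint1 bound (enrollment still pending) there is no usable certificate, so the default IP-named certificate is what clients get; with ASDM_TrustPoint3 bound the name now matches, and the only remaining warning is the untrusted self-signed root, which is Herbert's point about a public CA or importing the certificate on each client.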
09-24-2012 08:40 AM
Hi,
Please do the following:
1- no ssl trustpoint ASDM_TrustPoint3 outside
2- webvpn
no enable outside
exit
3- ssl trustpoint ASDM_TrustPoint3 outside
4- webvpn
enable outside
Let me know.
Thanks.
Portu.