Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

anyconnect vpn client v 2.5.1025 certificate warning

I get the message "A secure connection with this site cannot be verified. Would you like to proceed?  The certificate you are viewing does not match the name of the site you are trying to view. "  when I open up Anyconnect client.  I press yes to proceed and all is well but is there anyway to avoid this message.  Thanks in advance.

16 REPLIES
Cisco Employee

anyconnect vpn client v 2.5.1025 certificate warning

Hi Frank,

In theory it could mean that someone is intercepting your DNS requests and redirecting you to another SSL gateway than the one you think you connect to.

In practice it usually means that you are connecting to e.g. "vpn.mycompany.com" but the certificate on the gateway does not have that name in it's Subject or Alternate Subject fields.

So to avoid the message (and more importantly, to make sure you connect to the legitimate gateway), either connect to the name that is present in the certificate, or on the ASA replace the certificate with one that has the right name.

Let me know if you want to go in more detail.

hth

Herbert

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

I am having this same issue. Would you mind going a little deeper or pointing me in the direction on getting this resolved?

anyconnect vpn client v 2.5.1025 certificate warning

Hi Frank,

To do so, could you please provide the "show run ssl", "show run crypto ca trustpoint" and "show crypto ca certificate"?

Thanks.

Portu.

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

The sho run ssl gave nothing back. Here are the others.

BHAddison5520# show run crypto ca trustpoint

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=BHAddison5520

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn vpn.behringerharvard.com

subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison

keypair vpn

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment terminal

crl configure

crypto ca trustpoint thought

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment self

fqdn vpn.behringerharvard.com

subject-name CN=vpn.behringerharvard.com

keypair vpn

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

BHAddison5520# show crypto ca certificate

Certificate

  Status: Available

  Certificate Serial Number: 0e1a3750

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=vpn.behringerharvard.com

    cn=vpn.behringerharvard.com

  Subject Name:

    hostname=vpn.behringerharvard.com

    cn=vpn.behringerharvard.com

  Validity Date:

    start date: 12:31:18 CDT Sep 20 2012

    end   date: 12:31:18 CDT Sep 18 2022

  Associated Trustpoints: ASDM_TrustPoint3

Certificate

  Status: Available

  Certificate Serial Number: c7f0894f

  Certificate Usage: Signature

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Subject Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Validity Date:

    start date: 09:09:12 CDT Apr 17 2012

    end   date: 09:09:12 CDT Apr 15 2022

  Associated Trustpoints: ASDM_TrustPoint0

Certificate

  Subject Name:

    Name: vpn.behringerharvard.com

  Status: Pending terminal enrollment

  Key Usage: General Purpose

  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6

  Associated Trustpoint: ASDM_TrustPoint1

BHAddison5520#

anyconnect vpn client v 2.5.1025 certificate warning

Hi,

Please add the following command:

ssl trustpoint ASDM_TrustPoint3 outside

Test again and let me know.

Thanks.

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

It didnot like the Trustpoint3. It looks like the CN for the cert being sent by the ASA is for the IP of the ASA not the name.

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

I am not sure if someone changed something since the last time I posted but here is the sh run outpits again

BHAddison5520# sh run ssl

ssl trust-point ASDM_TrustPoint1 outside

BHAddison5520# sh run crypto ca trustpoint

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=BHAddison5520

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn vpn.behringerharvard.com

subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison

keypair vpn

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment terminal

crl configure

crypto ca trustpoint thought

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

BHAddison5520#

BHAddison5520# sh crypto ca certificate

Certificate

  Status: Available

  Certificate Serial Number: c7f0894f

  Certificate Usage: Signature

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Subject Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Validity Date:

    start date: 09:09:12 CDT Apr 17 2012

    end   date: 09:09:12 CDT Apr 15 2022

  Associated Trustpoints: ASDM_TrustPoint0

Certificate

  Subject Name:

    Name: vpn.behringerharvard.com

  Status: Pending terminal enrollment

  Key Usage: General Purpose

  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6

  Associated Trustpoint: ASDM_TrustPoint1

BHAddison5520#

anyconnect vpn client v 2.5.1025 certificate warning

It looks like the ssl trustpoint got stuck.

Could you please remove the "ssl trust-point ASDM_TrustPoint1 outside" command?

Is there any chance to reload the ASA?

Thanks.

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

We will not be able to reload, this is a high-production system. I will take out the trustpoint and see what we get.

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

That did not work. When I look at the certificate being sent from the ASA it has the Internal IP Address of the ASA not the name. I also see this when I look at the certificate,

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

anyconnect vpn client v 2.5.1025 certificate warning

Hi,

It looks like the old certificate got stuck, that is the reason why I suggested the reboot.

So, you did not reboot it?

Thanks.

Cisco Employee

anyconnect vpn client v 2.5.1025 certificate warning

FWIW I agree that "ssl trustpoint ASDM_TrustPoint3 outside" should solve this problem.

When you say it did not like that, what do you mean exactly? Did you get an error?

Assuming trustpoint1 is not used, can you try to remove it altogether?

As for the untrusted root error - you will either have to get a "public" certififcate from a trusted 3rd party CA (Verisign, Godaddy, etc.) OR you will need to import the ASA's self signed certificate into the trusted root store on each client.

hth

Herbert

Community Member

anyconnect vpn client v 2.5.1025 certificate warning

OK, I am starting over here. I have got the Trustpoint3 setup properly it looks like. Here is the output from the show commands again.

BHAddison5520# sh run ssl

ssl trust-point ASDM_TrustPoint3 outside

BHAddison5520# sh run crypto ca trustpoint

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=BHAddison5520

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn vpn.behringerharvard.com

subject-name CN=vpn.behringerharvard.com,OU=Employees,O=Behringer Harvard Holdings LLC,C=US,St=Texas,L=Addison

keypair vpn

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment terminal

crl configure

crypto ca trustpoint thought

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment self

fqdn vpn.behringerharvard.com

subject-name CN=vpn.behringerharvard.com

keypair vpn

proxy-ldc-issuer

crl configure

crypto ca trustpoint ASDM_TrustPoint5

enrollment terminal

subject-name CN=vpn.behringerharvard.com,O=Behringer Harvard Holdings LLC,C=US

keypair vpn

crl configure

BHAddison5520# sh crypto certifi

BHAddison5520# sh crypto ca cert

BHAddison5520# sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 0f1a3750

  Certificate Usage: Signature

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=vpn.behringerharvard.com

    cn=vpn.behringerharvard.com

  Subject Name:

    hostname=vpn.behringerharvard.com

    cn=vpn.behringerharvard.com

  Validity Date:

    start date: 10:13:08 CDT Sep 24 2012

    end   date: 10:13:08 CDT Sep 22 2022

  Associated Trustpoints: ASDM_TrustPoint3

Certificate

  Status: Available

  Certificate Serial Number: c7f0894f

  Certificate Usage: Signature

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Subject Name:

    hostname=BHAddison5520.bh.com

    cn=BHAddison5520

  Validity Date:

    start date: 09:09:12 CDT Apr 17 2012

    end   date: 09:09:12 CDT Apr 15 2022

  Associated Trustpoints: ASDM_TrustPoint0

Certificate

  Subject Name:

    Name: vpn.behringerharvard.com

  Status: Pending terminal enrollment

  Key Usage: General Purpose

  Fingerprint:  270eaebd bce7a557 4f128bae b45deaa6

  Associated Trustpoint: ASDM_TrustPoint1

Certificate

  Subject Name:

    Name: BHAddison5520.bh.com

  Status: Pending terminal enrollment

  Key Usage: General Purpose

  Fingerprint:  eb5145d7 082ce963 011d7547 79adbbee

  Associated Trustpoint: ASDM_TrustPoint5

When I connect the certficate that is being served to the clients has the outside IP on it for the CN, instead of the one I have issued for the name vpn.behringerharvard.com.

anyconnect vpn client v 2.5.1025 certificate warning

Hi,

Please do the following:

1- no ssl trustpoint ASDM_TrustPoint3 outside

2- webvpn

     no enable outside

     exit

3- ssl trustpoint ASDM_TrustPoint3 outside

4- webpvn

     enable outside

Let me know.

Thanks.

Portu.

2220
Views
20
Helpful
16
Replies
CreatePlease to create content