Cisco Support Community

ASA5500 Certificates for IPsec vpn remote access?


We're using ASA5500 as remote access vpn concentrators.

I've built an infrastructure with two HA pops on different ip addresses and a shared license server with 5000 AnyConnect licenses.

Up to now we have been using the old IPsec vpn client and it works faultlessly.

Obviously we need to plan migration to the AnyConnect client, and this is where I have hit one or two issues and have some questions.

1. Early stage client authentication requires a certificate installed on the ASA.

    Now you can self-generate, but with our corporate policy I have to use a Verisign cert.

    I notice that the certs are not automatically replicated in a HA pair, so fair enough I need to fail-over and install on the active ASA.

    Can I use the same certificate on all ASAs?

    Even though they have different IP addresses on each pop?

2. I have AnyConnect connecting successfully on one of the pops ... no problems.

   But on the alternate pop we get through user authentication ok, then the client decides to disconnect. There are no logs on either the ASA or the client to indicate any error for this disconnection ... only "client disconnects". Any suggestions what the problem could be?

3. We intend to use the posture module to check for V-scan and Intrusion-protection (McAfee Enterprise).

    When I enable the posture checking on the ASA the client fails to connect, the client reports the posture module has failed.

    I'm wondering if McAfee or an AD policy is preventing the module from running or completing ... is this something anyone has come across?

    If I were to challenge the McAfee / AD teams, what would I ask them to permit on the client machines?

Just a couple of questions ... hopefully someone can tell me I've done something daft and point me in the right direction :-)
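Added illustration for question 1 (this is not part of the poster's message and not Cisco's code or documentation): a VPN client validates the server certificate against the name or address it was told to connect to, not against anything tied to the ASA hardware, so one certificate can serve every pop as long as its Subject Alternative Name lists each pop's FQDN (or literal IP, if clients connect by address). The script below takes a constructed list of SAN entries and a constructed set of per-pop connection targets and reports which targets that certificate would validate for; all hostnames and addresses are placeholders, and the matching rules follow the usual RFC 6125 conventions (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label, and IP literals matched only against iPAddress entries).

```python
import ipaddress

# Constructed sample: the dNSName and iPAddress entries a single certificate's
# Subject Alternative Name extension might carry. Placeholders, not real names.
SAN_DNS = ["vpn-pop1.example.com", "vpn-pop2.example.com", "*.vpn.example.com"]
SAN_IP = ["198.51.100.10", "203.0.113.10"]

# Constructed sample: what the client is pointed at for each pop (profile
# server entry or typed hostname). Placeholders.
POP_TARGETS = {
    "pop1": "vpn-pop1.example.com",   # exact dNSName match
    "pop2": "203.0.113.10",           # client connects by IP; needs an iPAddress entry
    "lab": "test.vpn.example.com",    # covered by the wildcard entry
    "bad": "vpn-pop3.example.com",    # a third pop nobody put in the SAN
}


def dns_matches(pattern, hostname):
    """RFC 6125-style comparison of one dNSName entry against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and it must sit below at
    # least two fixed labels (so "*.com" is rejected).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # The wildcard matches exactly one label, never several.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def ip_matches(san_ips, target):
    """Compare an IP-literal target against the iPAddress SAN entries."""
    if not is_ip_literal(target):
        return False
    addr = ipaddress.ip_address(target)
    return any(addr == ipaddress.ip_address(s) for s in san_ips)


def covered_by(san_dns, san_ip, target):
    """True when a certificate carrying these SAN entries validates for a
    client connecting to `target` (hostname or IP literal)."""
    if is_ip_literal(target):
        # An IP literal is never compared against dNSName entries.
        return ip_matches(san_ip, target)
    return any(dns_matches(p, target) for p in san_dns)


def coverage_report(san_dns, san_ip, targets):
    """Map each pop label to whether the certificate covers its target."""
    return {name: covered_by(san_dns, san_ip, t) for name, t in targets.items()}


if __name__ == "__main__":
    report = coverage_report(SAN_DNS, SAN_IP, POP_TARGETS)
    for name, ok in report.items():
        state = "covered" if ok else "NOT covered"
        print(f"{name:5s} {POP_TARGETS[name]:26s} {state}")
```

Run it against the real certificate by replacing the two SAN lists with the entries shown by the ASA (or by any certificate viewer) and the targets with the names in the AnyConnect profile; a "NOT covered" line is the pop where clients will see a name-mismatch warning or refuse to connect.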
