Cisco AnyConnect Secure Mobility Client selecting wrong certificate at startup
I have a problem that is driving me nuts.
Here is the pertinent information first...
Cisco AnyConnect Secure Mobility Client 3.0.4235
Cisco ASA 5510 firewall 8.2
The problem is..
...When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message. If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem.
Unfortunately, the certificate it selects has nothing to do with my organization (in fact, the certificate is for "*.whitepages.com" - see images). To make matters worse, I cannot find this referenced certificate anywhere under my user context in Windows.
I have tried removing, rebooting, and re-installing - it does no good.
How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization?
I have the same issue, almost exactly - the only difference is that I am using version 2.5.3055 of the AnyConnect client.
When I try to connect to my VPN, I get the same *.whitepages.com certificate coming up, and whether I accept, decline or cancel, I am unable to connect. I CAN connect if I access my VPN using the webvpn link.
Hopefully someone finds a solution for this, because I have a lot of users that connect to my VPN.
The issue does not seem to be with the user certificate, it seems to be with the site certificate. When I open the AnyConnect client, I have it set to ask which certificate to use. I select my certificate, but it is after that point where the error occurs, as if my ASA is sending out the *.whitepages.com certificate.
I have not made any changes to my certificates since February, and this issue only began on May 4th.
The *.whitepages certificate has come back. It still only happens when I try to connect to my gateway by FQDN. If I use IP address, I don't have this problem. I have not been able to find any other person who is experiencing this issue, but it's strange that we would both be having the problem with the same certificate name.
I have almost the exact same issue. What I think happens is that the AnyConnect client lists the certificates that are in the user certificate store of the Windows 7 machine. Unfortunately it does display the already installed user certificate from the ASA. I got around this issue by adding Certificate Matching to my client Profile. I used the ISSUER-CN for matching. And now it works smoothly.
I've come across this issue also. I've put in values for Certificate Matching BUT it only applies AFTER the first login attempt. So the first login attempt, it will use the wrong cert, user logs out, then on the second login attempt it reads the newly downloaded connection profile, identifies the certificate matching value, and then denies the login unless the proper certificate is in place.
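One way to check the FQDN-versus-IP difference reported in the posts above (an added example, not code from any poster or from Cisco): it records what the local resolver returns for the gateway name and compares the leaf certificate presented when connecting by name with the one presented when connecting to the known gateway address. The function names and result labels are assumptions made for this sketch, and the name and address are supplied by the operator on the command line.

```python
import hashlib
import socket
import ssl
import sys


def resolve(fqdn, port=443):
    """Return the sorted addresses the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def leaf_fingerprint(connect_to, sni=None, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate presented by connect_to:port.

    Verification is disabled on purpose: the goal is to record what is
    presented, including a certificate that should not be there.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_to, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def diagnose(expected_ip, resolved_ips, fp_via_name, fp_via_ip):
    """Classify the observations (labels are this sketch's own)."""
    if expected_ip not in resolved_ips:
        # The name does not lead to the gateway at all: look at DNS,
        # hosts files and proxy settings before touching the ASA.
        return "dns-mismatch"
    if fp_via_name != fp_via_ip:
        # Same address, different certificate depending on how it is
        # reached: look at trustpoint bindings or a device in the path.
        return "cert-differs-on-same-host"
    return "consistent"


if __name__ == "__main__":
    fqdn, expected_ip = sys.argv[1], sys.argv[2]
    ips = resolve(fqdn)
    by_name = leaf_fingerprint(fqdn, sni=fqdn)
    by_ip = leaf_fingerprint(expected_ip)
    print("resolved:", ips)
    print("via name:", by_name)
    print("via ip:  ", by_ip)
    print("result:  ", diagnose(expected_ip, ips, by_name, by_ip))
```

Run it from an affected client and again from a machine on a different network. A gateway that only offers TLS versions or ciphers the local OpenSSL build refuses will fail the handshake, which this sketch does not work around.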