Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FQDN name in AnyConnect client

Hi,

I was done testing my setup (everything worked) and i bought a 3rd party certificate from a commercial CA. After installing a the certificate on the ASA and adding a A-record on my domain i tried connecting the AnyConnect client with the FQDN of the ASA:

vpn01.domain.com

Everything works fine and there are no errors during the connection.

The second time i try to connect the AnyConnect client shows the following in the "Connect to:" field:

vpn01 (IPsec)

After doing the second connection i get an ssl error stating that there is a mismatch between the hostname i am connecting to and the hostname in the certificate. My thoughts is that it is using "vpn01" as the hostname for the ASA during connection.

Does anyone know why this happens and how i can get the AnyConnect client to show the FQDN in the "Connect to:" field?

If i change the text from "vpn01 (IPsec)" to "vpn01.domain.com" manually, the error is not dislayed during and everything works fine.

Best Regards,

Kenneth

5 REPLIES
Cisco Employee

FQDN name in AnyConnect client

Kenneth,

First time you connect you have not yet downloaded the profile.

Please check what values you have provided as hostname/hostaddress in profile.

Typically  you can remove the profile and re-try connection.

ANyconnect stores profile here:

Alos the name could have been already pushed to local preferences, it might not be upated (staright away) even if profile is :-)

Marcin

New Member

FQDN name in AnyConnect client

Hi Marcin :-)

I realized that the client profile was downloaded from the ASA during the connection. I downloaded the "VPN_Client_Profile.xml file from the ASA and had a look at it in an editor:

The xml file on the ASA has "vpn01 (IPsec)" in the "HostName" section above. I tried to delete all ssl certificates on the ASA, i revoked my 3rd party certificate and did everything all over again. I deleted the xml file and the connection profile and set up a new one. The certificate i am using when creating the connection profile is the 3rd party certificate and it does not contain the hostname "vpn01" only the FQDN "vpn01.domain.com".

I guess i am trying to find out where the ASA gets the "HostName" value from when creating the profile. I read an article that said the box has an internal certificate wich changes at every boot, perhaps this certificate is used during the creation of the xml file, but i am really guessing here.

I can only see 1 certificate on the box, and that is the valid one. Where the "vpn01" hostname gets from i don't know.

is it possible to change the internal certificate (if there is such a thing) so it will use my 3rd party certificate for all services?

Kenneth

Cisco Employee

FQDN name in AnyConnect client

Kenneth,

I don't have a AC installed here, but.

  should have value of "vpn01.domain.com" not "vpn01 (IPsec)"

Ditch the HostAddress - you don't need it normally.

check(AFAIR) preferences_global ... file, you might need to remove it (change name).

Marcin

New Member

FQDN name in AnyConnect client

Don't know if i quite got your point Mr Marcin :-), but i:

Uninstalled the AnyConnect client

Deleted all files and folders under:

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\

And

C:\Users\MyUsername\AppData\Local\Cisco\Cisco AnyConnect VPN Client\

Downloaded the "connection_profile_called_something.xml" file from the ASA, changed "vpn01 (IPsec)" to "vpn01.domain.com" in notepad and uploaded the file again.

Everything works fine now, i have verified this with another client machine who had the problem.

I dont know wich one of the above that did the trick.

Another strange thing is that the:

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\connection_profile_called_something.xml file still has the following entry:

vpn01 (IPsec)

On change i noticed though that was different earlier is that the preference.xml file now contains this information:

(C:\Users\MyUsername\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml)

vpn01.domain.com My Connection Profile Name

Earlier it had a "vpn01 (ipsec)" entry wich is gone now.

Things are finally ready for production!

Have a grat weekend Marcin, and thank you for replying

K

Cisco Employee

FQDN name in AnyConnect client

K,

Glad it's working. :-)

I'm keeping to my side of the story, hostname should ba DNS name to avoid problems.

You should edit the certificate on the ASA where it's downloaded from to avoid problems on new machines.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac13vpnxmlref.html

That's at least my experience. If it works for you, I'm happy :-)

Marcin

1746
Views
0
Helpful
5
Replies
CreatePlease to create content