I was done testing my setup (everything worked) and I bought a 3rd party certificate from a commercial CA. After installing the certificate on the ASA and adding an A record on my domain, I tried connecting the AnyConnect client with the FQDN of the ASA:
Everything works fine and there are no errors during the connection.
The second time I try to connect, the AnyConnect client shows the following in the "Connect to:" field:
After doing the second connection I get an SSL error stating that there is a mismatch between the hostname I am connecting to and the hostname in the certificate. My thought is that it is using "vpn01" as the hostname for the ASA during connection.
Does anyone know why this happens and how I can get the AnyConnect client to show the FQDN in the "Connect to:" field?
If I change the text from "vpn01 (IPsec)" to "vpn01.domain.com" manually, the error is not displayed during the connection and everything works fine.
I realized that the client profile was downloaded from the ASA during the connection. I downloaded the "VPN_Client_Profile.xml" file from the ASA and had a look at it in an editor:
The XML file on the ASA has "vpn01 (IPsec)" in the "HostName" section above. I tried to delete all SSL certificates on the ASA, I revoked my 3rd party certificate and did everything all over again. I deleted the XML file and the connection profile and set up a new one. The certificate I am using when creating the connection profile is the 3rd party certificate and it does not contain the hostname "vpn01", only the FQDN "vpn01.domain.com".
I guess I am trying to find out where the ASA gets the "HostName" value from when creating the profile. I read an article that said the box has an internal certificate which changes at every boot; perhaps this certificate is used during the creation of the XML file, but I am really guessing here.
I can only see 1 certificate on the box, and that is the valid one. Where the "vpn01" hostname comes from, I don't know.
Is it possible to change the internal certificate (if there is such a thing) so it will use my 3rd party certificate for all services?
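An added example, not part of the original post: a Python check that reads a client profile's server list and reports entries whose connect target is not a name in the certificate. The sample XML is constructed, and the `HostEntry`/`HostAddress` element names and the rule that the client connects to `HostAddress` when present and otherwise to `HostName` are assumptions about the AnyConnect profile format, not taken from the poster's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not the poster's file). Element names are an
# assumption about the AnyConnect profile server-list layout.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn01 (IPsec)</HostName>
    </HostEntry>
    <HostEntry>
      <HostName>Office VPN</HostName>
      <HostAddress>vpn01.domain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def name_matches(host, pattern):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern


def audit_profile(xml_text, cert_names):
    """Return (display name, connect target, covered by certificate?)."""
    findings = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        display = fields.get("HostName", "")
        # Assumed client behaviour: HostAddress wins, else HostName is used.
        target = fields.get("HostAddress") or display
        covered = any(name_matches(target, n) for n in cert_names)
        findings.append((display, target, covered))
    return findings


if __name__ == "__main__":
    for display, target, ok in audit_profile(SAMPLE_PROFILE, ["vpn01.domain.com"]):
        print(f"{display!r} -> {target!r}: {'ok' if ok else 'NAME MISMATCH'}")
```
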