Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Secure Mobility Client assistance; Untrusted Cert issues

Hello,

I've got an ASA5505 running on version 9.0(2) and am trying to set up AnyConnect for VPN access.

When I use Secure Mobility Client and try connecting to the VPN, I get an alert saying:

Security Warning: Untrusted VPN Server Certificate!  AnyConnect cannot verify the VPN server: XXX.XXX.XX.XX

Certifiate does not match the server name

Certificate is from an untrusted source.

Certificate is not identified for this purpose.

I'm using DynDNS service to register my IP address in the public domain, and that seems to be operational. Do I need to set my ASA's hostname and domain to match the DNS entry? For example, hostname xyz domain 123.net for the DNS entry xyz.123.net.

I'm also using self-signed certificates with 2048 modulus. Is this the problem? I realize it's the cause of the 'untrusted source' error, but I'm not sure about the other two.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Secure Mobility Client assistance; Untrusted Cert issues

Your self-signed certificate will have embedded whatever hostname and domain were in place at the time it was created. If your clients access the VPN gateway using its DNS name, the certificate should match the DNS name to avoid the "does not match" error.

The "untrusted" error can be fixed by importing the certificate into the client's trusted root CA store.

I'm not positive about the last one. Sounds like something wrong with the certificate itself - perhaps some options chosen when it was created.

4 REPLIES
Hall of Fame Super Silver

Secure Mobility Client assistance; Untrusted Cert issues

Your self-signed certificate will have embedded whatever hostname and domain were in place at the time it was created. If your clients access the VPN gateway using its DNS name, the certificate should match the DNS name to avoid the "does not match" error.

The "untrusted" error can be fixed by importing the certificate into the client's trusted root CA store.

I'm not positive about the last one. Sounds like something wrong with the certificate itself - perhaps some options chosen when it was created.

New Member

Secure Mobility Client assistance; Untrusted Cert issues

First two issues have been removed. I had the CN wrong and needed to do the import..though the import was a little tricky.

The third issue still remains.. I have no idea. Could it be the 'general-keys' option that is used when creating the rsa key?

New Member

Secure Mobility Client assistance; Untrusted Cert issues

Alright, third issue is now gone and I can connect to the VPN.

While I was experimenting/troubleshooting before making this thread I tried using port 4443 for the webvpn settings.. I changed those back to 443 and the problems went away.

Thanks anyways for the assist, Marvin!

Hall of Fame Super Silver

Secure Mobility Client assistance; Untrusted Cert issues

You're welcome. Thanks for the rating.

I was about to post that the configuration guideline says "You can generate a general purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose."

It can be confusing when you are changing one thing after another to get everything working as desired to be meticulous and undo every change that didn't fix things.


2042
Views
0
Helpful
4
Replies
CreatePlease to create content