Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Untrusted VPN Server Blocked after a reload

Hi

I have an ASA5510 in failover, after a reload, a message "Untrusted VPN Server Blocked" appears after the first attempt to connect to the VPN, if we uncheck the "Block connections to untrusted servers" in preference settings the profile is updated and the connection is successful.

If I disconnect the VPN and try again it appears another profile.

I try this step for another link, but the result is the same for me

Try the following steps,

1.  Click on Anyconnect Client profile

2.  Edit Anyconnect_Group profile

3.  Edit Server list

4. Add or Edit the hostname (You will see IP address, however, your cert is URL address ) So you have to add it or delete the IP address and keep URL )

5. Host display: Remote.exmaple.com and FQDN: Remote.example.com

** Your cert that you applied for the interface must match the URL otherwise it won't work. So you can make your Cert

(( *.example.com )) and it should match any URL you give

Does anyone knows what could be the cause of this problem?

Regards

5 REPLIES
Cisco Employee

Untrusted VPN Server Blocked after a reload

Ricardo,

it sounds like you don't have a certificate installed on the ASA, so the ASA uses a non-persistent self-signed certificate.

This doc explains how to create a persistent self-signed certificate:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Better still would be to purchase a 'real' certificate from a 3rd party CA, the doc below has more details on how to do this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

hth

Herbert

New Member

Untrusted VPN Server Blocked after a reload

Thanks Herbert, the certificate was reinslalled and now is ok.

Regards

New Member

Dear Herbert,

Dear Herbert,

I have the same problem, but we bought an cert with go daddy. my problem is the message on ANY Connect. the certificate already are installed, but the message persist on client.

Cisco Employee

Hi,

Hi,

first of all can you please check the second document that I mentioned, and double-check steps 11 and 12, and maybe use the "Verify" section to double-check that everything is configured correctly.

If you still have a problem, please either open a TAC case (if you have a support contract) or post the results of the commands in the "Verify" section here (but please make sure to obscure any sensitive data in the output).

hth

Herbert

New Member

Dear Helbert,

Dear Helbert,

Speaking with other Engineer, tell me that Cisco Any connect keep the last cert, how we change this cert, the client don't recognise the new cert until to install new one.

Best Regards,

FA.

12855
Views
0
Helpful
5
Replies