Cisco ASA AnyConnect SSL VPN - Certificate Issues
I have two Cisco ASA 5510’s running in an active/standby configuration. Everything has been working correctly except SSL VPN connections through the AnyConnect client.
A SSL certificate from a third party is being used to verify these connections. At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address. (There is a NAT to its inside address)
To sum it up, the server on the inside is an Exchange server and is being accessed for OWA. Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass. For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections. When this happens, of course the user receives a certificate error, and is prompted to continue.
This does not happen every time. At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access. There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
A SSL certificate from a third party is being used to verify these connections. At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address. (There is a NAT to its inside address)
To sum it up, the server on the inside is an Exchange server and is being accessed for OWA. Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass. For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections. When this happens, of course the user receives a certificate error, and is prompted to continue.
This does not happen every time. At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access. There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
That explains it. I did not know that, but no big deal. It wasn't that bad to reconfigure it and the problem is resolved. Thanks for the info.
ASKER
Reboot and reconfigure AnyConnect setup
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Can you also post a suitably sanitised copy of the config.
To sanitise the config is to use search and replace in a text editor to replace the first two octets of any external IP addresses and replace any usernames and passwords with <redacted>.
Depending on your internal network numbering, replace the first two octets of external addresses with 10.<1-255>, 192.168 or 172.16.
Please do not replace IP addresses with xxx.xxx.xxx.xxx or similar as it then makes confirming the NAT rules and ACLs rather "difficult"...