Cisco ASA AnyConnect SSL VPN - Certificate Issues

dennisallen used Ask the Experts™
I have two Cisco ASA 5510’s running in an active/standby configuration.  Everything has been working correctly except SSL VPN connections through the AnyConnect client.
A SSL certificate from a third party is being used to verify these connections.  At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address.  (There is a NAT to its inside address)

To sum it up, the server on the inside is an Exchange server and is being accessed for OWA.  Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass.  For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections.  When this happens, of course the user receives a certificate error, and is prompted to continue.

This does not happen every time.  At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access.  There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Can you confirm that replication is happening correctly between the two ASAs and that they have not had a failover incident that coincided with the incorrect certificate being seen.

Can you also post a suitably sanitised copy of the config.

To sanitise the config is to use search and replace in a text editor to replace the first two octets of any external IP addresses and replace any usernames and passwords with <redacted>.

Depending on your internal network numbering, replace the first two octets of external addresses with 10.<1-255>, 192.168 or 172.16.

Please do not replace IP addresses with or similar as it then makes confirming the NAT rules and ACLs rather "difficult"...
Replication seemed to be working correctly and there had not been any failover incidents.  I forced a failover manually by rebooting the active firewall and the standby took over as expected.  Once the primary device came back up, I rebooted the secondary, as well.

After doing this, I noticed that almost all of my configuration for the AnyConnect connections had been wiped out.  I made sure to write the config to memory before rebooting, so I'm not sure what happened.  The only piece left was the group policy.

I went ahead and deleted the remaining group policy, and reconfigured the whole connection for AnyConnect connections.  After doing this, everything seems to be working perfectly fine.

Although it's working now, I'll leave this open for a few days, since the fix doesn't really provide any sort of understandable explanation.
Aaargh, I only asked you to check!

The next check was to see if the Anyconect images existed on the secondary ASA.

The Anyconnect images (the .pkg files) are not copied over as part of the replication process, so if you failover to the secondary and they do not exist...

I haven't a clue why Cisco didn't include replication of the Anyconnect images (and boot images and ASDM images) between ASAs, but c'est la vie.


That explains it.  I did not know that, but no big deal.  It wasn't that bad to reconfigure it and the problem is resolved.  Thanks for the info.


Reboot and reconfigure AnyConnect setup

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial