Avatar of dennisallen
dennisallen
Flag for United States of America asked on

Cisco ASA AnyConnect SSL VPN - Certificate Issues

I have two Cisco ASA 5510’s running in an active/standby configuration.  Everything has been working correctly except SSL VPN connections through the AnyConnect client.
 
A SSL certificate from a third party is being used to verify these connections.  At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address.  (There is a NAT to its inside address)

To sum it up, the server on the inside is an Exchange server and is being accessed for OWA.  Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass.  For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections.  When this happens, of course the user receives a certificate error, and is prompted to continue.

This does not happen every time.  At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
 
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access.  There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
CiscoVPNHardware Firewalls

Avatar of undefined
Last Comment
dennisallen

8/22/2022 - Mon
ArneLovius

Can you confirm that replication is happening correctly between the two ASAs and that they have not had a failover incident that coincided with the incorrect certificate being seen.

Can you also post a suitably sanitised copy of the config.

To sanitise the config is to use search and replace in a text editor to replace the first two octets of any external IP addresses and replace any usernames and passwords with <redacted>.

Depending on your internal network numbering, replace the first two octets of external addresses with 10.<1-255>, 192.168 or 172.16.

Please do not replace IP addresses with xxx.xxx.xxx.xxx or similar as it then makes confirming the NAT rules and ACLs rather "difficult"...
ASKER CERTIFIED SOLUTION
dennisallen

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
dennisallen

ASKER
That explains it.  I did not know that, but no big deal.  It wasn't that bad to reconfigure it and the problem is resolved.  Thanks for the info.
dennisallen

ASKER
Reboot and reconfigure AnyConnect setup
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck