I have two Cisco ASA 5510’s running in an active/standby configuration. Everything has been working correctly except SSL VPN connections through the AnyConnect client.
A SSL certificate from a third party is being used to verify these connections. At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address. (There is a NAT to its inside address)
To sum it up, the server on the inside is an Exchange server and is being accessed for OWA. Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass. For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections. When this happens, of course the user receives a certificate error, and is prompted to continue.
This does not happen every time. At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access. There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.