Cisco ASA AnyConnect SSL VPN - Certificate Issues
I have two Cisco ASA 5510’s running in an active/standby configuration. Everything has been working correctly except SSL VPN connections through the AnyConnect client.
A SSL certificate from a third party is being used to verify these connections. At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address. (There is a NAT to its inside address)
To sum it up, the server on the inside is an Exchange server and is being accessed for OWA. Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass. For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections. When this happens, of course the user receives a certificate error, and is prompted to continue.
This does not happen every time. At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access. There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
A SSL certificate from a third party is being used to verify these connections. At random, clients receive the incorrect certificate from a server that is behind the firewall and has a different public IP address. (There is a NAT to its inside address)
To sum it up, the server on the inside is an Exchange server and is being accessed for OWA. Like I said, it has a different public IP address and a NAT, so inbound OWA traffic can pass. For some reason, at certain times, the AnyConnect clients will pull back the SSL cert for the Exchange server rather than the SSL cert for the VPN connections. When this happens, of course the user receives a certificate error, and is prompted to continue.
This does not happen every time. At times, it will pull the correct SSL certificate and other times it will pull the certificate from the Exchange server.
I have another ASA that uses a separate Internet connection and doesn’t have any internal machines that have NAT’s to allow outside access. There aren't any certificate problems for AnyConnect clients when connecting to it, so I assume it is something to do with a translation, I’m just not sure what the issue is.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That explains it. I did not know that, but no big deal. It wasn't that bad to reconfigure it and the problem is resolved. Thanks for the info.
ASKER
Reboot and reconfigure AnyConnect setup
Can you also post a suitably sanitised copy of the config.
To sanitise the config is to use search and replace in a text editor to replace the first two octets of any external IP addresses and replace any usernames and passwords with <redacted>.
Depending on your internal network numbering, replace the first two octets of external addresses with 10.<1-255>, 192.168 or 172.16.
Please do not replace IP addresses with xxx.xxx.xxx.xxx or similar as it then makes confirming the NAT rules and ACLs rather "difficult"...