Cisco IOS SSL Webvpn, Router's Self Signed Cert not taken by Anyconnect

I am a novice with certificates, and am feeling like my self-signed certificate is not implemented correctly on the webvpn, or not generated correctly for proper authentication. Any help is appreciated. I would be happy if the users could accept the certificate and webvpn to either the IPv4 address or the vpn.domain.com FQDN.

I had a working WebVPN, then we moved to a new building with a new set of IPs. I created a new self-signed certificate after not being able to VPN in, changing the CN=<WEBVPN IP ADDRESS> to the new gateway, only to not be able to connect via AnyConnect. (I deleted the old certificate and then recreated it via the "crypto pki enroll webvpn" command.)

I am getting a few Security Warnings when trying to connect, saying "Certificate does not match the server name, and the Certificate is from an untrusted source".  I connect anyway, enter my username and password (which a debug webvpn aaa proves is authenticated against our AD), then I get a second Security Warning, saying "Certificate does not match the server name, and the Certificate is from an untrusted source".  I click connect anyway again, only for AnyConnect to say the certificate on the secure gateway is invalid.  A VPN connection will not be established, then "AnyConnect was not able to establish a connection to the specified gateway.  Please try connecting again".

I am attaching a few show commands hoping this will help.

Router#show run | s webvpn
crypto pki trustpoint webvpn
 enrollment selfsigned
 subject-name CN=<WEBVPN IP ADDRESS>
 revocation-check none
 rsakeypair <KEYPAIR>
crypto pki certificate chain webvpn
 certificate self-signed 09
<CERTIFICATE DATA>
        quit
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
webvpn gateway gateway_1
 ip address <WEBVPN IP ADDRESS> port 443  
 http-redirect port 80
 ssl trustpoint webvpn
 inservice
 !
webvpn context SSLVPN
 secondary-color white
 title-color #CCCC66
 text-color black
 aaa authentication list VPN_Radius
 gateway gateway_1
 max-users 20
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   timeout idle 36000
   svc address-pool "VPN_Pool" netmask 255.255.255.255
   svc default-domain "DOMAIN"
   svc keep-client-installed
   svc split include 192.168.1.0 255.255.255.0
   svc dns-server primary <DNS SERVER IP1>
   svc dns-server secondary <DNS SERVER IP2>
 default-group-policy policy_1



R2921#sh crypto pki trustpoint
Trustpoint webvpn:
    Subject Name: 
    hostname=<ROUTER.DOMAIN.COM>
    cn=<WEBVPN IP ADDRESS>
          Serial Number (hex): 09
    Persistent self-signed certificate trust point
    Using key label webvpn



R2921#show crypto pki certificate
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 09
  Certificate Usage: General Purpose
  Issuer: 
    hostname=<ROUTER.DOMAIN.COM>
    cn=<WEBVPN IP ADDRESS>
  Subject:
    Name: <ROUTER.DOMAIN.COM>
    hostname=<ROUTER.DOMAIN.COM>
    cn=<WEBVPN IP ADDRESS>
  Validity Date: 
    start date: 17:52:45 EST Jun 22 2015
    end   date: 19:00:00 EST Dec 31 2019
  Associated Trustpoints: webvpn 



R2921#term mon
R2921#
000986: Jun 22 20:47:45.394 EST: WV-AAA: Nas Port ID set to <WEBVPN USER IP>.
000987: Jun 22 20:47:45.394 EST: WV-AAA: AAA authentication request sent for user: "<WEBVPN USER NAME>"AAA returned status: 2 for session 113
000988: Jun 22 20:47:45.482 EST: WV-AAA: Framed-Protocol: Processing AV
000989: Jun 22 20:47:45.482 EST: WV-AAA: service-type: Processing AV
000990: Jun 22 20:47:45.482 EST: WV-AAA: AAA Authentication Passed!
000991: Jun 22 20:47:45.482 EST: WV-AAA: User "<WEBVPN USER NAME>" has logged in from "<WEBVPN USER IP>" to gateway "gateway_1" 
             context "SSLVPN"


bill30 asked:
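The two warnings in the question ("Certificate does not match the server name" and "untrusted source") are separate checks: trust is about who signed the certificate, the name check is about whether the certificate's identifiers cover the address the client typed. The following is an added illustration of the name check, not code from the original post or from Cisco: it applies the RFC 6125 / RFC 5280 matching rules as most TLS clients implement them (DNS names against SAN dNSName entries, with the subject CN used only when no dNSName exists; IP addresses only against SAN iPAddress entries, so an IP written into the CN is not an identifier). Whether AnyConnect follows exactly these rules is an assumption; the post does not show its logic. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, using RFC 5737 documentation addresses and `vpn.example.com` in place of the redacted values.

```python
"""Does a server certificate's set of identifiers cover the name the client
connected to?  Added example; certificate inputs below are constructed."""
import ipaddress

# --- constructed sample certificates (RFC 5737 documentation addresses) ---
OLD_IP, NEW_IP, FQDN = "198.51.100.10", "203.0.113.5", "vpn.example.com"

# Self-signed cert shaped like the one in the post: CN=<gateway IP>, no SAN.
CERT_CN_IP_ONLY = {"subject": ((("commonName", NEW_IP),),)}
# Cert from before the move: CN still carries the old gateway address.
CERT_CN_OLD_IP = {"subject": ((("commonName", OLD_IP),),)}
# CN holds the FQDN and there is no SAN: CN fallback applies to DNS names.
CERT_CN_FQDN = {"subject": ((("commonName", FQDN),),)}
# Cert that covers both ways users reach the gateway: FQDN and IP in the SAN.
CERT_SAN_FQDN_AND_IP = {
    "subject": ((("commonName", FQDN),),),
    "subjectAltName": (("DNS", FQDN), ("IP Address", NEW_IP)),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def subject_cn(cert):
    """Return the first commonName in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def san_values(cert, kind):
    """All subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    wildcard only as the entire leftmost label, never across labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the whole first label and leave at least two more labels,
    # so 'v*.example.com' and '*.com' are rejected as patterns.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_server_name(cert, server_name):
    """Return (ok, reason) for the name the client typed or resolved."""
    try:
        target_ip = ipaddress.ip_address(server_name)
    except ValueError:
        target_ip = None  # not an IP literal, so treat it as a DNS name

    if target_ip is not None:
        for value in san_values(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True, f"SAN IP Address {value} matches"
            except ValueError:
                continue  # malformed SAN entry; ignore it
        return False, (f"no SAN IP Address entry for {server_name}; "
                       "an IP address in the CN is not an identifier")

    dns_names = san_values(cert, "DNS")
    for name in dns_names:
        if dns_name_matches(name, server_name):
            return True, f"SAN DNS {name} matches"
    if not dns_names:  # CN fallback only when the cert has no dNSName at all
        cn = subject_cn(cert)
        if cn and dns_name_matches(cn, server_name):
            return True, f"CN {cn} matches (no SAN present)"
    return False, f"no identifier in the certificate covers {server_name}"


if __name__ == "__main__":
    for label, cert in [("CN=new IP only", CERT_CN_IP_ONLY),
                        ("CN=old IP", CERT_CN_OLD_IP),
                        ("CN=FQDN", CERT_CN_FQDN),
                        ("SAN FQDN+IP", CERT_SAN_FQDN_AND_IP)]:
        for target in (NEW_IP, FQDN):
            ok, why = matches_server_name(cert, target)
            print(f"{label:15} -> {target:16} {'OK  ' if ok else 'FAIL'} {why}")
```

Under these rules only the last certificate passes for both the FQDN and the IP address, which is the outcome the question asks for. Under the strict reading, a certificate whose only identifier is CN=<IP address> is never a match, even when the client connects to exactly that IP, and a certificate that still carries the old address fails for the obvious reason. To see what a gateway actually serves, rather than what the running config says, fetch it from the outside with `openssl s_client -connect <gateway>:443 -showcerts` and inspect the Subject and "X509v3 Subject Alternative Name" fields with `openssl x509 -noout -text`; a serial number or validity period that disagrees with `show crypto pki certificate` means the gateway is still presenting a stale certificate.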
naderz commented:
So, the only change is the certificate?

Here is a nice guide for reference:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html

Have you tried installing the certificate on the client as well? Also, have you tried unchecking the "Block Connections from untrusted servers" on the AnyConnect client?
bill30 (author) commented:
I have resolved this issue by taking the gateway out of inservice, deleting the trustpoint, recreating the certificate, and putting the gateway back in inservice.
bill30 (author) commented:
The only other post was not helpful and did not address what I had to do to resolve the issue.