Cisco AnyConnect + custom certificate

CiscoAnyconnect
Here to help


Hi

Has anyone created a custom certificate on the MX with Let's Encrypt for Cisco AnyConnect?

Does Meraki support it?

PhilipDAth
Kind of a big deal

You can't use LetsEncrypt.  You'll need to generate a CSR on the MX, take that to your certificate authority, get it signed, and then come back and install it.  Repeat every year.


99% of AnyConnect users on MX (that I have seen) use the provided automated TLS certificates using the DDNS name that the MX generates.


You can create a profile to put into AnyConnect to display your company name instead so users don't even have to know the DDNS names.  I have an online tool that can create these profiles.

https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html 

I understand, but using a profile doesn't help my scenario.

Since I've four MXs in four different countries with users who are traveling a lot, I am using Azure Traffic Manager (DNS load balancing) to select the nearest MX.

Dynamic cert doesn't work with my load balancer name and users get a trust warning message, which is not a good sign for them.

I've also created different profiles with the AnyConnect profile editor and tried to enable OGS but it doesn't work as it should. It just selects the first VPN in the list.

That's why I am thinking about custom certificates.

> Since I've four MXs in four different countries with users who are traveling a lot, I am using Azure Traffic Manager (DNS load balancing) to select the nearest MX.

You know this capability is already built into AnyConnect - to select the nearest VPN head end to the user?  It is called "Optimal Gateway Selection".

https://community.cisco.com/t5/security-knowledge-base/anyconnect-optimal-gateway-selection-operatio... 

Basically, in the profile, you need to add the below in the ClientInitialization section.

    <EnableAutomaticServerSelection UserControllable="false">true
        <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
        <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>

> It just selects the first VPN in the list.

I'm guessing that is because the first option in the list is the VPN head end closest to you ...

I'm in Sweden and I have the UK and SE VPNs in my list, but it selects the UK!

I'm a little confused by the backup servers setting in the profile editor.

I can add backup servers under Server list and there is separately another Backup servers menu.

I assume the issue is there!


With OGS you just list the servers "normally".  You don't need to use backup servers for your use case.


AnyConnect decides which VPN head end to use based on the HTTPS response time.  Perhaps you could use a tool to measure the response time to each.

After several attempts it works now, but OGS doesn't recognize one of the VPN servers.

We have 4 VPN servers but I can see just 3 servers in the logs:

[screenshot: CiscoAnyconnect_0-1673944688917.png]

I've tried to troubleshoot it and found we have packet loss when I'm pinging the WAN.

It means AnyConnect tries to calculate RTT by sending requests to each VPN server, but since we have PL on one of them, AnyConnect just ignores it and uses its cache for the next time.

But when I try to connect manually (OGS disabled) it works fine!

The question is, can we just disable that cache somehow?


I'm not aware of any way to disable the cache.


Chances are, if you were closer to the VPN head end losing packets - you wouldn't be losing packets anymore.

Yes, correct, but a 14-day cache is not acceptable, I think.

Think about it: if there is just one PL and AnyConnect ignores that VPN server, the client connects to another VPN server which is not close enough and must run with lower speed/performance for 14 days.


@CiscoAnyconnect wrote:

> I understand, but using a profile doesn't help my scenario.
>
> Since I've four MXs in four different countries with users who are traveling a lot, I am using Azure Traffic Manager (DNS load balancing) to select the nearest MX.
>
> Dynamic cert doesn't work with my load balancer name and users get a trust warning message, which is not a good sign for them.
>
> I've also created different profiles with the AnyConnect profile editor and tried to enable OGS but it doesn't work as it should. It just selects the first VPN in the list.
>
> That's why I am thinking about custom certificates.


If you choose to maintain the Azure DNS load balancing, I'd also be curious to learn more details about the Dynamic cert trust issues you're having - there may be solutions there we can pursue.

But it's impossible to run with dynamic certs and Azure Traffic Manager; you need to run with custom certificates and purchase SSL certificates for each MX/VPN.

What I'm not clear on is *why* dynamic certs won't work - is there anything you can do to elaborate on why?

Well,

Dynamic certs work, but when I want to use DNS load balancing like Azure Traffic Manager, clients get a warning message.

If your clients are connecting to the Azure manager, and then being redirected to an MX, it sounds to me like they're getting a warning that the name on the initial cert doesn't match that of where they're ultimately getting redirected to.

If that's true, have you considered doing something like creating a cert with a SAN that covers all of the devices you're load-balancing to? https://support.dnsimple.com/articles/what-is-ssl-san/#san-restrictions

Depending on growth and scale here, it might be feasible.

PhilipDAth
Kind of a big deal

A little bit outside of my area; but I believe Azure Traffic Manager is just a DNS load balancing service, returning the nearest IP address of the service to the user.


So if you connect to vpn.company.com, it will return the IP address of the nearest MX.  If the MX is configured to use its dynamic DNS name and certificate, it expects a connection to xxx.dynamic-m.com.

However, AnyConnect thinks it is connecting to vpn.company.com, so a certificate issue is created.


If you want to use Azure Traffic Manager then you will need to load a custom certificate onto each MX that matches the original DNS name that AnyConnect is told to connect to.  You will also have to manage the process of rolling these certificates each time they get close to expiry.  A process prone to failure because humans don't tend to be good at managing this process.

That is why the easier option is to use the AnyConnect Optimal Gateway Selection feature, and have it do everything automatically.  You don't have to touch any certificates, nothing.  It will keep working year after year without you having to do anything.
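An added example, not from this thread or from Cisco/Meraki, showing in Python why the name mismatch above produces a trust warning and why a certificate issued for the Traffic Manager name does not. The two certificate dicts are constructed (the hostname mx-example-1.dynamic-m.com is made up) and follow the layout returned by ssl.SSLSocket.getpeercert(); the matcher applies the usual TLS client rules (SAN DNS names take precedence over the CN, case-insensitive, a single leftmost wildcard label).

```python
# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
# A dynamic MX certificate only carries the DDNS name the MX generated.
DYNAMIC_MX_CERT = {
    "subject": ((("commonName", "mx-example-1.dynamic-m.com"),),),
    "subjectAltName": (("DNS", "mx-example-1.dynamic-m.com"),),
}
# A custom certificate issued from the MX's CSR for the load-balanced name.
CUSTOM_MX_CERT = {
    "subject": ((("commonName", "vpn.company.com"),),),
    "subjectAltName": (("DNS", "vpn.company.com"),),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, one leftmost-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only "*.example.com" style wildcards; never "*.com", never "a.*.com",
    # and a wildcard covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def connect_name_trusted(cert, connect_name):
    """True if a client that was told to connect to connect_name would accept
    this certificate's identity; False is the 'trust warning' the users see."""
    return any(_dns_name_matches(name, connect_name) for name in cert_names(cert))
```

Traffic Manager hands AnyConnect the nearest MX's IP, but the client still expects the certificate to match vpn.company.com, so the dynamic certificate fails this check while the custom one passes.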


Totally agree with custom certificates and renewing them.....

But when I enable the Optimal Gateway Selection feature, there is a cache problem with it.

Scenario:

We have

VPN A
VPN B
VPN C
VPN D

When users want to connect with AnyConnect, OGS calculates RTT by sending a request to http port 443 and chooses the best result.

Think we have

RTT VPN A 233
RTT VPN B 134
RTT VPN C 335
RTT VPN D 421

It will automatically connect the user to VPN B and cache it for some days, so next time OGS doesn't calculate again and the client has to connect to the previous VPN!

I have users in Canada who connect to the UK VPN via OGS, but they can manually (with Automatic VPN disabled) connect to Canada without any problem. It could be a request timeout causing it, but the AnyConnect cache will keep connecting users to the UK for several days.

So we cannot use DNS load balancing with dynamic certs, and we cannot use an AnyConnect profile with OGS enabled because of the cache issue. The only solution is to purchase SSL certs for every MX and renew them every year, which is expensive for us with 8 MXs (main and spare).
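An added example, not from this thread or from Cisco, that works through the scenario above in Python: a probe that times the HTTPS connection to a head end (the tool suggested earlier in the thread), the lowest-RTT pick over the post's own numbers, and a cache model that reproduces the failure mode where one lossy head end drops out of a probe round and the runner-up stays cached for 14 days. The RTT values are constructed from the post, the head-end names are placeholders, and OgsCache is a simplification of the behaviour described in the thread, not AnyConnect's real implementation.

```python
import socket
import ssl
import time
from datetime import timedelta

# Constructed RTT samples in milliseconds, the same numbers as in the post.
# None marks a head end whose probe failed, e.g. because of packet loss.
MEASURED_RTT = {"VPN A": 233, "VPN B": 134, "VPN C": 335, "VPN D": 421}

def probe_https(host, port=443, timeout=3.0):
    """Time a TLS connection to one head end, the kind of HTTPS probe OGS keys on.
    Returns milliseconds, or None when the host does not answer within timeout.
    Certificate verification stays on, so a cert that does not match host (the
    thread's dynamic-cert problem) is reported as a failed probe, not trusted."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return (time.monotonic() - start) * 1000
    except OSError:  # timeouts, refused connections and ssl.SSLError all derive from it
        return None

def best_gateway(rtts):
    """Lowest-RTT head end among those that answered; None if none answered."""
    reachable = {name: rtt for name, rtt in rtts.items() if rtt is not None}
    return min(reachable, key=reachable.get) if reachable else None

class OgsCache:
    """Models the behaviour described in the thread: the winner of one probe
    round is reused for cache_days without re-probing (a simplification for
    illustration, not AnyConnect's real implementation)."""

    def __init__(self, cache_days=14):
        self.cache_days = cache_days
        self.chosen = None
        self.chosen_at = None

    def select(self, now, probe):
        """probe() returns a dict like MEASURED_RTT; it is only called when the
        cache is empty or older than cache_days."""
        if self.chosen and now - self.chosen_at < timedelta(days=self.cache_days):
            return self.chosen
        self.chosen, self.chosen_at = best_gateway(probe()), now
        return self.chosen

    def clear(self):
        """What removing the stored preference achieves: the next connect re-probes."""
        self.chosen = self.chosen_at = None
```

Running probe_https against your own head ends from the user's location shows whether the missing server is really timing out on the probe, which is the condition under which the cache model above locks in the wrong gateway.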

You could create a startup task that deletes the global_preferences.xml file to stop the caching.

I did it manually, same result.

Seems there is another cache file or another setting somewhere else.


Since we need to create the CSR from the MX, we cannot just purchase a SAN cert for all of our 8 MXs.

We need to buy an SSL cert for each MX.

Apologies for being obtuse here, but you wouldn't be able to purchase a SAN cert for Azure to use that contains the DDNS names of each MX?

I.e. CN=vpn.companyname.com

SAN DNS:mxddns1, DNS:mxddns2, ... DNS:mxddnsN

PhilipDAth
Kind of a big deal

Each MX will need its own certificate - each with exactly the same DNS name - vpn.company.com.


Azure Traffic Manager is just returning the IP address of the MX to connect to, using the vpn.company.com DNS name.

Correct, we have to create the CSR file from each MX.

I see, so there isn't a way to have it load balance to a range of hostnames. That's the detail I was missing here.
