@scottalanmiller Apologies for lack of response, I simply haven't had the time to respond during the day lately, and I forget to check this site when I get home.
This issue has thankfully been resolved since posting. The MSP that installed this stuff was able to submit a ticket to Cisco, and the problem was resolved within 2 hours of doing so. This specific issue shouldn't happen again for a while since the certificates are good for 3 years, I believe.
I appreciate your input though, as I have been seriously wondering if we might be better off getting rid of all the Cisco stuff that the MSP installed. Unfortunately, it seems like Cisco was their brand of choice: switches, routers, wireless APs, ASA firewalls, AnyConnect for VPN. I believe there is even an old Cisco UCS server at one location; thankfully, it looks like it is currently only used as a shelf for a Synology NAS stacked on top of a tower server lying on its side.
I believe this SD-WAN was put in place under the facade of being easier to manage and more reliable, which is the opposite of what I have experienced so far. Would it not be easier / simpler to use standard IPsec tunnels configured through functionality that exists in pretty much every decent router available today? Similarly, wouldn't it be easier / simpler to use something like WireGuard or OpenVPN instead of AnyConnect?
I'm not a fan of Cisco myself, and used to use EdgeRouter, EdgeSwitch, and UniFi hardware prior to us being acquired and "upgraded" to Cisco hardware. It was cheap, easy to manage, and reliable enough for our needs. I would love to go this route again, or use a similar brand, but I'm not sure the owners and upper management would even consider it since what we have now "works".