GP Certificate CN Mismatch issue when adding on more new Global Protect Gateway/Portal

sisayfe — Sat, 26 Mar 2022 08:40:32 GMT

I have two PA-820 operating in Active/Passive HA mode. The WAN set up is a dual ISP connection to a single ISP which are configured using BGP. I was adding a new Global Protect Gateway and portal that is segregated from the existing one to connect separate group of users. Separate domain name and public IP with standalone SSL Certificate created for each on LetsEncrypt. The Palo Alto model is PA820 in HA Active-Passive mode. Its is connected through two leased-lines to a single ISP. So previously the working GP was aa.test.com with public IP of 1.2.3.4, and the new domain name is bb.test.com with an public IP configured as 5.6.7.8. Totally segregated. Although everything is set up by the book, we are having a certificate error whenever someone tries to connect to the new GP bb.test.com . The certificate error is happening with certificate of the old GP aa.test.com being applied on to bb.test.com . This is delaying the clients who are waiting to connect through the new portal/GW.
The things I have checked before coming to this forum,
1. I have used a FQDN when configuring the Agent>External Gateway and the correct GP certificate is applied on their respective GP Portal/Gateway

2. The Interface IP is static so I have not used loopback IP, correct me if I am wrong here that I need to use a dummy loopback IP instead of the interface IP while the interface IPs are statically set.
3. The configuration for the GP portal/GW is correct and there is no configuration mix up/overlap between the two GW/Portals set up.

4. Separate public IP is used for each and different FQDN as well.

5. Separate Cert is created using letsencrypt and uploaded on the CertMgmt>Certificate.

6. Separate tunnel is created and each tunnel is used for each GW/Portal(the new and the old one).
Brief recap of the issue:
Here is a quick recap of our session:
=================================
- The issue is with a newly configured Global Protect
- The issue which you are facing is that the newly configured gp configuration is taking an old certificate.
- The portal URL for Old is aa.test.com , and the New one is bb.test.com
- The error that I am getting on client's pc is that The certificate CN name mismatch. The certificate is not issued to bb.test.com.
- The certificate profile and GP configuration has been verified with PA Support Engineer too.

You kind support is appreciated, please.

topic GP Certificate CN Mismatch issue when adding on more new Global Protect Gateway/Portal in GlobalProtect Discussions

GP Certificate CN Mismatch issue when adding on more new Global Protect Gateway/Portal