https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/583447#M5245 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257048">@kiwi</a>&nbsp;</P> <P>&nbsp;</P> <P>Configuration for&nbsp;<SPAN>remote2.watsons.com.ph seems to be inplace.</SPAN></P> <P>&nbsp;</P> <P><SPAN>What else can you suggest we need to check?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please see attached picture</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 702px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59021i81B38212476A9137/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></SPAN></P> Fri, 12 Apr 2024 00:49:58 GMT NickoKristian 2024-04-12T00:49:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/582604#M5216 <P>Hi All,</P> <P>&nbsp;</P> <P>One of our client has signed and imported a new certificate. It is showing as valid.</P> <P>&nbsp;</P> <P>But when we apply necessary changes to use this certificate and try to connect. It is displaying this error</P> <P>&nbsp;</P> <P>"Connection Failed:Gateway isp2-gw: Could not verify the server certificate of the gateway. If the issue persists, contact your administrator."</P> <P>&nbsp;</P> <P>We have extracted debug logs for this and I am seeing this error.</P> <P>&nbsp;</P> <P>(P5156-T19156)Debug(3644): 04/02/24 17:15:24:568 ----Gateway Pre-login starts----<BR />(P5156-T19156)Debug(13345): 04/02/24 17:15:24:568 Check cert of server 202.57.50.146<BR />(P5156-T19156)Debug( 931): 04/02/24 17:15:24:569 SSL connecting to 202.57.50.146<BR />(P5156-T19156)Debug( 571): 04/02/24 17:15:24:574 Network is reachable<BR />(P5156-T16668)Debug( 136): 04/02/24 17:15:24:594 Wait for the ready event of hip report generated in other process.<BR />(P5156-T19156)Debug(1500): 04/02/24 17:15:25:295 Unable to verify server cert. Result is unable to get local issuer certificate <BR />(P5156-T19156)Debug(1043): 04/02/24 17:15:25:295 Hostname 202.57.50.146 doesn't matche sub alt name remote2.watsons.com.ph<BR />(P5156-T19156)Debug(1058): 04/02/24 17:15:25:295 CheckServerCertName: bFips false, validExtensionCount 1<BR />(P5156-T19156)Debug(1066): 04/02/24 17:15:25:295 Hostname 202.57.50.146 doesn't match sub alt name or no sub alt name, fallback to CN <BR />(P5156-T19156)Debug(1106): 04/02/24 17:15:25:295 Hostname 202.57.50.146 NOT match remote2.watsons.com.ph <BR />(P5156-T19156)Debug(1537): 04/02/24 17:15:25:295 OpenSSL alert write<span class="lia-unicode-emoji" title=":warning:">⚠️</span>close notify<BR />(P5156-T19156)Debug(6529): 04/02/24 17:15:25:295 pretunnel latency (manual gateway) is 513<BR />(P5156-T19156)Error(3702): 04/02/24 17:15:25:295 Failed to verify server certificate of gateway 202.57.50.146.<BR />(P5156-T19156)Debug(5851): 04/02/24 17:15:25:295 Show Gateway isp2-gw: Could not verify the server certificate of the gateway. If the issue persists, contact your administrator.<BR />(P5156-T19156)Info (2701): 04/02/24 17:15:25:295 Failed to retrieve info for gateway 202.57.50.146.<BR />(P5156-T19156)Debug(2712): 04/02/24 17:15:25:295 tunnel to 202.57.50.146 is not created.<BR />(P5156-T19156)Error(6907): 04/02/24 17:15:25:295 NetworkDiscoverThread: failed to discover external network.<BR />(P5156-T19156)Debug(7986): 04/02/24 17:15:25:295 --Set state to Disconnected<BR />(P5156-T19156)Debug(6971): 04/02/24 17:15:25:296 NetworkDiscoverThread: PortalStatus is 2, HasLoggedOnGateway is 0<BR />(P5156-T19156)Debug(6973): 04/02/24 17:15:25:296 NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) &amp;&amp; !m_bHasLoggedOnGateway)<BR />(P5156-T19156)Debug(6994): 04/02/24 17:15:25:296 Network discovery is not ready, set GP VPN status as disconnected<BR />(P5156-T19156)Debug(13515): 04/02/24 17:15:25:296 SetVpnStatus called with new status=0, Previous Status=0<BR />(P5156-T7096)Debug(2625): 04/02/24 17:15:25:296 Setting debug level to 5<BR />(P5156-T19156)Debug(4503): 04/02/24 17:15:25:296 UpdatePrelogonStateForSSO() - tunnel state = Disconnected<BR />(P5156-T19156)Debug(11258): 04/02/24 17:15:25:296 CPanMSService::OnVpnStatusProxyAgent: tunnel only, stop the proxy.<BR />(P5156-T20316)Debug(6101): 04/02/24 17:15:26:571 CPD, reset cp detection history<BR />(P5156-T20316)Debug(2410): 04/02/24 17:15:26:571 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.1-132 (Microsoft Windows 11 Pro , 64-bit).<BR />(P5156-T20316)Debug( 571): 04/02/24 17:15:27:178 Network is reachable<BR />(P5156-T20316)Debug( 149): 04/02/24 17:15:27:442 CPD, pan_http_captive_portal_detection: status is 200<BR />(P5156-T20316)Debug( 162): 04/02/24 17:15:27:442 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.<BR />(P5156-T20316)Debug(6114): 04/02/24 17:15:27:443 CPD, index=0, iRet=-1, lastError=0<BR />(P5156-T20316)Debug(6132): 04/02/24 17:15:27:443 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200<BR />(P5156-T20316)Debug(2410): 04/02/24 17:15:27:443 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.1-132 (Microsoft Windows 11 Pro , 64-bit).<BR />(P5156-T20316)Debug( 571): 04/02/24 17:15:27:534 Network is reachable</P> <P>&nbsp;</P> <P>Anything Significant we can look into this?</P> <P>&nbsp;</P> <P>I am trying to look for articles similar to "Hostname 202.57.50.146 doesn't matche sub alt name remote2.watsons.com.ph" &lt;-- because I think this is the cause.</P> <P>&nbsp;</P> <P>But I cannot find any steps/guide to tshoot this.</P> <P>&nbsp;</P> <P>Need your help.</P> <P>&nbsp;</P> <P>Regards</P> <P>Nicko</P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Apr 2024 06:52:09 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/582604#M5216 NickoKristian 2024-04-04T06:52:09Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/583243#M5241 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/295338">@NickoKristian</a> ,</P> <P>&nbsp;</P> <P>The error "<SPAN>Hostname </SPAN>ABC <SPAN>doesn't match sub alt name XYZ" is usually an indication that the server certificate used in the SSL/TLS profile for gateway is incorrect.</SPAN></P> <P>&nbsp;</P> <P><SPAN>I'd check the following:</SPAN></P> <P><SPAN><BR /></SPAN>Navigate to the portal settings &gt; Agent &gt; Agent config &gt; External Gateways.&nbsp;</P> <P>&nbsp;</P> <P>Verify the FQDN for the gateway, provided in the above setting is matching the CN(common name) in the certificate called in the SSL/TLS profile, in the firewall.</P> <P>&nbsp;</P> <P>Please use the appropriate certificate in the SSL/TLS profile with a CN (common name) that corresponds to the data given in the aforementioned portal settings.</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>Kim.</P> Wed, 10 Apr 2024 15:53:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/583243#M5241 kiwi 2024-04-10T15:53:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/583447#M5245 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257048">@kiwi</a>&nbsp;</P> <P>&nbsp;</P> <P>Configuration for&nbsp;<SPAN>remote2.watsons.com.ph seems to be inplace.</SPAN></P> <P>&nbsp;</P> <P><SPAN>What else can you suggest we need to check?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please see attached picture</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 702px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59021i81B38212476A9137/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></SPAN></P> Fri, 12 Apr 2024 00:49:58 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/583447#M5245 NickoKristian 2024-04-12T00:49:58Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/594037#M5631 <P><SPAN>&nbsp;NS Lookup to google shows it at a</SPAN></P> <P><SPAN>Name: remote2.watsons.com.ph<BR />Address: 202.57.50.146</SPAN></P> <P><SPAN>if your local endpoint cannot use DNS make this resolution, it will fail. For example If you are handing up to umbrella or some other dns filtering and the&nbsp;&nbsp;url remote2.watsons.com.ph classified as malware or some other filtered category, resolution will fail and cause a disconnect between the url and the CN/SAN in the cert. . If that is not the case, run nslookup or dig against the record on the&nbsp; local host and see if it resolves to the correct address. I suspect a DNS issue.&nbsp;</SPAN></P> <P><SPAN>Edit:&nbsp;</SPAN></P> <P><SPAN>Also make sure you are using the DNS name in the GP Portal field and not the IP address.</SPAN></P> Mon, 05 Aug 2024 20:10:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/problem-using-new-digitally-signed-certificate/m-p/594037#M5631 NSutfin 2024-08-05T20:10:28Z