https://live.paloaltonetworks.com/t5/next-generation-firewall/subject-globalprotect-connection-issue-after-ssl-tls-certificate/m-p/1235235#M6147 <P data-start="162" data-end="173">Hello Team,</P> <P data-start="175" data-end="358">We’re currently experiencing an issue where GlobalProtect is not accessible after renewing the server certificate associated with the SSL/TLS profile used by our GlobalProtect portal.</P> <P data-start="360" data-end="518"><STRONG data-start="360" data-end="378">Error message:</STRONG><BR data-start="378" data-end="381" /><EM data-start="381" data-end="518">GlobalProtect: Connection Failed. The network is unreachable or the portal is unresponsive. Check the network connection and reconnect.</EM></P> <P data-start="520" data-end="603">The portal is also not loading in a web browser, returning a <CODE data-start="581" data-end="596">ERR_TIMED_OUT</CODE> error.</P> <P data-start="605" data-end="628"><STRONG data-start="605" data-end="628">Additional details:</STRONG></P> <UL data-start="629" data-end="973"> <LI data-start="629" data-end="716"> <P data-start="631" data-end="716">We confirmed that traffic is reaching the firewall and hitting the correct interface.</P> </LI> <LI data-start="717" data-end="856"> <P data-start="719" data-end="856">We have two portals configured on different interfaces. The second portal (which still uses the old certificate) is functioning normally.</P> </LI> <LI data-start="857" data-end="940"> <P data-start="859" data-end="940">We’ve already restarted <CODE data-start="883" data-end="891">sslmgr</CODE>, <CODE data-start="893" data-end="912">sslvpn-web-server</CODE>, and the management server.</P> </LI> <LI data-start="941" data-end="973"> <P data-start="943" data-end="973">PAN-OS version: <STRONG data-start="959" data-end="973">11.1.4-h13</STRONG></P> </LI> </UL> <P data-start="975" data-end="1100">Has anyone encountered a similar issue after a certificate renewal? Any suggestions or insights would be greatly appreciated.</P> <P data-start="1102" data-end="1112">Thank you!</P> Fri, 01 Aug 2025 22:18:34 GMT Jagdeep1 2025-08-01T22:18:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/subject-globalprotect-connection-issue-after-ssl-tls-certificate/m-p/1235235#M6147 <P data-start="162" data-end="173">Hello Team,</P> <P data-start="175" data-end="358">We’re currently experiencing an issue where GlobalProtect is not accessible after renewing the server certificate associated with the SSL/TLS profile used by our GlobalProtect portal.</P> <P data-start="360" data-end="518"><STRONG data-start="360" data-end="378">Error message:</STRONG><BR data-start="378" data-end="381" /><EM data-start="381" data-end="518">GlobalProtect: Connection Failed. The network is unreachable or the portal is unresponsive. Check the network connection and reconnect.</EM></P> <P data-start="520" data-end="603">The portal is also not loading in a web browser, returning a <CODE data-start="581" data-end="596">ERR_TIMED_OUT</CODE> error.</P> <P data-start="605" data-end="628"><STRONG data-start="605" data-end="628">Additional details:</STRONG></P> <UL data-start="629" data-end="973"> <LI data-start="629" data-end="716"> <P data-start="631" data-end="716">We confirmed that traffic is reaching the firewall and hitting the correct interface.</P> </LI> <LI data-start="717" data-end="856"> <P data-start="719" data-end="856">We have two portals configured on different interfaces. The second portal (which still uses the old certificate) is functioning normally.</P> </LI> <LI data-start="857" data-end="940"> <P data-start="859" data-end="940">We’ve already restarted <CODE data-start="883" data-end="891">sslmgr</CODE>, <CODE data-start="893" data-end="912">sslvpn-web-server</CODE>, and the management server.</P> </LI> <LI data-start="941" data-end="973"> <P data-start="943" data-end="973">PAN-OS version: <STRONG data-start="959" data-end="973">11.1.4-h13</STRONG></P> </LI> </UL> <P data-start="975" data-end="1100">Has anyone encountered a similar issue after a certificate renewal? Any suggestions or insights would be greatly appreciated.</P> <P data-start="1102" data-end="1112">Thank you!</P> Fri, 01 Aug 2025 22:18:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/subject-globalprotect-connection-issue-after-ssl-tls-certificate/m-p/1235235#M6147 Jagdeep1 2025-08-01T22:18:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/subject-globalprotect-connection-issue-after-ssl-tls-certificate/m-p/1235251#M6148 <P>I've seen this issue before. The fact that the other portal works points directly to the new certificate or its configuration on the affected portal. The <CODE>ERR_TIMED_OUT</CODE> error is likely a symptom of a failed SSL handshake.</P> <P>Here's a quick checklist to troubleshoot:</P> <OL start="1"> <LI> <P>Certificate Chain:</P> <UL> <LI> <P>Confirm the new certificate and its intermediate CAs are all correctly installed and linked. A missing intermediate cert is the most common cause.</P> </LI> </UL> </LI> <LI> <P>SSL/TLS Profile:</P> <UL> <LI> <P>Verify the new certificate is correctly assigned in the SSL/TLS Profile for that portal.</P> </LI> <LI> <P>Check for any restrictive TLS versions or cipher suites in the profile.</P> </LI> </UL> </LI> <LI> <P>Logs and Packet Capture:</P> <UL> <LI> <P>Review the firewall's system, GlobalProtect, and <CODE>sslvpn-web-server</CODE> logs for specific errors.</P> </LI> <LI> <P>Run a packet capture on the external interface to see where the SSL handshake is failing.</P> </LI> </UL> </LI> </OL> <P>This issue is almost always a certificate or profile misconfiguration. Let's start by methodically checking those first.</P> Sun, 03 Aug 2025 17:19:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/subject-globalprotect-connection-issue-after-ssl-tls-certificate/m-p/1235251#M6148 Mudhireddy 2025-08-03T17:19:15Z