Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

DavePalo — Mon, 07 Nov 2022 23:55:53 GMT

Hi all,

Just putting this out there to see if anybody else has had similar issues. If you have, I would really appreciate you letting me know please!

Palo Alto PA-820 - HA (active/passive) - PanOS 9.1.5

For several months we have had intermittent problems with Global Protect rejecting client certificates when our users try to connect to one of our HA pairs of Palo Altos. Things work fine for several days, then we see just the occasional rejection, but usually within 24 hours of the first rejection, all client certificates are rejected by Global Protect.

If we fail over to the HA peer, client certificates are accepted again for several days until the same thing happens and we need to fail back. Reboot, Repeat.

This issue first appeared when we were running PanOS 8.1 and has remained following an upgrade to 9.1.

We have several pairs of Palo Alto devices running PanOS 9.1 configured in the same way (although different models) and none of the others have suffered from this problem. These all use the same client certificates / CAs and the Global Protect configuration is identical.

Some more relevant info:

Both certificate and credentials (AD / SAML) are required to connect to Global Protect.
CRLs are used and we have confirmed that valid CRLs are present at the time of the issue (we use 2 CAs).
Restarting the sslvpn-web-server process does not help.
Recent issues such as DP/MP time sync have been eliminated.

We have had a case open with Palo Alto support since August but little progress has been made. The tech support file does not seem to contain any clues. Additional debug level logs have been provided too but have not proved useful so far.

If you have had similar issues or have any suggestions for things to check while Palo Alto are reviewing my uploads, it would be really appreciated.

Thank you,

Dave

Re: Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

BPry — Tue, 08 Nov 2022 01:24:38 GMT

@DavePalo,

I ran into this exact same issue a while backchat wasn't being solved by software and just got to be extremely annoying more than anything else. I eventually just reinstalled from maintenance mode on the two HA hosts and restored the configuration. That actually fixed it and I haven't had any issues with those two hosts since. Never did actually figure out what was causing the issue, but that thankfully fixed it.

Re: Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

DavePalo — Tue, 08 Nov 2022 15:07:00 GMT

Thank you @BPry ,

It is good to hear that somebody else has seen this issue before - it's not just me!

If support are unable to find the issue soon I will try reinstalling as you did. Thanks for the tip!

Best regards,

Dave

topic Re: Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart in General Topics

Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

Re: Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

Re: Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart