GlobalProtect reports a "Client Certificate Error" but still connects

NinthShot — Mon, 16 Mar 2015 15:15:00 GMT

Hello-

I'm running a PA-500 on with GlobalProtect for VPN access. Just recently our users started experiencing an issue wherein they try to connect and receive a "Client Certificate Error" error dialog. However, after they click OK to close the dialog, the agent connects anyway. I investigated the issue myself and found what follows below. Note that I initiated the connection at around 19:24 and closed it at around 19:33.

Environment:

Firewall OS: 5.0.14

GlobalProtect Client: 1.2.5-2

User OS: Windows 7 (all our users are Win 7, so I can't determine whether this is OS-specific)

The exported PanGPA log reports this at the time of making the connection:

(T4860) 03/15/15 19:24:39:713 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T4860) 03/15/15 19:24:39:900 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T2844) 03/15/15 19:24:48:683 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T4328) 03/15/15 19:24:49:354 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T3180) 03/15/15 19:24:57:154 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

The exported PanGPS log reports this (I've removed IP addresses):

(T2080) 03/15/15 12:13:26:571 Error( 80): Failed to open sub key 'Software\Palo Alto Networks\VPN Agent\PanSetup'

(T2176) 03/15/15 19:24:39:619 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T2176) 03/15/15 19:24:39:619 Error( 141): connect() failed

(T2176) 03/15/15 19:24:39:619 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.

(T2176) 03/15/15 19:24:45:891 Error(12151): pre-login error message: GlobalProtect portal does not exist

(T2176) 03/15/15 19:24:45:891 Error(8298): pan_obj_get_value() failed with tag client-cert. Returns false.

(T2176) 03/15/15 19:24:45:891 Error(11000): Failed to export client cert.

(T4256) 03/15/15 19:24:45:984 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T4256) 03/15/15 19:24:45:984 Error( 141): connect() failed

(T4256) 03/15/15 19:24:45:984 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.

(T4264) 03/15/15 19:24:51:444 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4264) 03/15/15 19:28:56:737 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[1] (<Some IP 1>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[2] (<Some IP 2>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[3] (<Some IP 1>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[4] (<Some IP 2>) failed (Element not found.)

(T2960) 03/15/15 19:32:49:270 Error(1739): UnsetRoutes: No route installed before

(T2960) 03/15/15 19:33:01:339 Error(1199): IpReleaseAddress done

(T2176) 03/15/15 19:33:01:558 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T2176) 03/15/15 19:33:01:558 Error( 141): connect() failed

(T2176) 03/15/15 19:33:01:558 Error( 978): ConnectSSL: Failed to connect to '<Portal IP>:443'

(T2176) 03/15/15 19:33:01:558 Error(1025): ConnectSSL(false) failed

(T2176) 03/15/15 19:33:01:558 Error(1221): Logout: SendNReceive() failed

(T2176) 03/15/15 19:33:01:558 Error(2013): Disconnect: Logout() failed

One of the first things I did was check out the certificates assigned to the clients, and they all appear to be fine. At least, nothing in them was changed or expired. I also checked out the firewall's system logs and they don't give a hint of any error (they just show a successful authentication and connection), which leads me to believe that the error is completely client-side. Does anybody have any input on this? I like that my users can still connect, but for obvious reasons I don't like seeing certificate errors that are apparently being ignored...if the logs say "Failed to ssl connect" but it connects anyway, then what's it using to connect? Not an unencrypted, non-SSL connection, I hope. I'm hesitant to use the VPN until I can resolve this.

By the way, this seems to be a possibly related and unanswered question:

https://live.paloaltonetworks.com/message/43849

Thank you.

Re: GlobalProtect reports a "Client Certificate Error" but still connects

Gregoux — Tue, 17 Mar 2015 16:15:03 GMT

do you open support case ?

Re: GlobalProtect reports a "Client Certificate Error" but still connects

NinthShot — Tue, 17 Mar 2015 20:05:58 GMT

No, not yet. I was going to check with the community first and then open a support case if nobody here knew anything.

Re: GlobalProtect reports a "Client Certificate Error" but still connects

HULK — Tue, 17 Mar 2015 20:13:46 GMT

Could you please check the certificate common name is an IP address or a FQDN. For example, If the certificate is having IP address in the CN, you have to connect with IP from the GP client. Otherwise it will show you a certificate warning.

Thanks

Re: GlobalProtect reports a "Client Certificate Error" but still connects

MP18 — Thu, 04 Jan 2024 22:24:08 GMT

@NinthShot

I have seen error like this where in PA issuing cert was expired but Root Cert was not and PC machine cert was verified by the Root Cert on the PA.

Hope it helps.

Regards

topic Re: GlobalProtect reports a "Client Certificate Error" but still connects in General Topics

GlobalProtect reports a "Client Certificate Error" but still connects

Re: GlobalProtect reports a "Client Certificate Error" but still connects

Re: GlobalProtect reports a "Client Certificate Error" but still connects

Re: GlobalProtect reports a "Client Certificate Error" but still connects

Re: GlobalProtect reports a "Client Certificate Error" but still connects