https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30130#M22019 <HTML><HEAD></HEAD><BODY><P>Hi Johan, </P><P></P><P>Make sense...Did you install root certificate on GP client ?</P><P></P><P>Regards,</P><P>Hardik shah</P></BODY></HTML> Sat, 11 Oct 2014 16:21:47 GMT hshah 2014-10-11T16:21:47Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30124#M22013 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>We experiencing a problem with the new version of Global Protect 2.1.We have PA 6.0.3. We use a 3th party as authenticaton manager. The problem appears with the certificate of the gateway : we use forthis certificate a wildcard signed certificate. All the gp clients upgraded to this version receive the following error : Gateway external_gateway_2: Server certificate verification failed. With version 2.0.x , this problem didnt arrive. This is no problem with all clients (laptops, androids, ...), butthis has become problem with ios-devices, since they upgraded automically from appstore, since appstore upgraded their version to 2.1. Anybody knows if this is a general problem.Has the new globalprotect client a requirement of &gt; panos 6.0.3 ?</P><P></P><P>Error message : Gateway external_gateway_2: Server certificate verification failed</P><P>from logs tested with 64 bit laptop win7 :</P><P></P><P>(T99064) 10/11/14 13:32:30:934 Error(2147): Failed to verify server certificate of gateway xxxxxxxxxxxx.</P><P>(T99064) 10/11/14 13:32:30:934 Error(1520): Failed to retrieve info for gateway xxxxxxxxx.</P><P>(T99064) 10/11/14 13:32:30:934 Error(2350): NetworkDiscoverThread: failed to discover external network.</P><P></P><P></P><P>greetz</P></BODY></HTML> Sat, 11 Oct 2014 11:38:12 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30124#M22013 johan.boeckx 2014-10-11T11:38:12Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30125#M22014 <HTML><HEAD></HEAD><BODY><P>Hi Johan,</P><P></P><P>Can you confirm if the Gateway's ip address is fqdn or IP address under External Gateways? If its IP address can you change it to FQDN, commit and try again? Thank you.</P></BODY></HTML> Sat, 11 Oct 2014 14:34:52 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30125#M22014 ssharma 2014-10-11T14:34:52Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30126#M22015 <HTML><HEAD></HEAD><BODY><P>That was correct answer. I changed the gateway address now tothe url, which makes part of the wildcard certficate. It works now. What troubles me a bit, is that I still see in the logging of the gp client : "</P><P>(T92424) 10/11/14 16:40:16:525 Info ( 107): Failed to verify server cert. Result is self signed certificate in certificate chain </P><P>(T92424) 10/11/14 16:40:16:525 Info ( 126): SSL_get_verify_result() failed: (null)</P><P></P><P>Any idea about this ?</P><P></P><P>greetz,</P><P>Johan</P></BODY></HTML> Sat, 11 Oct 2014 15:08:20 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30126#M22015 johan.boeckx 2014-10-11T15:08:20Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30127#M22016 <HTML><HEAD></HEAD><BODY><P>Hi Joan,</P><P></P><P>I had similar issue with GP 2.1.0. </P><P></P><P>I was suggested that CN of gateway certificate has to be same as gateway name provided by Portal.</P><P></P><P>Try this change, it should work.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Sat, 11 Oct 2014 15:09:39 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30127#M22016 hshah 2014-10-11T15:09:39Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30128#M22017 <HTML><HEAD></HEAD><BODY><P>Hi Joahn,</P><P></P><P>As of now end client doesnt trust the root CA which signed "GP Certificate".</P><P></P><P>Which means you are supposed to install root certificate.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Sat, 11 Oct 2014 15:52:18 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30128#M22017 hshah 2014-10-11T15:52:18Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30129#M22018 <HTML><HEAD></HEAD><BODY><P>Doesnt work</P><P>I suppose it is not the cn of the name you give in the PA. I tried to give the gateway name the same as the name of the certificate . Still the same result</P><P></P><P>greetz,</P><P>Johan</P></BODY></HTML> Sat, 11 Oct 2014 15:54:42 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30129#M22018 johan.boeckx 2014-10-11T15:54:42Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30130#M22019 <HTML><HEAD></HEAD><BODY><P>Hi Johan, </P><P></P><P>Make sense...Did you install root certificate on GP client ?</P><P></P><P>Regards,</P><P>Hardik shah</P></BODY></HTML> Sat, 11 Oct 2014 16:21:47 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30130#M22019 hshah 2014-10-11T16:21:47Z https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30131#M22020 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P>I'm getting the same error with GP 2.1 on Windows 8.1 , actually I always have big trouble with windows machines. <BR />it works perfect on Android, Apple, but Windows takes me hours and not working every time. I do huge hit and miss config every time.</P><P></P><P>Can somebody explain how to configure this please? </P><P></P><P>I bought the domain.</P><P>I generated new CSR and signed it by the Trusted CA (VeriSign) </P><P>I imported the cert and I see the certs "merged" and have the FQDN name of a cert with "private key"</P><P>I select the cert for Server Cert</P><P>I connect to the gateway and get the same error as everybody in this post. </P><P>Can not select continue.</P><P></P><P>I use FQDN for Cert name, Portal address, and in GP client to connect.</P><P></P><P>Do I still need to export the cert and import to the windows client root folder? if so , why ? </P></BODY></HTML> Tue, 25 Nov 2014 21:44:00 GMT https://live.paloaltonetworks.com/t5/general-topics/since-upgrade-globalprotect-2-1-certificate-problems/m-p/30131#M22020 Mariusz.pianka 2014-11-25T21:44:00Z