https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46712#M34337 <HTML><HEAD></HEAD><BODY><P>Hello Ralph,</P><P></P><P>What version of GP-agent running on the client machine.?</P><P>Is this behavior observed in all machines including MAC and windows..?</P><P>Is there any special-character exists on your GP certificate..?</P><P></P><P>Thanks</P></BODY></HTML> Mon, 28 Jul 2014 15:21:24 GMT HULK 2014-07-28T15:21:24Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46711#M34336 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 10pt;">&nbsp; </SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">We have upgraded 5 of our BranchOffice firewalls from 6.02 to 6.03 yesterday. All updates went fine except one:</SPAN><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;">&nbsp; </SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;">We are going to get an issue as soon as we want to connect via Global Protect to the Gateway. The window "Client Certificate Error" pops up:</SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="color: #000000; font-size: 10pt; font-family: Times New Roman;"><IMG alt="portal error message_Client Certificate Error.png" class="image-0 jive-image jiveImage" height="466" src="https://live.paloaltonetworks.com/legacyfs/online/14709_portal error message_Client Certificate Error.png" style="width: 430px; height: 256px;" width="781" /></SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;">The error log shows:</SPAN></P><P><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;"> </SPAN><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T1636) 07/28/14 11:56:52:382 Error(8377): pan_obj_get_value() failed with tag client-cert. Returns false.</SPAN><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;"> </SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T1636) 07/28/14 11:56:52:382 Error(11081): Failed to export client cert.</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T580) 07/28/14 11:56:52:414 Error(1813): UnsetRoutes: No route installed before</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T1500) 07/28/14 11:56:57:883 Error(13454): Wait timeout for process PanGpHip.exe</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T580) 07/28/14 11:57:25:242 Error(6122): pre-login error message: GlobalProtect gateway does not exist</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T580) 07/28/14 11:57:25:554 Error(6350): unexpected response from server.</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T580) 07/28/14 11:57:25:554 Error(5858): Failed to retrieve info for gateway 77.xxx.xxx.xxx</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;">(T580) 07/28/14 11:57:25:554 Error(9094): NetworkDiscoverThread: failed to discover external network.</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="color: #000000; font-family: arial,helvetica,sans-serif; font-size: 10pt;">The only difference to the others is that we have Dynamic DHCP Client active on the Untrust Interface. However with 6.02 it still worked with this configuration. The Root and GP Certificates are valid and still the same as before we have updated to 6.03.</SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN lang="DE" style="color: #3b3b3b; line-height: 115%; font-family: arial,helvetica,sans-serif; font-size: 10pt; mso-ansi-language: DE;">Does anyone know what the problem could be? Can't find anything in the knowledgebase so far.</SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN lang="DE" style="color: #3b3b3b; line-height: 115%; font-family: arial,helvetica,sans-serif; font-size: 10pt; mso-ansi-language: DE;">Thanks,</SPAN></P><P style="margin: 0px 0px 10pt;"><SPAN style="line-height: 115%; color: #3b3b3b; font-size: 10pt; mso-ansi-language: DE; font-family: arial,helvetica,sans-serif;">Ralph</SPAN></P><P><SPAN style="color: #000000; font-family: Times New Roman; font-size: 12pt;">&nbsp; </SPAN></P></BODY></HTML> Mon, 28 Jul 2014 11:03:45 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46711#M34336 relsener 2014-07-28T11:03:45Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46712#M34337 <HTML><HEAD></HEAD><BODY><P>Hello Ralph,</P><P></P><P>What version of GP-agent running on the client machine.?</P><P>Is this behavior observed in all machines including MAC and windows..?</P><P>Is there any special-character exists on your GP certificate..?</P><P></P><P>Thanks</P></BODY></HTML> Mon, 28 Jul 2014 15:21:24 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46712#M34337 HULK 2014-07-28T15:21:24Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46713#M34338 <HTML><HEAD></HEAD><BODY><P>Hello Hulk</P><P></P><P>Thanks for your answer.</P><P></P><P>We found the issue. Somehow on this box was an override on the Issunig CA Certifcate in Certificate Management/Certifcates set. After we removed the overrided Global Protect worked again.</P><P></P><P>Thanks,<BR />Ralph</P></BODY></HTML> Tue, 29 Jul 2014 06:34:37 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46713#M34338 relsener 2014-07-29T06:34:37Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46714#M34339 <HTML><HEAD></HEAD><BODY><P>Any chance you could explain what you mean by "override"?&nbsp; I'm experiencing a similar issue and nothing's changed so far as I can see but when I check the certificates under Device &gt; Certificate Management &gt; Certificates there is no "override" option as a setting on any of them?&nbsp; I should also mention the hardware is a 2050 with PANOS 5.0.11 - maybe the version &amp; hardware make a difference?&nbsp; Clients receive the Client Certificate Error but the VPN still gets created and resources are still accessible, not sure if this is relevant?</P></BODY></HTML> Fri, 05 Sep 2014 13:54:26 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46714#M34339 cafowler 2014-09-05T13:54:26Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46715#M34340 <HTML><HEAD></HEAD><BODY><P>I believe he is talking about Trusted CA</P><P></P><P><SPAN style="font-weight: bold;"><A name="1977412"></A>Trusted Root CA</SPAN>—The certificate is marked as a trusted CA for forward decryption purposes.</P><P></P><P>I think he had this checked off.&nbsp; when he removed it, his GP worked.</P><P></P><P>This would make sense.</P></BODY></HTML> Fri, 05 Sep 2014 14:29:24 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-client-portal-error-message-client-certificate/m-p/46715#M34340 scantwell 2014-09-05T14:29:24Z