topic Re: GP Server Certificate Verification Failed in General Topics

GP Server Certificate Verification Failed

MPI-AE — Fri, 03 Feb 2017 14:07:34 GMT

Hey guys,

I wanted to upgrade the Global Protect Version.

Currently, I have version 2.3.4 in use an everything works fine.

Now I have a new mac with 10.12 and therefore I need version 3.1.1 of GP.

So I activated it on the firewall, installed it on the mac 10.12 and now there's is an error:

"Server Certificate Verification Failed"

I'm not able to connect.

I found the "FQDN" thing on the internet. Indeed, I have the ip address in the External Gateway field.

But I had version 2.3.4 and it worked anyway.

So I'm not sure if this is my problem?

Thanks!

PAN OS: 7.0.7

Re: GP Server Certificate Verification Failed

BPry — Fri, 03 Feb 2017 17:42:44 GMT

It's a known issue with the 2.3.x where it didn't really care and didn't complain about it. Just a side not on this as well I'm pretty sure you just broke GP. 3.1.1 requires the portal to be running PANos 7.1 or higher, since your running 7.0.7 this isn't going to work anyways so that may very well be your issue.

I'm not all that sure that you need 3.1.1 to run GP on 10.12; I've got 3.0.3 running on our main GP and it connects to my iMac running the latest macOS perfectly fine.

Re: GP Server Certificate Verification Failed

sullivanpj2 — Fri, 03 Feb 2017 19:05:58 GMT

The certificate CN and the external GP gateway match as IP and IP / FQDN and FQDN?

- Peter

Re: GP Server Certificate Verification Failed

MPI-AE — Sat, 04 Feb 2017 11:01:17 GMT

@BPry

Where can I find the information that GP 3.1.1 requires PAN OS 7.1 or higher?

Okay, so I will try GP 3.0.3

GP 3.0.3 doesn't require PAN OS 7.1?

But the whole thing is strange.

So I activated GP 3.1.1 on my PAN OS 7.0.7 PA-3020.

My other devices (Windows 7, Windows 10, Mac os x 10.11) all work fine.

They did the automatic client upgrade from 2.3.4 to 3.1.1

So I mean they work, although I have PAN OS 7.0.7 ?!

But why does my mac with 10.12 doesn't connect.

I don't know what to do now..

@sullivanpj2

What do you exactly mean?

Re: GP Server Certificate Verification Failed

sullivanpj2 — Sat, 04 Feb 2017 13:14:48 GMT

There's a "newer" verififcation check that PA added into GP (sometime in OS 2) that checks if the common name of the certificate and the globalprotect gateway match as IP or FQDN. For whatever reason, even if your DNS can resolve the FQDN, the PA will not allow them to be different. Here's the article but this is almost always what Server Certificate Verification Failed points too.

https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-When-Trying-to-Use/ta-p/57043

Double check these settings and let us know!

- Peter

Re: GP Server Certificate Verification Failed

BPry — Sat, 04 Feb 2017 13:24:27 GMT

@sullivanpj2 the additional verification setup had already been enabled on 2.3.4 if memory serves correctly; good thing to check and make sure that it was actually setup correctly though.

@MPI-AE You can find the release notes either on device under the 'Device' tab, going to globalprotect client and then on the right where it actually gives you the option to download and activate the software package it actually has a 'release notes' link that will bring you directly to that software version's release notes. Alternatively they are available on the support.paloaltonetwork.com site under the Software Updates section.

I believe that you can use any GP version until you hit 3.1.x with a portal running on PAN OS 7.0.x, but you should really check the release notes before you ever install a new GP agent or install a new software version on PAN devices.

It's a possibility that the upgrades worked because it only upgrades the newer files, or in other words it does an 'incremental' update; GP doesn't actually fully reinstall itself when you update the client. Before you really start troubleshooting your mac client I really recommend getting on a supported agent for your GP portal version.

Re: GP Server Certificate Verification Failed

MPI-AE — Mon, 06 Feb 2017 08:19:32 GMT

Okay you are right. I read the release notes and you need pan os 7.1 for GP 3.1.1

So I have to upgrade my firewall.

Re: GP Server Certificate Verification Failed

MPI-AE — Fri, 17 Feb 2017 08:44:07 GMT

So I upgraded my firewall to 7.1.7.

However, the mac with mac os x 10.12 still doesn't connect and says "Gateway Ext Gateway: Server Certificate Verification Failed.

My other clients all work fine:

- Windows 7

- Windows 10

- Mac os x 10.10

- Mac os x 10.11

So I'm wondering why only the mac with 10.12 is complaining?

PS: I have checked the CN in the certificate. We are using an ip address.

This ip address is also in the external gateway field of the Portal.

So that matches.

Re: GP Server Certificate Verification Failed

MPI-AE — Mon, 20 Feb 2017 14:39:01 GMT

PAN-OS 7.1.8 Addressed Issues

PAN-73291

Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.

Is this my issue?

Re: GP Server Certificate Verification Failed

MPI-AE — Wed, 22 Feb 2017 06:53:50 GMT

Global Protect version 3.1.5 solved my problem.

Re: GP Server Certificate Verification Failed

RamBista1 — Sun, 19 Mar 2017 20:15:00 GMT

Have you tested with the latest GP version? Like on GP version 4.0 ?

Re: GP Server Certificate Verification Failed

RamBista1 — Tue, 21 Mar 2017 02:44:16 GMT

It did not fix my issue with PAN-OS 8.0 and the GP ver. 4.0. Anyone tested it yet?

Re: GP Server Certificate Verification Failed

bradk14 — Wed, 22 Mar 2017 23:04:02 GMT

@RamBista1I just started building out a GP VPN on a 220 with 8.0.1 myself and what I've learned is that I am getting this error with the Windows client, but not the iOS app which appears to work perfectly. Just wondering if you've tried the iOS app and seen the same or if you have the same problems with it.

Re: GP Server Certificate Verification Failed

jsalmans — Tue, 11 Apr 2017 14:43:48 GMT

I also seem to be having this issue but, oddly, only for two reported users so far. There may be more than just haven't reported. Both these users are getting an error saying the Server Verification Failed when GP attempts to connect to the gateway.

My setup:

One portal and multiple gateways used for various purposes. Each of these has it's own loopback and IP addresses.
Portal and the gateway that most users are allowed to connect to both use the same wildcard cert.
Multiple client configs setup based on usernames/usergroups.

The wildcard cert being used for both the portal and the primary gateway is a leftover config from when the portal and gateway were on the same loopback interface. I've since separated them out but, apparently, forgot to change the certificate over to the new one that was created specifically for the gateway's FQDN.

The two users are both on Windows, however, one is on Windows 7 x64 and the other is on Windows Server 2012 R2.

Re: GP Server Certificate Verification Failed

jsalmans — Tue, 18 Apr 2017 19:24:54 GMT

Just thought I'd reply back after finding the solution to my issue with Palo Alto's help today. The client that was attempting the connection was a Windows 7 x64 Home Edition and was utilizing ECN:

https://en.wikipedia.org/wiki/Explicit_Congestion_Notification

The end result was that GP would try to connect to the Portal a few times, get denied due to the ECN and CWR flags on the SYN packets a few times, then go back to a simple SYN without ECN packet and establish connection to the portal. The gateway connection would attempt next and would fail due to the ECN and CWR flags again, however, unlike with the portal the GP client would not fail back to the simpler SYN packet and the connection would fail with the complaint about the Gateway Server Certificate.

The workaround was to disable ECN on the Windows client by issuing the following command on an elevated command prompt:

netsh int tcp set global ecncapability=disabled

After running this command, the client was able to connect.