https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173669#M54637 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69584">@luke.lloyd-jones</a>,</P> <P>&nbsp;</P> <P>I have not tested versions that far apart but will this even work ?</P> <P>Just asking because the UID agent release notes say it'll only work with supported releases :</P> <P>&nbsp;</P> <P><STRONG><EM>The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.</EM></STRONG></P> <P>&nbsp;</P> <P>That said, PAN-OS 6.0 was end-of-life&nbsp;<SPAN>March 19, 2017.</SPAN></P> <P>&nbsp;</P> <P><SPAN>It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers,</SPAN></P> <P><SPAN>-Kiwi.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Aug 2017 14:53:25 GMT kiwi 2017-08-29T14:53:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173588#M54617 <P>Hi,</P><P>&nbsp;</P><P>I am running a v6.0 Palo virtual firewall and trying to connect to a user-id agent on a Windows 2k8r2 server. I am running version 8.0.4-5 of the UID agent.</P><P>&nbsp;</P><P>I have configured as per all documentation however I am getting the following log messages popping up in the agent software:</P><P>&nbsp;</P><P>Failed to validate client certificate, thread : 1, 1-0!</P><P>&nbsp;</P><P>If I check the logs on the firewall itself I have following log messages popping up every 5 seconds:</P><P>&nbsp;</P><P>pan_ssl_conn_open(pan_ssl_utils.c:464): Error: Failed to Connect to 192.168.5.100(source: 192.168.5.11), SSL error: error:00000000:lib(0):func(0):reason(0)(5)</P><P>&nbsp;</P><P>I am truly at my wits end, cannot seem to find anything useful about this online and not sure how to troubleshoot this.</P><P>&nbsp;</P><P>Does anyone have any suggestions?</P><P>&nbsp;</P><P>Thanks,</P> Tue, 29 Aug 2017 10:57:43 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173588#M54617 luke.lloyd-jones 2017-08-29T10:57:43Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173661#M54632 <P>Do you have an SSL/TSL profile?</P><P>&nbsp;</P><P>There's a cert issue for sure with the SSL connection. So either the agent or the firewall are using out of date certs or some other mismatch.&nbsp;</P> Tue, 29 Aug 2017 14:34:59 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173661#M54632 ChrisRussell 2017-08-29T14:34:59Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173669#M54637 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69584">@luke.lloyd-jones</a>,</P> <P>&nbsp;</P> <P>I have not tested versions that far apart but will this even work ?</P> <P>Just asking because the UID agent release notes say it'll only work with supported releases :</P> <P>&nbsp;</P> <P><STRONG><EM>The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.</EM></STRONG></P> <P>&nbsp;</P> <P>That said, PAN-OS 6.0 was end-of-life&nbsp;<SPAN>March 19, 2017.</SPAN></P> <P>&nbsp;</P> <P><SPAN>It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers,</SPAN></P> <P><SPAN>-Kiwi.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 29 Aug 2017 14:53:25 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/173669#M54637 kiwi 2017-08-29T14:53:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/174860#M54863 <P>Thanks for the tip, I thought those two would be compatible but turns out not. I actually just removed my v8 UID agent and installed the v6 version (had to remove the service first though with a "<SPAN>sc delete "UserIDService</SPAN>" command, super annoying) and all working now.</P> Tue, 05 Sep 2017 08:31:52 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/174860#M54863 luke.lloyd-jones 2017-09-05T08:31:52Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/179593#M55709 <P>I'm using PAN-OS 6.1 and have the same problem. Unfortuntely I have to use the latest version because this is the only version supported on my 2016 DC.</P><P>&nbsp;</P><P>Certificates should be fine on both sides. Is there any other thing I can check?</P><P>Is it possible to disable the certificate check in User-ID Agent 8.0.4?</P> Mon, 02 Oct 2017 13:59:52 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/179593#M55709 Tobi 2017-10-02T13:59:52Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/187706#M57076 <P>This was a bug. Fixed with User-ID Agent 8.0.5!</P> Fri, 17 Nov 2017 15:07:43 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-failed-to-validate-client-certificate/m-p/187706#M57076 Tobi 2017-11-17T15:07:43Z