GP Server Certificate Verification Failed

L2 Linker

Re: GP Server Certificate Verification Failed

Have you tested with the latest GP version? Like on GP version 4.0?

L2 Linker

Re: GP Server Certificate Verification Failed

It did not fix my issue with PAN-OS 8.0 and the GP ver. 4.0. Anyone tested it yet? 

L3 Networker

Re: GP Server Certificate Verification Failed

@RamBista1 I just started building out a GP VPN on a 220 with 8.0.1 myself and what I've learned is that I am getting this error with the Windows client, but not the iOS app which appears to work perfectly. Just wondering if you've tried the iOS app and seen the same or if you have the same problems with it.

L4 Transporter

Re: GP Server Certificate Verification Failed

I also seem to be having this issue but, oddly, only for two reported users so far. There may be more that just haven't reported. Both these users are getting an error saying the Server Verification Failed when GP attempts to connect to the gateway.

 

My setup:

  • One portal and multiple gateways used for various purposes. Each of these has its own loopback and IP addresses.
  • Portal and the gateway that most users are allowed to connect to both use the same wildcard cert.
  • Multiple client configs set up based on usernames/usergroups.

The wildcard cert being used for both the portal and the primary gateway is a leftover config from when the portal and gateway were on the same loopback interface.  I've since separated them out but, apparently, forgot to change the certificate over to the new one that was created specifically for the gateway's FQDN.

 

The two users are both on Windows, however, one is on Windows 7 x64 and the other is on Windows Server 2012 R2.

L4 Transporter

Re: GP Server Certificate Verification Failed

Just thought I'd reply back after finding the solution to my issue with Palo Alto's help today.  The client that was attempting the connection was a Windows 7 x64 Home Edition and was utilizing ECN:

 

https://en.wikipedia.org/wiki/Explicit_Congestion_Notification

 

The end result was that GP would try to connect to the Portal a few times, get denied due to the ECN and CWR flags on the SYN packets a few times, then go back to a simple SYN without ECN packet and establish connection to the portal. The gateway connection would attempt next and would fail due to the ECN and CWR flags again; however, unlike with the portal, the GP client would not fail back to the simpler SYN packet and the connection would fail with the complaint about the Gateway Server Certificate.

 

The workaround was to disable ECN on the Windows client by issuing the following command on an elevated command prompt:

 

netsh int tcp set global ecncapability=disabled

After running this command, the client was able to connect.
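Added example, not part of the original posts or of any Palo Alto tooling: Python code that classifies client SYNs as ECN-setup (SYN with ECE and CWR set, per RFC 3168) or plain, then flags destinations where ECN-setup SYNs went unanswered, separating the portal pattern (plain-SYN fallback succeeds) from the gateway pattern (no fallback). The event tuple format, hostnames, ports and verdict strings are assumptions made for this illustration, and the sample data is constructed.

```python
import struct

# TCP flag bits; ECE and CWR are the ECN flags defined in RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp(sport, dport, seq, flags):
    """Build a minimal 20-byte TCP header (used only for the constructed sample)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)

def classify_syn(segment):
    """Classify a raw TCP header as an ECN-setup SYN, a plain SYN, or neither."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    flags = segment[13]
    if not flags & SYN or flags & ACK:
        return "not-initial-syn"
    return "ecn-setup-syn" if flags & ECE and flags & CWR else "plain-syn"

def diagnose(events):
    """events: ordered (destination, raw_tcp_header, got_synack) tuples seen from the client."""
    stats = {}
    for dest, segment, answered in events:
        kind = classify_syn(segment)
        if kind == "not-initial-syn":
            continue
        s = stats.setdefault(dest, {"ecn_lost": 0, "plain": False, "up": False})
        if kind == "ecn-setup-syn" and not answered:
            s["ecn_lost"] += 1
        s["plain"] = s["plain"] or kind == "plain-syn"
        s["up"] = s["up"] or answered
    verdicts = {}
    for dest, s in stats.items():
        if s["ecn_lost"] and not s["up"]:
            verdicts[dest] = "ecn-syn-unanswered-no-fallback"
        elif s["ecn_lost"] and s["plain"]:
            verdicts[dest] = "ecn-syn-unanswered-fallback-ok"
        else:
            verdicts[dest] = "ok"
    return verdicts

# Constructed sample: hostnames, ports and sequence numbers are made up.
ECN_SYN, PLAIN_SYN = SYN | ECE | CWR, SYN
SAMPLE_EVENTS = [
    ("portal.example.test", build_tcp(50001, 443, 1000, ECN_SYN), False),
    ("portal.example.test", build_tcp(50001, 443, 1000, ECN_SYN), False),
    ("portal.example.test", build_tcp(50001, 443, 1000, PLAIN_SYN), True),
    ("gateway.example.test", build_tcp(50002, 443, 2000, ECN_SYN), False),
    ("gateway.example.test", build_tcp(50002, 443, 2000, ECN_SYN), False),
]
```

A destination reported as `ecn-syn-unanswered-no-fallback` points at a device on the path dropping ECN-setup SYNs rather than at the certificate itself.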

 

 
