We are unable to get multiple gateways working correctly with Global Protect. When we have one portal and one gateway, clients are able to successfully connect and establish a VPN tunnel. With two gateways we get the following error from both the originally set-up gateway and the gateway we are attempting to add: "Gateway x.x.x.x: Server Certificate Verification Failed" in the Global Protect Client -> Status -> Warnings/Errors dialogue.
Portal Hardware: PA-2050
Portal OS: 5.0.3
Gateway 1: Same as Portal above
Gateway 2 Hardware: PA-200
Gateway 2 OS: 5.0.3
Global Protect Portal License: YES
Global Protect Gateway 1 License: YES
Global Protect Gateway 2 License: YES
Certificate Authority Information:
Microsoft Server CA 2012
Portal - CSR issued to MS CA
Gateway 1 - CSR issued to MS CA
Gateway 2 - CSR issued to MS CA
Clients - Machine Certificate pre-installed via GPO from MS CA
Network -> Global Protect -> Portals -> <profile name> -> Client Config -> <config name> -> Gateways -> External Gateways -> "Address" == <FQDN> && != <IP Address>
Translation: Make sure that you use the Fully Qualified Domain Name (FQDN) in Gateway Certificate and NOT the IP address for the gateway in the "Address" field of External Gateways.
This is not totally obvious to me as "Address" usually means "IP Address" and "URL" or "FQDN" or "Domain" usually means the domain name of something.
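To make the point of this answer concrete: a VPN client verifies the gateway's server certificate against whatever string it was told to connect to, so if the portal hands out an IP address and the certificate only carries a DNS name (in the Subject Alternative Name or, for old certificates, the Common Name), verification fails even though the certificate is perfectly valid. The following is an added, illustrative check written for this thread, not code from Palo Alto Networks or the GlobalProtect client; the gateway names, hostnames and addresses are constructed sample values, and the matching rules follow the usual RFC 6125 conventions (IP literals must match an IP SAN, DNS names match DNS SANs with a single-label wildcard, CN only when no SAN is present). It audits a list of configured External Gateway "Address" values against the identities in each gateway's certificate and shows the IP-address configuration failing where the FQDN configuration passes.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GatewayCert:
    """Identity fields pulled from a gateway's server certificate.

    The values used below are constructed for this example; they are not
    taken from any real certificate.
    """
    common_name: str
    dns_sans: list = field(default_factory=list)   # dNSName SAN entries
    ip_sans: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' may only be the left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # the wildcard matches exactly one label, never 'a.b.example.com'
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def _as_ip(address: str):
    """Return an ip_address object if 'address' is an IP literal, else None."""
    try:
        return ipaddress.ip_address(address)
    except ValueError:
        return None


def cert_matches_address(cert: GatewayCert, address: str) -> bool:
    """Would a standards-following client accept 'cert' for 'address'?"""
    ip = _as_ip(address)
    if ip is not None:
        # An IP literal is only accepted against an iPAddress SAN; a DNS name
        # in the certificate never matches it, which is the failure in this thread.
        return any(ip == ipaddress.ip_address(s) for s in cert.ip_sans)
    if cert.dns_sans or cert.ip_sans:
        # When a SAN extension exists, the Common Name is ignored.
        return any(_dns_match(s, address) for s in cert.dns_sans)
    return _dns_match(cert.common_name, address)


def audit_external_gateways(gateways: dict, certs: dict) -> dict:
    """Map each configured gateway name to True (verifies) or False (will fail)."""
    return {name: cert_matches_address(certs[name], addr)
            for name, addr in gateways.items()}


# Constructed sample: two gateways whose CSRs were issued to the CA with an FQDN,
# as in the original question (sample names and addresses, not real systems).
SAMPLE_CERTS = {
    "gateway1": GatewayCert("gw1.example.com", dns_sans=["gw1.example.com"]),
    "gateway2": GatewayCert("gw2.example.com", dns_sans=["gw2.example.com"]),
}

# The 'Address' field filled with IP addresses, as the question's setup had it.
CONFIG_BY_IP = {"gateway1": "203.0.113.10", "gateway2": "203.0.113.20"}

# The 'Address' field filled with the FQDN from each certificate, as the answer says.
CONFIG_BY_FQDN = {"gateway1": "gw1.example.com", "gateway2": "gw2.example.com"}


if __name__ == "__main__":
    for label, cfg in (("IP address", CONFIG_BY_IP), ("FQDN", CONFIG_BY_FQDN)):
        print(f"External Gateways configured by {label}:")
        for name, ok in audit_external_gateways(cfg, SAMPLE_CERTS).items():
            status = "OK" if ok else "Server Certificate Verification Failed"
            print(f"  {name} ({cfg[name]}): {status}")
```

Run against the sample data, every gateway in `CONFIG_BY_IP` is reported as failing and every gateway in `CONFIG_BY_FQDN` passes, which is exactly the before/after behaviour described above. If you do want clients to reach a gateway by IP address, the certificate would need that address as an iPAddress SAN; the simpler and more common fix is the one in the answer, matching the "Address" field to the FQDN the certificate was issued for.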
THANK YOU SO MUCH !
It was not obvious to me AT ALL.
If you buy a certificate and you don't want any errors and have the Portal and Gateway fully certified by the external CA it simply won't work!
I just spent exactly 2h and 28 minutes figuring out why the heck I continue to receive "Server certificate verification failed" error.
I even posted some screenshots here for help.
Then, I got to your post, changed the "ADDRESS" field which obviously is NOT address but FQDN and I'm in.
No Error, all connected just fine.
You should get like 5 stars for this hint.
Thanks a lot Manilla.