Error: Certificate CN mismatch while connecting GlobalProtect client

Created On 09/25/18 20:39 PM - Last Modified 08/04/21 21:07 PM


Symptom


When connecting to GlobalProtect from a client, the following Server Certificate Error displays:

[Screenshot: GP CN mismatch]



Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • GlobalProtect Configured.


Cause


The issue occurs because the CN (FQDN or IP address) in the certificate generated under GUI: Device > Certificate Management > Certificates and used as the server certificate differs from the CN (Common Name) configured in the Portal under GUI: Network > GlobalProtect > Portals > (Portal profile) > Agent > (Agent Profile) > Internal or External > Internal or External Gateways Address.

[Screenshot: Portal Configuration]



Resolution


  1. Ensure the CN in the certificate being used (GUI: Device > Certificate Management > Certificates) matches the CN configured in the GlobalProtect Portal (GUI: Network > GlobalProtect > Portals > (Portal profile) > Agent > (Agent Profile) > Internal or External > Internal or External Gateways Address).
  2. If the CN is an FQDN, ensure it resolves to the same IP address as used in the above configuration.
  3. The above solution also applies if the certificate used for GlobalProtect is signed by a private CA.
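
The two checks in steps 1 and 2 can be scripted before a certificate is committed. The following is an added example, not Palo Alto Networks code: it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and compares its CN with the configured gateway address, then checks DNS resolution when the CN is an FQDN. The function names, `gp.example.com` and `203.0.113.10` are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "gp.example.com"),))}

def cert_common_name(peercert):
    """Return the subject CN from a getpeercert()-style dict, or None."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def _norm(value):
    """IPs compare by value; FQDNs compare case-insensitively, no trailing dot."""
    value = value.strip()
    if _is_ip(value):
        return str(ipaddress.ip_address(value))
    return value.rstrip(".").lower()

def resolve(fqdn):
    """Default resolver: every address the local DNS returns for fqdn."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}

def check_gateway(peercert, gateway_address, gateway_ip=None, resolver=resolve):
    """Return a list of problems; an empty list means both checks pass."""
    cn = cert_common_name(peercert)
    if cn is None:
        return ["certificate subject has no CN"]
    problems = []
    if _norm(cn) != _norm(gateway_address):      # resolution step 1
        problems.append(f"CN {cn!r} != configured gateway address {gateway_address!r}")
    if gateway_ip and not _is_ip(cn):            # resolution step 2 (FQDN CNs only)
        try:
            resolved = {_norm(a) for a in resolver(cn)}
        except OSError as exc:
            problems.append(f"CN {cn!r} does not resolve: {exc}")
        else:
            if _norm(gateway_ip) not in resolved:
                problems.append(f"CN {cn!r} resolves to {sorted(resolved)}, not {gateway_ip}")
    return problems

if __name__ == "__main__":
    # Constructed case: portal lists the gateway by IP while the certificate CN is an FQDN.
    print(check_gateway(SAMPLE_CERT, "203.0.113.10"))
```

Pass `resolver=` to test against a fixed answer instead of live DNS; the default uses the resolver of the machine running the script, which may differ from what the GlobalProtect client sees.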

