Error: Certificate CN mismatch while connecting GlobalProtect client


Issue

When connecting to GlobalProtect from a client, the following Server Certificate Error is displayed:

[Screenshot: GP CN mismatch.JPG]

 

Cause

The issue occurs because the CN (FQDN or IP address) used to generate the server certificate (Device > Certificate Management > Certificates) differs from the address configured under Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways Address. The client compares the name it was told to connect to with the name in the certificate it receives, and reports a mismatch when they differ.

[Screenshot: 2016-04-12_cn-example.png]

[Screenshot: 2016-04-12_cn2.png]

 

Resolution

  1. Ensure the CN is the same in the certificate being used (Device > Certificate Management > Certificates) and in the GlobalProtect Portal configuration here: Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways Address.
  2. If the CN is an FQDN, ensure it resolves to the same IP address as used in the above configuration.
  3. If the certificate used for GlobalProtect is not a CA certificate and is signed by a private CA, the error still appears even when the private CA is installed as a trusted CA on the client machine and steps 1 and 2 are satisfied. Use a private CA for GlobalProtect and make sure steps 1 and 2 are fulfilled.
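The following Python script is an added example, not part of the original article and not Palo Alto Networks code. It automates steps 1 and 2 above, together with the SAN and empty-subject checks raised in the comments below: a certificate, in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, is compared with the gateway or portal address a client is configured to use, and the FQDN is resolved to confirm it points at the gateway IP. The sample certificates, host names and IP addresses in it are constructed for illustration; `fetch_peer_cert` and `resolves_to` are the only parts that touch the network.

```python
import ipaddress
import socket
import ssl
from typing import Optional


def _name_matches(cert_name: str, host: str) -> bool:
    """Case-insensitive DNS name comparison; one leading '*.' wildcard label is allowed."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_cert_against_address(cert: dict, configured_address: str) -> dict:
    """Compare a certificate (getpeercert() dict) with the configured gateway/portal address.

    Reports: an empty CN; a CN that does not match the configured address;
    a SAN that lacks the configured address; and a SAN that does not carry the CN
    as an entry of the same type (DNS name vs IP address).
    """
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    cn = subject.get("commonName", "")
    san = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in san if k == "DNS"]
    ip_sans = [v for k, v in san if k == "IP Address"]
    address_is_ip = _is_ip(configured_address)

    problems = []
    if not cn:
        problems.append("certificate subject has no CN")
    elif address_is_ip:
        if cn != configured_address:
            problems.append(f"CN {cn!r} is not the configured IP {configured_address!r}")
    elif not _name_matches(cn, configured_address):
        problems.append(f"CN {cn!r} does not match the configured FQDN {configured_address!r}")

    if san:
        if address_is_ip:
            target = ipaddress.ip_address(configured_address)
            san_ok = any(ipaddress.ip_address(v) == target for v in ip_sans)
        else:
            san_ok = any(_name_matches(v, configured_address) for v in dns_sans)
        if not san_ok:
            problems.append(f"SAN {san!r} has no entry for the configured address")
        # The SAN must mirror the CN with the same name type, per the comments on this article.
        cn_is_ip = _is_ip(cn)
        cn_in_san = (cn in ip_sans) if cn_is_ip else any(_name_matches(v, cn) for v in dns_sans)
        if cn and not cn_in_san:
            kind = "IP Address" if cn_is_ip else "DNS"
            problems.append(f"SAN does not carry the CN {cn!r} as a {kind} entry")

    return {"cn": cn, "dns_sans": dns_sans, "ip_sans": ip_sans,
            "ok": not problems, "problems": problems}


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Fetch a live portal/gateway certificate (network access required).

    check_hostname is off because the name comparison is done above; verify_mode
    stays CERT_REQUIRED so getpeercert() returns the parsed certificate, so pass
    the private CA's PEM file as cafile when the server certificate is privately signed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def resolves_to(fqdn: str, expected_ip: str) -> bool:
    """Step 2: the FQDN in the CN must resolve to the gateway's configured IP address."""
    resolved = {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    return expected_ip in resolved


# Constructed sample certificates in getpeercert() form (not real gateways).
SAMPLE_OK = {"subject": ((("commonName", "gp.example.com"),),),
             "subjectAltName": (("DNS", "gp.example.com"),)}
# The case from the comments: CN is a DNS name but the SAN only lists an IP address.
SAMPLE_IP_SAN = {"subject": ((("commonName", "gp.example.com"),),),
                 "subjectAltName": (("IP Address", "203.0.113.10"),)}
SAMPLE_NO_CN = {"subject": ((("organizationName", "Example Corp"),),),
                "subjectAltName": (("DNS", "gp.example.com"),)}

if __name__ == "__main__":
    for name, cert in (("ok", SAMPLE_OK), ("ip-san", SAMPLE_IP_SAN), ("no-cn", SAMPLE_NO_CN)):
        print(name, check_cert_against_address(cert, "gp.example.com"))
```

Run it without arguments to see the three constructed cases; against a real deployment, replace the samples with `fetch_peer_cert("<portal address>", cafile="<private-ca.pem>")` and check `resolves_to` with the gateway IP from the portal configuration.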

 

Comments

Additionally, when the certificate is created, the Subject Alternative Name (SAN) must be exactly the same as the certificate's CN. If the certificate uses the CN of the DNS name, ensure that the SAN also uses the DNS name and not the IP address. A mismatch will cause the GlobalProtect agent to recognize that the SAN is not the same as the CN and will also produce the certificate error.

Make sure the subject name of the certificate is not empty either!