iPads and iPhones Not Able to Connect Using GlobalProtect


Symptoms

Apple iOS-based devices (iPad / iPhone) are unable to connect using GlobalProtect. The same certificate works when connecting from a Macintosh or a Windows PC.

Issue

The CN (Common Name) on the certificate must contain either the Portal IP address or the FQDN that resolves to the GlobalProtect Portal IP address. If the server certificate is installed but the CN is misconfigured, a user can type in the address from a PC browser and be prompted with a certificate error message which can be ignored, so that the PC (both Mac and Windows) connects successfully.

No such prompt is offered on iOS-based devices, so the connection fails and the user sees the error message "VPN server not responding".

Resolution

The server certificate CN must match the FQDN or the IP address entered for the GlobalProtect Portal address in the GlobalProtect client. Wildcard SSL certificates are not supported with iOS because of the operating system constraint just discussed.

For example, if the CN is GP.DOMAIN.COM then GP.DOMAIN.COM must be entered as the portal address to connect to. The IP address the FQDN resolves to cannot be entered.

owner: sjamaluddin

Comments

Does this apply when using a Pre-Shared Key for the first authentication phase? We use PSK but Android and iOS devices are unable to connect - our portal/gateway cert is a wildcard though.

If I read Apple's docs correctly, this may have been fixed in iOS 8. 

See: https://help.apple.com/deployment/ios/#/ior8434c18b3


Certificates

When you set up and install certificates:

  • The server identity certificate must contain the server’s DNS name or IP address in the SubjectAltName field. The device uses this information to verify that the certificate belongs to the server. For more flexibility, you can specify the SubjectAltName using wildcard characters for per-segment matching, such as vpn.*.mycompany.com. If no SubjectAltName is specified, you can put the DNS name in the common name field.

  • The certificate of the CA that signed the server’s certificate needs to be installed on the device. If it isn’t a root certificate, install the rest of the trust chain so that the certificate is trusted. If you use client certificates, make sure the trusted CA certificate that signed the client’s certificate is installed on the VPN server. When using certificate-based authentication, make sure the server is set up to identify the user’s group, based on fields in the client certificate.


    Important: The certificates and certificate authorities must be valid (for example, not expired). Sending of certificate chain by the server isn’t supported.
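As an added example (not from the article, nor Palo Alto Networks or Apple code), the following Python applies the matching rules described above to the address a user types into the GlobalProtect client: SubjectAltName entries are checked first, with per-segment wildcards as in the Apple document quoted in the comment, and the CN is used only as an exact-match fallback when the certificate carries no SAN, as in the Resolution section. The certificate name fields and addresses are constructed inputs; a real client reads them from the certificate the portal presents.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerIdentity:
    """Name fields taken from the portal/gateway certificate (constructed input)."""
    common_name: str
    san_dns: list = field(default_factory=list)  # SubjectAltName dNSName entries
    san_ip: list = field(default_factory=list)   # SubjectAltName iPAddress entries


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Per-segment match: '*' stands for exactly one DNS label, so
    vpn.*.mycompany.com matches vpn.eu.mycompany.com but not vpn.mycompany.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def portal_address_matches(ident: ServerIdentity, portal: str) -> tuple:
    """Decide whether the portal address typed into the client validates
    against the certificate without any bypassable prompt. Returns (ok, reason)."""
    has_san = bool(ident.san_dns or ident.san_ip)
    if _is_ip(portal):
        wanted = ipaddress.ip_address(portal)
        if any(ipaddress.ip_address(ip) == wanted for ip in ident.san_ip):
            return True, "portal IP is listed in SubjectAltName"
        if not has_san and ident.common_name == portal:
            return True, "no SAN; CN holds the portal IP"
        return False, "certificate does not name this IP; enter the FQDN it carries"
    if has_san:
        # Once a SAN is present the CN is not consulted at all.
        if any(_dns_match(d, portal) for d in ident.san_dns):
            return True, "portal FQDN matches a SubjectAltName entry"
        return False, "SAN present but no entry matches; CN is ignored"
    # No SAN: fall back to the CN, exact match only. A wildcard CN never
    # matches here, which is the iOS behaviour the article describes.
    if ident.common_name.lower() == portal.lower():
        return True, "no SAN; CN matches the portal FQDN"
    return False, "CN %r does not equal portal address %r" % (ident.common_name, portal)
```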

Anyone getting this error also needs to ensure that the Gateway configuration under Portal--Client Config--Gateways matches the CN of the gateway certificate.

Please check the below KB for reference

https://live.paloaltonetworks.com/t5/Management-Articles/Error-Certificate-CN-mismatch-while-connect...