CERT_DATE ERROR SSL-VPN Global Protect PanOS 4.1

Hello,

I configured the SSL VPN on PAN-OS 4.1 using the "Configure Global Protect tech notes" document and the migration guide from NetConnect to GlobalProtect. Following these manuals, I got this error.

(T5448) 01/19/12 12:21:10:825 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T5448) 01/19/12 12:21:10:887 Error(4909): CPanMSService::GetWinHttpResponse: WinHttpSendRequest failed with error ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T5448) 01/19/12 12:21:10:887 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T5448) 01/19/12 12:21:11:031 Error(8890): WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID
(T5448) 01/19/12 12:21:11:031 Error(4943): PostRequest failed with error code 12175.
(T5448) 01/19/12 12:21:11:031 Debug(9420): Failed to pre-login to the portal 192.168.1.20. Error 12175
(T5448) 01/19/12 12:21:11:031 Debug(9461): close WinHttp close handle.
(T5448) 01/19/12 12:21:11:031 Debug(5940): failed to get portal config from portal 192.168.1.20. Try to restore last portal config from file.

I tested some certificate configurations and found that when I use the web server certificate (the default certificate included in PAN-OS) as the server certificate in the GlobalProtect gateway, the VPN is established. But if I use a CA-signed certificate as described in the manuals, I get the error above. I also tried to use a new non-CA-signed certificate but got the same error.

Regards,

You may need to verify your setting under Network tab > GlobalProtect > Portal > Portal Configuration screen.

"Client Certificate" should be "None" and you would need only the "Server Certificate".

I think the earlier line in log "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED" would mean that you might have set something in "Client Certificate" field.

An article at http://msdn.microsoft.com/en-us/library/windows/desktop/aa383770(v=vs.85).aspx provides more details about this error.


I disabled the client cert on the GlobalProtect Portal and the error is the same. And the time and date of the client and the PA are the same. Also, the certificates have valid dates.

From your screen capture GP3.img, the second line shows the Root CA does not exist, so the first line shows SSL_get_verify_result failed.

As you are using self-signed SSL cert generated by PA device, the root is not present in the client.

You may need to import the "Root" cert into the client PC. Probably opening the PA portal via browser and looking at the root (PA device) cert will allow you to save that root cert to local PC.

Another alternative may be to try a commercial CA's free trial certificate. http://www.globalsign.com is one such CA where you can get a free trial cert.

I installed the Root CA (I am using a self-signed certificate generated by the PA device) in Trusted Root Certification Authorities but it is still not working. Do I have to install the Root CA somewhere else?

Thank you

Then probably a trial cert from a commercial CA might help.

Hi all,

I solved the problem. When using NTP, the time is not the same on all parts of the Palo Alto device: I saw different hours in the traffic log (with the correct time) and in the configuration log (with a future hour). Setting the device time and date manually and then generating the certificates again solved the problem.

Regards!
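The root cause in the accepted solution is a validity window that starts in the future: a certificate generated on a device whose clock runs ahead has a notBefore that the client's (correct) clock has not reached yet, which WinHTTP reports as WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID (error 12175). The following script is an added example, not code from the thread or from Palo Alto Networks. It classifies a peer certificate's validity window against the local clock with a small skew tolerance, so that "not yet valid" (clock ahead on the signer) is reported separately from "expired" and from unrelated trust failures. The portal hostname, the `cafile` path and the constructed certificate dates are assumptions; the dates in the sample mirror the log timestamps above (client at 12:21 UTC, certificate issued at 15:00 UTC the same day).

```python
"""Added example: detect certificate-date problems of the kind described in this
thread (gateway certificate issued by a device whose clock was ahead of real time)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# OpenSSL X509 verify result codes for validity-window failures (from x509_vfy.h).
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10


def _to_utc(cert_time):
    """Convert an ssl.getpeercert() date string ('Jan 19 15:00:00 2012 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def check_validity_window(cert, now=None, skew=timedelta(minutes=5)):
    """Classify a certificate (dict in ssl.getpeercert() shape) against the local clock.

    Returns (status, detail) where status is 'not_yet_valid', 'expired' or 'ok'.
    `skew` is the clock-difference tolerance; anything beyond it is flagged.
    """
    now = now or datetime.now(timezone.utc)
    not_before = _to_utc(cert["notBefore"])
    not_after = _to_utc(cert["notAfter"])
    if now + skew < not_before:
        # The signer's clock was ahead of ours when the cert was issued.
        return "not_yet_valid", (
            f"notBefore {not_before:%Y-%m-%d %H:%M:%S} UTC is "
            f"{not_before - now} ahead of the local clock")
    if now - skew > not_after:
        return "expired", f"notAfter {not_after:%Y-%m-%d %H:%M:%S} UTC has passed"
    return "ok", f"valid until {not_after:%Y-%m-%d %H:%M:%S} UTC"


def classify_verify_code(code):
    """Map an OpenSSL verify result code to the same status vocabulary."""
    if code == X509_V_ERR_CERT_NOT_YET_VALID:
        return "not_yet_valid"
    if code == X509_V_ERR_CERT_HAS_EXPIRED:
        return "expired"
    return "other"  # e.g. unknown issuer: a trust problem, not a date problem


def probe_portal(host, port=443, cafile=None, timeout=5.0):
    """Connect to a portal/gateway and report its certificate status.

    cafile: PEM bundle containing the CA that signed the portal cert (assumed path).
    If OpenSSL rejects the chain, the verify code tells a date problem apart from
    a missing root, which is the distinction the thread needed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_validity_window(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        code = getattr(err, "verify_code", None)
        return classify_verify_code(code), getattr(err, "verify_message", str(err))


# Constructed sample: client clock taken from the log, cert issued by a device
# whose clock was about 2.5 hours ahead.
SAMPLE_NOW = datetime(2012, 1, 19, 12, 21, 11, tzinfo=timezone.utc)
SAMPLE_CERT_AHEAD = {"notBefore": "Jan 19 15:00:00 2012 GMT",
                     "notAfter": "Jan 19 15:00:00 2013 GMT"}
SAMPLE_CERT_OK = {"notBefore": "Jan 19 10:00:00 2012 GMT",
                  "notAfter": "Jan 19 10:00:00 2013 GMT"}

if __name__ == "__main__":
    print(check_validity_window(SAMPLE_CERT_AHEAD, SAMPLE_NOW))
    print(check_validity_window(SAMPLE_CERT_OK, SAMPLE_NOW))
    # Live check against a portal (assumed hostname and CA bundle path):
    # print(probe_portal("portal.example.com", cafile="/path/to/portal-ca.pem"))
```

Run it against the constructed samples first; then point `probe_portal` at the real portal with the CA bundle that signed its certificate. A `not_yet_valid` result points at the issuing device's clock (the fix in this thread), `expired` at renewal, and `other` at a trust-chain problem such as the missing root discussed earlier in the thread.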

Sounds odd/funny.

Could it be that your device time was so much different from real time so the onboard ntp daemon refused to sync?

Can you verify that the NTP works after you set the time close to real time manually?

The Microsoft link by Shashank helped thanks. Turns out WinXP SP2's HTTP engine does not support a required SSL function for client <> server cert exchange. Updating to WinXP SP3 sorted the issue.

  • 1 accepted solution
  • 9506 Views
  • 8 replies
  • 0 Likes