01-19-2012 04:20 AM
Hello,
I configured the VPN-SSL on PAN-OS 4.1 using the "Configure Global Protect tech notes" document and the migration guide from NetConnect to GlobalProtect. Following these manuals, I got this error:
(T5448) 01/19/12 12:21:10:825 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T5448) 01/19/12 12:21:10:887 Error(4909): CPanMSService::GetWinHttpResponse: WinHttpSendRequest failed with error ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T5448) 01/19/12 12:21:10:887 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T5448) 01/19/12 12:21:11:031 Error(8890): WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID
(T5448) 01/19/12 12:21:11:031 Error(4943): PostRequest failed with error code 12175.
(T5448) 01/19/12 12:21:11:031 Debug(9420): Failed to pre-login to the portal 192.168.1.20. Error 12175
(T5448) 01/19/12 12:21:11:031 Debug(9461): close WinHttp close handle.
(T5448) 01/19/12 12:21:11:031 Debug(5940): failed to get portal config from portal 192.168.1.20. Try to restore last portal config from file.
I tested some certificate configurations and found that when using the web server certificate (the default certificate included on PAN-OS) as the server certificate in the GlobalProtect gateway, the VPN is established. But if I use a CA-signed certificate, as described in the manuals, I get the error message above. I also tried to use a new non-CA-signed certificate, but I got the same error.
Regards,
01-24-2012 07:46 AM
Hi all,
I solved the problem. When using NTP, the time is not the same on all parts of the Palo Alto device: I saw different hours in the traffic log (with the correct time) and in the configuration log (with a future hour). Setting the device time and date manually and then generating the certificates again solved the problem.
Regards!
01-19-2012 05:03 AM
You may need to verify your setting under Network Tab- GlobalProtect- Portal - Portal Configuration screen.
"Client Certificate" should be "None" and you would need only the "Server Certificate".
I think the earlier line in log "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED" would mean that you might have set something in "Client Certificate" field.
An article at http://msdn.microsoft.com/en-us/library/windows/desktop/aa383770(v=vs.85).aspx provides more details about this error.
01-19-2012 05:35 AM
From your screen capture GP3.img, the second line shows that the Root CA does not exist, so the first line shows SSL_get_verify_result failed.
As you are using a self-signed SSL cert generated by the PA device, the root is not present on the client.
You may need to import the "Root" cert into the client PC. Probably opening the PA portal via browser and looking at the root (PA device) cert will allow you to save that root cert to the local PC.
Another alternative may be to try a commercial CA's free trial certificate. http://www.globalsign.com is one such CA where you can get a free trial cert.
01-19-2012 05:51 AM
I installed the Root CA (I am using a self-signed certificate from the PA device) in Trusted Root Certification Authorities, but it is still not working. Do I have to install the Root CA in some other place?
Thank you
01-19-2012 05:58 AM
Then probably a trial cert from a commercial CA might help.
01-24-2012 01:02 PM
Sounds odd/funny.
Could it be that your device time was so much different from real time so the onboard ntp daemon refused to sync?
Can you verify that the NTP works after you set the time close to real time manually?
09-16-2012 07:15 AM
The Microsoft link by Shashank helped, thanks. Turns out WinXP SP2's HTTP engine does not support a required SSL function for the client <> server cert exchange. Updating to WinXP SP3 sorted the issue.
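The thread's root cause is a certificate whose notBefore was stamped from a firewall clock running ahead of the client, which the PanGP client reports as WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID. The script below is an added example written for this page, not code from the thread or from Palo Alto Networks: it parses the PanGP log lines quoted in the first post (embedded as constructed sample input), flags the WinHTTP symbols that appear there, and checks an X.509 validity window against a given client time with a small tolerance. The log format regex, the `DIAGNOSIS` table and the certificate times are assumptions constructed for the example; the symbol names and error code 12175 are the ones in the quoted log.

```python
"""Added example: triage PanGP log lines and check a certificate's validity
window against the client clock (the failure mode discussed in the thread)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the PanGP client log lines quoted in the thread.
SAMPLE_LOG = """\
(T5448) 01/19/12 12:21:10:825 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T5448) 01/19/12 12:21:10:887 Error(4909): CPanMSService::GetWinHttpResponse: WinHttpSendRequest failed with error ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T5448) 01/19/12 12:21:11:031 Error(8890): WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID
(T5448) 01/19/12 12:21:11:031 Error(4943): PostRequest failed with error code 12175.
(T5448) 01/19/12 12:21:11:031 Debug(9420): Failed to pre-login to the portal 192.168.1.20. Error 12175
"""

# Assumed layout of a PanGP log line: (Tthread) MM/DD/YY hh:mm:ss:ms Level(code): message
LINE_RE = re.compile(
    r"^\((?P<thread>T\d+)\) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d:\d\d\d) "
    r"(?P<level>\w+)\(\s*(?P<code>\d+)\): (?P<msg>.*)$"
)

# WinHTTP symbols seen in the thread, mapped to the check a defender makes next.
DIAGNOSIS = {
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID":
        "portal certificate is outside its validity window relative to the client "
        "clock: compare notBefore/notAfter with both the firewall and client time",
    "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED":
        "server asked for a client certificate: check the portal's Client Certificate setting",
}

# Numeric WinHTTP error from the log; 12175 is ERROR_WINHTTP_SECURE_FAILURE in the WinHTTP error table.
WINHTTP_CODES = {12175: "ERROR_WINHTTP_SECURE_FAILURE"}


def parse_log(text):
    """Return one dict per line that matches the assumed PanGP layout."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(text):
    """List (symbol, advice) pairs for every Error line carrying a known symbol."""
    findings = []
    for ev in parse_log(text):
        if ev["level"] != "Error":
            continue
        for symbol, advice in DIAGNOSIS.items():
            if symbol in ev["msg"]:
                findings.append((symbol, advice))
    return findings


def winhttp_errors(text):
    """Resolve the numeric WinHTTP codes mentioned in the log to their symbolic names."""
    codes = {int(c) for c in re.findall(r"[Ee]rror(?: code)? (\d{5})", text)}
    return {c: WINHTTP_CODES.get(c, "unknown") for c in codes}


def parse_x509_time(s):
    """Parse an X.509 UTCTime (YYMMDDhhmmssZ, RFC 5280 pivot at 1950) or GeneralizedTime (YYYYMMDDhhmmssZ)."""
    if not s.endswith("Z"):
        raise ValueError("only Zulu-time encodings are supported")
    digits = s[:-1]
    if len(digits) == 12:
        yy = int(digits[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), digits[2:]
    elif len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError(f"unrecognised X.509 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_status(not_before, not_after, now, tolerance=timedelta(minutes=5)):
    """Classify a certificate window against the client clock, allowing a little skew."""
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    if now + tolerance < nb:
        return "not_yet_valid"
    if now - tolerance > na:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for symbol, advice in diagnose(SAMPLE_LOG):
        print(f"{symbol}: {advice}")
    print(winhttp_errors(SAMPLE_LOG))
    # Constructed scenario from the thread: the firewall clock ran hours ahead when the
    # certificate was generated, so its notBefore lies in the client's future.
    client_now = datetime(2012, 1, 19, 12, 21, 11, tzinfo=timezone.utc)
    print(validity_status("120119150000Z", "130119150000Z", client_now))
```

The `tolerance` argument is the practical point: a few minutes of skew between client and firewall is normal and should not fail the check, but a certificate issued from a clock hours ahead will report `not_yet_valid` until the device time and NTP sync are fixed and the certificate is regenerated, exactly as the accepted answer describes.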