05-20-2021 09:52 AM - edited 05-21-2021 12:39 AM
Hello to All,
We have intermittent issues with the HIP report not being sent every hour, but I also see that there are some intermittent errors about the gateway certificate not being verified, and I also see that there are messages in the PanGPS log "Check server certificate revocation returns", as the portal and gateway certificates are publicly signed by the DigiCert CA. What I think is that we have other security systems and maybe something is blocking the CRL from time to time, and because of this the SSL cert of the gateway is not trusted and the HIP report fails; if 3 HIP reports fail to be sent by the GlobalProtect app (as the timeout is 3 hours and every hour a HIP report is sent), because of this we sometimes hit the Inactivity Logout (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS).
Does this mean that the GlobalProtect agent uses the CRL before trying to send the HIP report to the gateway if the gateway certificate is from a public CA and the certificate has a CRL distribution point SSL extension?
Also, some of the gateways share a certificate with the same CA, but if this was the issue then maybe the issue would not be intermittent, so for now I focus on the CRL as the certificate has a SAN with each gateway FQDN, but we may also check if it is a bug with the GlobalProtect app not liking the SSL SAN names from time to time.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK
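The failure arithmetic in the question (one HIP report per hour, a 3-hour inactivity timeout, so three consecutive failed reports mean a logout) is easy to check against the agent log rather than by waiting for users to be disconnected. The script below is an added example, not code from this thread or from Palo Alto Networks. It assumes a "timestamp gw=<fqdn> message" log layout with constructed lines (real PanGPS output is formatted differently; only the quoted phrase "Check server certificate revocation returns" comes from the post), assumes the message texts "HIP report sent" / "HIP report failed", and assumes that a non-zero value after "returns" means the revocation check did not succeed. It groups events per gateway, counts failed reports since the last successful one, and flags a gateway as at risk when three failures fall inside one 3-hour window, while separately counting non-zero revocation results so the two symptoms can be correlated.

```python
"""Flag gateways where hourly HIP reports fail often enough to reach the
Inactivity Logout described in the thread (3-hour timeout, one report per hour).

Added example, not code from the thread or from Palo Alto Networks.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<timestamp> gw=<fqdn> <message>" layout.
# This is NOT real PanGPS output; only the quoted revocation phrase comes from the thread.
SAMPLE_LOG = """\
2021-05-20 08:00:01 gw=gw1.example.com HIP report sent
2021-05-20 08:00:02 gw=gw1.example.com Check server certificate revocation returns 0
2021-05-20 09:00:01 gw=gw1.example.com Check server certificate revocation returns 1
2021-05-20 09:00:02 gw=gw1.example.com HIP report failed: gateway certificate not verified
2021-05-20 10:00:01 gw=gw1.example.com Check server certificate revocation returns 1
2021-05-20 10:00:02 gw=gw1.example.com HIP report failed: gateway certificate not verified
2021-05-20 11:00:01 gw=gw1.example.com Check server certificate revocation returns 1
2021-05-20 11:00:02 gw=gw1.example.com HIP report failed: gateway certificate not verified
2021-05-20 09:00:05 gw=gw2.example.com HIP report failed: gateway certificate not verified
2021-05-20 10:00:05 gw=gw2.example.com HIP report sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) gw=(?P<gw>\S+) (?P<msg>.+)$"
)
REVOCATION_RE = re.compile(r"Check server certificate revocation returns (?P<code>-?\d+)")

HIP_INTERVAL = timedelta(hours=1)        # one HIP report per hour, as stated in the thread
INACTIVITY_TIMEOUT = timedelta(hours=3)  # the gateway's inactivity logout window
FAILURE_THRESHOLD = INACTIVITY_TIMEOUT // HIP_INTERVAL  # 3 missed reports


def parse_log(text):
    """Turn log text into events sorted by gateway and time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "gw": m["gw"],
            "msg": m["msg"],
        })
    events.sort(key=lambda e: (e["gw"], e["ts"]))
    return events


def analyze(text, threshold=FAILURE_THRESHOLD, window=INACTIVITY_TIMEOUT):
    """Per gateway: longest run of failed HIP reports since the last success,
    whether `threshold` failures fell inside one `window` (logout risk), and how
    many revocation checks returned non-zero (assumed here to mean 'not verified')."""
    fails = defaultdict(list)  # gateway -> timestamps of failures since the last success
    report = defaultdict(lambda: {"max_streak": 0, "at_risk": False, "revocation_nonzero": 0})

    for e in parse_log(text):
        gw, msg, ts = e["gw"], e["msg"], e["ts"]
        r = report[gw]
        rm = REVOCATION_RE.search(msg)
        if rm:
            if int(rm["code"]) != 0:
                r["revocation_nonzero"] += 1
            continue
        if msg.startswith("HIP report sent"):
            fails[gw].clear()  # a successful report resets the inactivity timer
            continue
        if msg.startswith("HIP report failed"):
            fails[gw].append(ts)
            r["max_streak"] = max(r["max_streak"], len(fails[gw]))
            # `threshold` consecutive failures inside one window: the gateway has seen
            # no HIP report for the whole timeout and will log the user out
            if len(fails[gw]) >= threshold and ts - fails[gw][-threshold] <= window:
                r["at_risk"] = True
    return dict(report)


if __name__ == "__main__":
    for gw, r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{gw}: max_streak={r['max_streak']} at_risk={r['at_risk']} "
              f"revocation_nonzero={r['revocation_nonzero']}")
```

Run against the constructed sample, gw1.example.com is reported at risk (three failed reports between 09:00 and 11:00, each preceded by a non-zero revocation result) while gw2.example.com is not, because its single failure was followed by a successful report. Pointing the same logic at a real export of the agent log only requires adjusting `LINE_RE` and the two message prefixes to the actual format.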
06-09-2021 05:51 AM - edited 06-09-2021 05:55 AM
After doing a tcpdump and not seeing any CRL requests to the distribution points, I don't think this is the issue, and after upgrading the portals, gateways and the app the issue seems to have gone away.
Now with 9.1 we can monitor the latency to see if this is causing the timeout.
Or with the GlobalProtect agent app 5.2 we can set the MTU from the portal ("Configurable Maximum Transmission Unit for GlobalProtect Connections").
Also, because of a certificate change we seemed to have issues on some gateways, but maybe because we were on an older version the GlobalProtect app did not drop the VPN to those gateways (I have read of such a bug with older versions) with a missing root CA; the option "Install in Local Root Certificate Store" helped, as it was suggested by a colleague of mine.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG