07-28-2014 04:03 AM
We have upgraded 5 of our BranchOffice firewalls from 6.02 to 6.03 yesterday. All updates went fine except one:
We get an issue as soon as we try to connect via Global Protect to the Gateway. The window "Client Certificate Error" pops up:
The error log shows:
(T1636) 07/28/14 11:56:52:382 Error(8377): pan_obj_get_value() failed with tag client-cert. Returns false.
(T1636) 07/28/14 11:56:52:382 Error(11081): Failed to export client cert.
(T580) 07/28/14 11:56:52:414 Error(1813): UnsetRoutes: No route installed before
(T1500) 07/28/14 11:56:57:883 Error(13454): Wait timeout for process PanGpHip.exe
(T580) 07/28/14 11:57:25:242 Error(6122): pre-login error message: GlobalProtect gateway does not exist
(T580) 07/28/14 11:57:25:554 Error(6350): unexpected response from server.
(T580) 07/28/14 11:57:25:554 Error(5858): Failed to retrieve info for gateway 77.xxx.xxx.xxx
(T580) 07/28/14 11:57:25:554 Error(9094): NetworkDiscoverThread: failed to discover external network.
The only difference from the others is that we have Dynamic DHCP Client active on the Untrust Interface. However, with 6.02 it still worked with this configuration. The Root and GP Certificates are valid and still the same as before we updated to 6.03.
Does anyone know what the problem could be? Can't find anything in the knowledgebase so far.
07-28-2014 08:21 AM
What version of the GP agent is running on the client machine?
Is this behavior observed on all machines, including Mac and Windows?
Are there any special characters in your GP certificate?
07-28-2014 11:34 PM
Thanks for your answer.
We found the issue. Somehow on this box an override was set on the Issuing CA Certificate in Certificate Management/Certificates. After we removed the override, Global Protect worked again.
09-05-2014 06:54 AM
Any chance you could explain what you mean by "override"? I'm experiencing a similar issue and nothing's changed so far as I can see but when I check the certificates under Device > Certificate Management > Certificates there is no "override" option as a setting on any of them? I should also mention the hardware is a 2050 with PANOS 5.0.11 - maybe the version & hardware make a difference? Clients receive the Client Certificate Error but the VPN still gets created and resources are still accessible, not sure if this is relevant?
09-05-2014 07:29 AM