Global Protect Client, portal error message: Client Certificate Error
cancel
Showing results for 
Search instead for 
Did you mean: 

Global Protect Client, portal error message: Client Certificate Error

L0 Member

 

We have upgraded 5 of our BranchOffice firewalls from 6.02 to 6.03 yesterday. All updates went fine except one: 

We are going to get an issue as soon as we want to connect via Global Protect to the Gateway. The window "Client Certificate Error" pops up:

portal error message_Client Certificate Error.png

The error log shows:

(T1636) 07/28/14 11:56:52:382 Error(8377): pan_obj_get_value() failed with tag client-cert. Returns false.

(T1636) 07/28/14 11:56:52:382 Error(11081): Failed to export client cert.

(T580) 07/28/14 11:56:52:414 Error(1813): UnsetRoutes: No route installed before

(T1500) 07/28/14 11:56:57:883 Error(13454): Wait timeout for process PanGpHip.exe

(T580) 07/28/14 11:57:25:242 Error(6122): pre-login error message: GlobalProtect gateway does not exist

(T580) 07/28/14 11:57:25:554 Error(6350): unexpected response from server.

(T580) 07/28/14 11:57:25:554 Error(5858): Failed to retrieve info for gateway 77.xxx.xxx.xxx

(T580) 07/28/14 11:57:25:554 Error(9094): NetworkDiscoverThread: failed to discover external network.


The only difference to the others is that we have Dynamic DHCP Client active on the Untrust Interface. However with 6.02 it still worked with this configuration. The Root and GP Certificates are valid and still the same as before we have updated to 6.03.

Does anyone know what the problem could be? Can't find anything in the knowledgebase so far.

Thanks,

Ralph

 

4 REPLIES 4

L7 Applicator

Hello Ralph,

What version of GP-agent running on the client machine.?

Is this behavior observed in all machines including MAC and windows..?

Is there any special-character exists on your GP certificate..?

Thanks

Hello Hulk

Thanks for your answer.

We found the issue. Somehow on this box was an override on the Issunig CA Certifcate in Certificate Management/Certifcates set. After we removed the overrided Global Protect worked again.

Thanks,
Ralph

Any chance you could explain what you mean by "override"?  I'm experiencing a similar issue and nothing's changed so far as I can see but when I check the certificates under Device > Certificate Management > Certificates there is no "override" option as a setting on any of them?  I should also mention the hardware is a 2050 with PANOS 5.0.11 - maybe the version & hardware make a difference?  Clients receive the Client Certificate Error but the VPN still gets created and resources are still accessible, not sure if this is relevant?

I believe he is talking about Trusted CA

Trusted Root CA—The certificate is marked as a trusted CA for forward decryption purposes.

I think he had this checked off.  when he removed it, his GP worked.

This would make sense.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!