We have upgraded 5 of our BranchOffice firewalls from 6.02 to 6.03 yesterday. All updates went fine except one:
We are going to get an issue as soon as we want to connect via Global Protect to the Gateway. The window "Client Certificate Error" pops up:
The error log shows:
(T1636) 07/28/14 11:56:52:382 Error(8377): pan_obj_get_value() failed with tag client-cert. Returns false.
(T1636) 07/28/14 11:56:52:382 Error(11081): Failed to export client cert.
(T580) 07/28/14 11:56:52:414 Error(1813): UnsetRoutes: No route installed before
(T1500) 07/28/14 11:56:57:883 Error(13454): Wait timeout for process PanGpHip.exe
(T580) 07/28/14 11:57:25:242 Error(6122): pre-login error message: GlobalProtect gateway does not exist
(T580) 07/28/14 11:57:25:554 Error(6350): unexpected response from server.
(T580) 07/28/14 11:57:25:554 Error(5858): Failed to retrieve info for gateway 77.xxx.xxx.xxx
(T580) 07/28/14 11:57:25:554 Error(9094): NetworkDiscoverThread: failed to discover external network.
The only difference to the others is that we have Dynamic DHCP Client active on the Untrust Interface. However with 6.02 it still worked with this configuration. The Root and GP Certificates are valid and still the same as before we have updated to 6.03.
Does anyone know what the problem could be? Can't find anything in the knowledgebase so far.
Any chance you could explain what you mean by "override"? I'm experiencing a similar issue and nothing's changed so far as I can see but when I check the certificates under Device > Certificate Management > Certificates there is no "override" option as a setting on any of them? I should also mention the hardware is a 2050 with PANOS 5.0.11 - maybe the version & hardware make a difference? Clients receive the Client Certificate Error but the VPN still gets created and resources are still accessible, not sure if this is relevant?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!