09-29-2019 03:14 PM
I have a PA-220 and it's using DHCP for the untrust interface. I have followed about 40 documents and knowledge bases and still have no success with connecting my iPhone to the Palo via GlobalProtect. I am using a self-generated cert. I have collected the logs from the GP client, but I do not know what I am looking for to see what the issue is.
09-29-2019 09:28 PM
This is the first time I am seeing GP with an iPhone.
Is this a prod or test env?
What error message do you get on the GP?
What is the address of the Portal?
09-29-2019 11:20 PM
Hello @Stevenjwilliams83, can you confirm that you have a valid GlobalProtect gateway license?
09-30-2019 04:35 AM
I have GlobalProtect gateway and portal licensing. I am testing at my home on my 220, but this is going to be a request at my place of employment for sure when we roll it out.
The logs are showing some errors but not sure what to look for.
P7694-T11531 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: (null)
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{
Certificate = "<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
{
Certificate = "<cert(0x10500a400) s: IntermediateCert i: RootCert>";
Property = "<null>";
},
{
Certificate = "<cert(0x10500aa00) s: RootCert i: RootCert>";
Property = "<null>";
}
)}
connectTimeout: 5
receiveTimeout: 30
responseData(0): (null)
P7694-T12803 Sep 29 17:08:36:655791 Error( 391): Connection error Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
response:(null)
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x104711e40> -[GPURLConnection session] <NSOperationQueue: 0x1047119a0>{name = 'NSOperationQueue 0x1047119a0'}
identity: (null)
scepIdentity: (null)
connectionGroup: <OS_dispatch_group: 0x10440b120>
distinguishedNames: (null)
request: <NSMutableURLRequest: 0x104423e50> { URL: https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp }
response: (null)
responseError: Error Domain=NSURLErrorDomain Code=-999 "cancelled" UserInfo={NSErrorFailingURLStringKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp, NSLocalizedDescription=cancelled, NSErrorFailingURLKey=https://globalprotect.thenetworktransit.com:443/global-protect/prelogin.esp}
isHandshakeStarted: 1
trustedServerCertificates: (null)
priorityIdentities: (null)
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
trustExceptionSHA256: ad:ff:f0:47:92:39:d2:db:15:29:21:ad:54:a3:bf:6c:d9:f4:48:01:d0:fe:d4:36:98:12:65:b1:20:ad:b9:ca
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{
09-30-2019 10:35 AM
How did you copy the Portal and Device or User certificates to your iOS devices?
You need to create Certificate Profiles with an MDM or Apple iOS Device Manager (available for macOS).
09-30-2019 10:36 AM
HA!! That is the missing piece. For some reason I was thinking I didn't need to do that because normally for prod use I would get a trusted 3rd party and wouldn't need to.
09-30-2019 04:38 PM
I cannot seem to find Device Manager for Mac... have a link for it?
10-01-2019 04:04 AM
Sorry, it's called Apple Configurator 2:
https://apps.apple.com/de/app/apple-configurator-2/id1037126344?mt=12
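Added example, not part of any post in this thread: a Python routine that pulls out of a GlobalProtect iOS client log the fields that explain a "Server trust" failure, namely the presented certificate chain and the per-certificate error reason. The sample is a trimmed excerpt of the log posted above; the function and field names are illustrative, and the regexes assume the line layout seen in that log.

```python
import re

# Trimmed excerpt of the GlobalProtect iOS log posted in this thread.
SAMPLE_LOG = '''\
P7694-T11531 Sep 29 17:08:36:652833 Error( 522): Server trust evalutaion failed: 5
connection: 0x10440aff0, type: 1, host: [globalprotect.thenetworktransit.com:443], original host: [globalprotect.thenetworktransit.com], alwaysTrust: 0
serverCertificatesChain: (
"<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>",
"<cert(0x10482ce00) s: IntermediateCert i: RootCert>",
"<cert(0x10482d400) s: RootCert i: RootCert>"
)
error: Error Domain=GPURLConnectionErrorDomain Code=2 "(null)" UserInfo={ServerCert=<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>, trustChain=(
{
Certificate = "<cert(0x108807800) s: globalprotect.thenetworktransit.com i: IntermediateCert>";
Property = {
type = error;
value = "Root certificate is not trusted.";
};
},
'''

# Assumed layout: each entry starts with "P<pid>-T<tid> <timestamp> Error(<n>): <message>".
ENTRY = re.compile(r"^P\d+-T\d+ .*?Error\(\s*\d+\): (.*)$", re.M)
CERT = re.compile(r'^"<cert\(0x[0-9a-f]+\) s: (.+?) i: (.+?)>"', re.M)
REASON = re.compile(r'type = error;\s*value = "([^"]*)";')
HOST = re.compile(r"original host: \[([^\]]+)\]")

def triage(log):
    """Return one finding per 'Server trust' error entry in a GP client log."""
    findings = []
    parts = ENTRY.split(log)  # [preamble, msg1, body1, msg2, body2, ...]
    for msg, body in zip(parts[1::2], parts[2::2]):
        if not msg.startswith("Server trust"):
            continue
        chain = CERT.findall(body)  # (subject, issuer) pairs, leaf first
        host = HOST.search(body)
        top = chain[-1] if chain else None
        findings.append({
            "host": host.group(1) if host else None,
            "chain": chain,
            "reasons": REASON.findall(body),
            # Self-signed top of chain: a private root the device must trust.
            "private_root": top[0] if top and top[0] == top[1] else None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the log in this thread it reports the reason `Root certificate is not trusted.` together with a self-signed `RootCert` at the top of the chain, which is the certificate the iOS device has not been given a reason to trust.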