Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart

L4 Transporter

Hi all,

 

Just putting this out there to see if anybody else has had similar issues.  If you have, I would really appreciate you letting me know please!

 

Palo Alto PA-820 - HA (active/passive) - PanOS 9.1.5

 

For several months we have had intermittent problems with Global Protect rejecting client certificates when our users try to connect to one of our HA pairs of Palo Altos.  Things work fine for several days, then we see just the occasional rejection, but usually within 24 hours of the first rejection, all client certificates are rejected by Global Protect.

 

If we fail over to the HA peer, client certificates are accepted again for several days until the same thing happens and we need to fail back.  Reboot, Repeat.

 

This issue first appeared when we were running PanOS 8.1 and has remained following an upgrade to 9.1.

 

We have several pairs of Palo Alto devices running PanOS 9.1 configured in the same way (although different models) and none of the others have suffered from this problem.  These all use the same client certificates / CAs and the Global Protect configuration is identical.

 

Some more relevant info:

  • Both certificate and credentials (AD / SAML) are required to connect to Global Protect.
  • CRLs are used and we have confirmed that valid CRLs are present at the time of the issue (we use 2 CAs).
  • Restarting the sslvpn-web-server process does not help.
  • Recent issues such as DP/MP time sync have been eliminated.

We have had a case open with Palo Alto support since August but little progress has been made.  The tech support file does not seem to contain any clues.  Additional debug level logs have been provided too but have not proved useful so far.

 

If you have had similar issues or have any suggestions for things to check while Palo Alto are reviewing my uploads, it would be really appreciated.

 

Thank you,

Dave

 

2 REPLIES 2

Cyber Elite
Cyber Elite

@DavePalo,

I ran into this exact same issue a while backchat wasn't being solved by software and just got to be extremely annoying more than anything else. I eventually just reinstalled from maintenance mode on the two HA hosts and restored the configuration. That actually fixed it and I haven't had any issues with those two hosts since. Never did actually figure out what was causing the issue, but that thankfully fixed it. 

Thank you @BPry ,

It is good to hear that somebody else has seen this issue before - it's not just me!

If support are unable to find the issue soon I will try reinstalling as you did.  Thanks for the tip!

Best regards,

Dave

  • 8936 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!