Global Protect - "A valid client certificate is required for authentication" but works correctly for X days after PA restart


L4 Transporter

Hi all,

Just putting this out there to see if anybody else has had similar issues.  If you have, I would really appreciate you letting me know please!

Palo Alto PA-820 - HA (active/passive) - PAN-OS 9.1.5

For several months we have had intermittent problems with Global Protect rejecting client certificates when our users try to connect to one of our HA pairs of Palo Altos.  Things work fine for several days, then we see just the occasional rejection, but usually within 24 hours of the first rejection, all client certificates are rejected by Global Protect.

If we fail over to the HA peer, client certificates are accepted again for several days until the same thing happens and we need to fail back.  Reboot, Repeat.

This issue first appeared when we were running PAN-OS 8.1 and has remained following an upgrade to 9.1.

We have several pairs of Palo Alto devices running PAN-OS 9.1 configured in the same way (although different models) and none of the others have suffered from this problem.  These all use the same client certificates / CAs and the Global Protect configuration is identical.

Some more relevant info:

  • Both certificate and credentials (AD / SAML) are required to connect to Global Protect.
  • CRLs are used and we have confirmed that valid CRLs are present at the time of the issue (we use 2 CAs).
  • Restarting the sslvpn-web-server process does not help.
  • Recent issues such as DP/MP time sync have been eliminated.

We have had a case open with Palo Alto support since August but little progress has been made.  The tech support file does not seem to contain any clues.  Additional debug level logs have been provided too but have not proved useful so far.

If you have had similar issues or have any suggestions for things to check while Palo Alto are reviewing my uploads, it would be really appreciated.

Thank you,

Dave
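
Added example (editor's addition, not part of the thread and not Palo Alto's own code): the two decisions a GlobalProtect certificate profile has to reach about a client certificate (does it chain to the configured CA, and is it absent from a CRL that is still inside its validity window) reproduced with openssl, so the CRL check Dave describes can be repeated offline and with a known-good answer. The script builds a throwaway CA, two client certificates and a CRL itself; the CA name, the user names and the portal hostname are all made up, and it assumes openssl 1.1.1 or later and GNU coreutils date(1).

```shell
#!/bin/sh
# Added example, not from the thread: the checks a GlobalProtect certificate
# profile performs on a client certificate (chains to the CA; not listed on a
# CRL whose nextUpdate is still in the future), reproduced with openssl against
# a throwaway PKI the script builds itself. Assumptions: openssl 1.1.1+ and GNU
# date(1) on PATH; every name below (Example Client CA, user1, user2, the
# portal host) is made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# One config for req(1) and ca(1); [req_dn] is empty because -subj is used.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 1
unique_subject   = no
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName       = supplied
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber

# Constructed test CA (stands in for the real client-certificate CA).
openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.crt -subj "/CN=Example Client CA" 2>/dev/null

issue_client_cert() {        # issue_client_cert <name>: CSR + CA-signed cert
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config pki.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}

regenerate_crl() {           # cut a fresh CRL from the CA database, bundle with CA cert
  openssl ca -config pki.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ca-bundle.pem   # verify(1) reads CRLs from -CAfile too
}

# Seconds until the CRL's nextUpdate. Once this is negative the firewall rejects
# every certificate from that CA, not only revoked ones, so a CRL that is present
# but expired produces the same "valid client certificate is required" error.
crl_seconds_remaining() {    # crl_seconds_remaining <crl>
  next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  echo $(( $(date -u -d "$next" +%s) - $(date -u +%s) ))
}

# Prints yes if the cert chains to the CA and is not on the bundled CRL, else no.
client_cert_accepted() {     # client_cert_accepted <cert>
  if openssl verify -crl_check -CAfile ca-bundle.pem "$1" 2>/dev/null | grep -q ': OK$'
  then echo yes; else echo no; fi
}

# Not run here: present the same certificate to a real portal to separate a
# certificate/CRL problem from a device-side one (hostname is a placeholder).
probe_portal() {             # probe_portal <host> <name>
  openssl s_client -connect "$1:443" -servername "$1" \
    -cert "$2.crt" -key "$2.key" -CAfile ca-bundle.pem </dev/null
}

issue_client_cert user1
issue_client_cert user2
openssl ca -config pki.cnf -revoke user2.crt 2>/dev/null   # revoke before cutting the CRL
regenerate_crl

echo "CRL seconds remaining: $(crl_seconds_remaining ca.crl)"
echo "user1 accepted: $(client_cert_accepted user1.crt)"   # yes
echo "user2 accepted: $(client_cert_accepted user2.crt)"   # no
```

To run this against the real environment, replace ca.crt and ca.crl with the CA certificate and the CRL exported from the firewall (one bundle per CA, since two CAs are in use) and point client_cert_accepted at a user's exported certificate. A negative value from crl_seconds_remaining explains the rejection outright; if both checks pass on the same inputs while one HA peer still rejects every certificate and its partner accepts them, the PKI side has been ruled out and the remaining suspect is the device itself.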

2 REPLIES

Cyber Elite

@DavePalo,

I ran into this exact same issue a while back; it wasn't being solved by software and just got to be extremely annoying more than anything else. I eventually just reinstalled from maintenance mode on the two HA hosts and restored the configuration. That actually fixed it and I haven't had any issues with those two hosts since. Never did actually figure out what was causing the issue, but that thankfully fixed it.

Thank you @BPry ,

It is good to hear that somebody else has seen this issue before - it's not just me!

If support are unable to find the issue soon I will try reinstalling as you did.  Thanks for the tip!

Best regards,

Dave

  • 4507 Views
  • 2 replies
  • 0 Likes