Just putting this out there to see if anybody else has had similar issues. If you have, I would really appreciate you letting me know please!
Palo Alto PA-820 - HA (active/passive) - PanOS 9.1.5
For several months we have had intermittent problems with Global Protect rejecting client certificates when our users try to connect to one of our HA pairs of Palo Altos. Things work fine for several days, then we see just the occasional rejection, but usually within 24 hours of the first rejection, all client certificates are rejected by Global Protect.
If we fail over to the HA peer, client certificates are accepted again for several days until the same thing happens and we need to fail back. Reboot, Repeat.
This issue first appeared when we were running PanOS 8.1 and has remained following an upgrade to 9.1.
We have several pairs of Palo Alto devices running PanOS 9.1 configured in the same way (although different models) and none of the others have suffered from this problem. These all use the same client certificates / CAs and the Global Protect configuration is identical.
Some more relevant info:
We have had a case open with Palo Alto support since August but little progress has been made. The tech support file does not seem to contain any clues. Additional debug level logs have been provided too but have not proved useful so far.
If you have had similar issues or have any suggestions for things to check while Palo Alto are reviewing my uploads, it would be really appreciated.
I ran into this exact same issue a while back that wasn't being solved by software and just got to be extremely annoying more than anything else. I eventually just reinstalled from maintenance mode on the two HA hosts and restored the configuration. That actually fixed it and I haven't had any issues with those two hosts since. Never did actually figure out what was causing the issue, but that thankfully fixed it.