Global Protect "Server Certificate Verification Failed" Multiple Gateways


We are unable to get multiple gateways working correctly with Global Protect.  When we have one portal and one gateway, clients are able to successfully connect and establish a VPN tunnel.  With two gateways we get the following error from both the originally setup gateway and the gateway we are attempting to add: "Gateway x.x.x.x: Server Certificate Verification Failed" in the Global Protect Client -> Status -> Warnings/Errors dialogue.

Setup information:

Portal Hardware: PA-2050
Portal OS: 5.0.3
Gateway 1: Same as Portal above
Gateway 2 Hardware: PA-200
Gateway 2 OS: 5.0.3
Global Protect Portal License: YES
Global Protect Gateway 1 License: YES
Global Protect Gateway 2 License: YES

Certificate Authority Information:

Microsoft Server CA 2012
Portal - CSR issued to MS CA
Gateway 1 - CSR issued to MS CA
Gateway 2 - CSR issued to MS CA
Clients - Machine Certificate pre-installed via GPO from MS CA


2 REPLIES

Reply 1 (accepted solution):

Network -> Global Protect -> Portals -> <profile name> -> Client Config -> <config name> -> Gateways -> External Gateways -> "Address" == <FQDN> && != <IP Address>

Translation: Make sure that you use the Fully Qualified Domain Name (FQDN) that is in the gateway certificate, and NOT the IP address of the gateway, in the "Address" field of External Gateways.

This is not totally obvious to me as "Address" usually means "IP Address" and "URL" or "FQDN" or "Domain" usually means the domain name of something.
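Why the IP address fails and the FQDN works: the GlobalProtect client hands the value from the portal's External Gateways "Address" field to its TLS hostname check, and a server certificate issued for a DNS name carries no iPAddress SAN that an IP literal could match. The script below is an added illustration, not Palo Alto code and not part of this thread; the certificate fields, gateway names (gw1.example.com, gw2.example.com) and IP addresses are constructed to mirror the setup described in the question, and the matching rules are the standard RFC 6125 ones that most TLS verifiers apply (SAN preferred, CN only as a fallback when the certificate has no SAN, wildcard only in the leftmost label).

```python
"""Check whether a GlobalProtect External Gateways "Address" value would pass
the client's server-certificate hostname verification.

Added example (not Palo Alto code). All certificate data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GatewayCert:
    """Identity fields of a gateway's server certificate (constructed data)."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)   # dNSName SAN entries
    ip_sans: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    a wildcard is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # "*.example.com" matches "gw1.example.com" but not "example.com"
    # or "a.b.example.com" (label counts differ).
    return p_labels[1:] == h_labels[1:]


def address_matches_cert(address: str, cert: GatewayCert) -> tuple:
    """Return (ok, reason) for one configured gateway Address value."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries; a
        # certificate issued to "gw1.example.com" can never match "203.0.113.10".
        if any(ip == ipaddress.ip_address(s) for s in cert.ip_sans):
            return True, f"{address} matches an iPAddress SAN"
        names = cert.dns_sans or [cert.subject_cn]
        return False, f"{address} is an IP literal but the cert only names {names}"
    # Most verifiers consult the CN only when the certificate has no SAN at all.
    names = cert.dns_sans if cert.dns_sans else [cert.subject_cn]
    for name in names:
        if _dns_match(name, address):
            return True, f"{address} matches {name}"
    return False, f"{address} matches none of {names}"


def audit_external_gateways(gateways: dict, certs: dict) -> list:
    """gateways: {label: Address as typed under Portal > Client Config >
    Gateways > External Gateways}; certs: {label: GatewayCert}.
    Returns (label, address, reason) for every entry that would fail."""
    failures = []
    for label, address in gateways.items():
        ok, reason = address_matches_cert(address, certs[label])
        if not ok:
            failures.append((label, address, reason))
    return failures


# Constructed data: both gateways hold certs issued to their FQDNs, as in the thread.
CERTS = {
    "gw1": GatewayCert("gw1.example.com", dns_sans=["gw1.example.com"]),
    "gw2": GatewayCert("gw2.example.com", dns_sans=["gw2.example.com"]),
}
BROKEN = {"gw1": "203.0.113.10", "gw2": "203.0.113.20"}       # IPs in Address
FIXED = {"gw1": "gw1.example.com", "gw2": "gw2.example.com"}  # FQDNs in Address

if __name__ == "__main__":
    for label, cfg in (("Address = IP", BROKEN), ("Address = FQDN", FIXED)):
        print(label, "->", audit_external_gateways(cfg, CERTS) or "all gateways verify")
```

To confirm what names a live gateway certificate actually carries before choosing the Address value, `openssl s_client -connect <gateway>:443 -servername <gateway> </dev/null | openssl x509 -noout -subject -ext subjectAltName` prints the subject and SAN list; the value typed into the Address field must be one of the dNSName entries (or covered by a wildcard there).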

THANK YOU SO MUCH !

It was not obvious to me AT ALL.

If you buy a certificate, don't want any errors, and have the Portal and Gateway fully certified by the external CA, it simply won't work!

I just spent exactly 2h and 28 minutes figuring out why the heck I continue to receive "Server certificate verification failed" error.

I even posted some screenshots here for help.

Then I got to your post, changed the "ADDRESS" field, which is obviously NOT an address but an FQDN, and I'm in.

No Error, all connected just fine.

You should get like 5 stars for this hint.

Thanks a lot Manilla.

BR

Mariusz

  • 1 accepted solution
  • 19438 Views
  • 2 replies
  • 2 Likes