GlobalProtect behind NAT/PAT Certificate Issue.


L1 Bithead


Hi,

I'm configuring my GlobalProtect VPN and the Agent keeps saying "CN name mismatch".

Here's my infrastructure: Drawing1.png

The PA220 is behind the NAT of the ISP, and all connections on WAN_IP (that is the public IP) are translated to the address 192.168.7.1. As port 443 is already used, we're using WAN_IP:10443, which translates to 192.168.7.1:443 for GlobalProtect.

Here is where the problem lies. For the GP gateway certificate I must specify the CN, which has to be WAN_IP:10443.

The Agent keeps prompting "The certificate CN name mismatch. The certificate is not issued to WAN_IP:10443". But when I open the certificate, it is issued to WAN_IP:10443...

I can ignore this warning and continue, but it can't connect and prompts "my gateway: server certificate verification failed".

Any help please?

BR,

Nael


Accepted Solutions
Cyber Elite

Hi @Naelwan

From your post I assume you created a self-signed CA and certificate on your PA220. Is that correct?

If yes: did you import the root CA cert into your clients' certificate trust store? In addition, you also need to specify the root CA cert as a trusted root CA in your GlobalProtect portal configuration.

And: how exactly did you create the certificate? Did you also add the WAN IP as an "IP" attribute in the certificate?
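The point @vsys_remo is driving at, the "IP" attribute, is a subjectAltName (SAN) entry of type iPAddress, and clients that connect by IP match the address against the SAN, not against the Subject CN. The script below is an added example, not from this thread or from Palo Alto Networks: it uses the openssl command line to build a throwaway root CA, issues two gateway certificates for a constructed placeholder address (203.0.113.10 stands in for WAN_IP), one with the IP only in the CN and one with it also in the SAN, and then verifies each the way a connecting client would. Note that the port (10443) is never part of the certificate identity; only the address is compared.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI (1.0.2 or newer)
# is installed. 203.0.113.10 is a constructed placeholder for the thread's WAN_IP.
set -eu

WAN_IP="203.0.113.10"          # constructed stand-in for the public WAN_IP
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway root CA, the equivalent of the self-signed CA on the PA-220.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a gateway certificate signed by that CA.
# $1 = "cn-only"  : the IP appears only in the Subject CN (the original setup)
# $1 = "with-san" : the IP is also present as a subjectAltName IP entry (the fix)
issue_cert() {
  ext="$WORK/$1.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$ext"
  if [ "$1" = "with-san" ]; then
    printf 'subjectAltName=IP:%s\n' "$WAN_IP" >> "$ext"
  fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$WAN_IP" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Verify the chain against the root CA *and* require the address the client
# connected to (-verify_ip) to match the certificate, as a VPN agent does.
# Returns 0 when the certificate would be accepted for $WAN_IP, 1 otherwise.
verify_for_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$WAN_IP" "$WORK/$1.pem" >/dev/null 2>&1
}

# Stand-alone demonstration of both certificates.
make_ca
issue_cert cn-only
issue_cert with-san
for name in cn-only with-san; do
  if verify_for_ip "$name"; then
    echo "$name: accepted for $WAN_IP"
  else
    echo "$name: rejected for $WAN_IP (same failure the agent reports as a CN mismatch)"
  fi
done
```

Running it shows the cn-only certificate rejected and the with-san certificate accepted, even though both carry the same CN: when a client verifies an IP address, OpenSSL only consults subjectAltName iPAddress entries and never falls back to the CN, which is why adding the "IP" attribute on the firewall resolves the warning.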


All Replies

L1 Bithead

Hi @vsys_remo

Self-signed CA on the PA220, yes.

The root CA cert is imported and specified in the portal conf.

I created the certificate with only the WAN IP in the Subject. I just tried with the IP attribute set to the WAN IP, and it now works.

Thanks for your very responsive answers and your knowledge. Really appreciate it.

BR

Nael

L1 Bithead

Well, @vsys_remo, it worked only one time. From the second try onwards: no more warning prompt, but after network and config detection I have the same error "gateway: server certificate verification failed".

There has been no modification made to the PA220 config between the 1st and 2nd tries.

EDIT:

All I can see in the logs is:

Failed to connect to 192.168.7.1 on 443 (error: 0)

So obviously, the agent-side gateway was misconfigured, as it was pointing at the PA220 interface and not the public IP address.

 
