02-02-2017 03:21 AM
Hi,
OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seem to work.
My GlobalProtect configuration with pre-logon is working with a machine certificate, but when I want to see the status of the OCSP cache on the Palo, I've an unavailable status:
debug sslmgr view ocsp all
Current time is: Thu Feb 2 10:21:28 2017
Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 44000001565A923152F9A9E91A000000000156 unavailable Feb 02 08:20:44 2017 GMT
Here is the error in the sslmgr.log:
2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[http://ocsp.dummy.com/ocsp]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed
Yes, I've activated the NONCE support on my Microsoft OCSP Responder as mentioned here:
I've done a capture on the firewall and I see the packets OCSP Request and OCSP Response but Palo Alto
Any ideas, anyone?
04-21-2021 07:42 AM
Did you ever find a resolution to this issue? I am having the same problem.