GlobalProtect OCSP validation not working


L1 Bithead

Hi,

 

OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seem to work.

 

My GlobalProtect configuration with pre-logon is working with machine certificate, but when I want to see the status of the OCSP cache on the Palo, I've an unavailable status:

 

debug sslmgr view ocsp all

Current time is: Thu Feb 2 10:21:28 2017

Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 44000001565A923152F9A9E91A000000000156 unavailable Feb 02 08:20:44 2017 GMT

 

Here is the error in the sslmgr.log:

 

2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[http://ocsp.dummy.com/ocsp]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed

 

Yes, I've activated the NONCE support on my Microsoft OCSP Responder as mentioned here:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/OCSP-Validation-of-Client-Certificate-No...

 

I've done a capture on the firewall and I see the packets OCSP Request and OCSP Response but Palo Alto

 

ocsp-request.png

 

ocsp-response.png

 

Idea anyone?
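Added here as an example, not code from the thread or from Palo Alto Networks: a stdlib-only Python parser that turns sslmgr.log lines like the three quoted above into structured records, so "unavailable" OCSP results can be counted per responder URI and the missing verify-certs path can be flagged when monitoring the firewall's logs. The line format is inferred from those three lines only, and the sample input is those same lines embedded as a constant.

```python
import re
from collections import Counter

# Constructed sample: the three sslmgr.log lines quoted in the post above.
SAMPLE_LOG = """\
2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[http://ocsp.dummy.com/ocsp]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed
"""

# Generic line shape: timestamp, level, function(source:line), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+): (?P<func>\w+)\((?P<src>[^)]+)\): (?P<msg>.*)$"
)
# Per-query outcome: status, certificate serial and responder URI.
STATUS_RE = re.compile(
    r"Certificate status query is (?P<status>\w+) for serial number"
    r"\[(?P<serial>[0-9A-Fa-f]+)\] and uri\[(?P<uri>[^\]]+)\]"
)
# Warning about a verify-certs bundle the firewall could not find.
MISSING_RE = re.compile(r"sat_verify_certs\((?P<path>[^)]+)\) doesnot exist")


def parse_sslmgr(text):
    """Return one dict per parseable sslmgr.log line, enriched with OCSP fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the known shape
        rec = m.groupdict()
        s = STATUS_RE.search(rec["msg"])
        if s:
            rec.update(s.groupdict())
            rec["serial"] = rec["serial"].upper()  # normalise hex for matching
        p = MISSING_RE.search(rec["msg"])
        if p:
            rec["missing_verify_certs"] = p.group("path")
        records.append(rec)
    return records


def summarize(records):
    """Count query outcomes per (responder URI, status) and list missing bundle paths."""
    by_uri = Counter((r["uri"], r["status"]) for r in records if "uri" in r)
    missing = sorted({r["missing_verify_certs"] for r in records if "missing_verify_certs" in r})
    return {"by_uri": dict(by_uri), "missing_verify_certs": missing}


if __name__ == "__main__":
    print(summarize(parse_sslmgr(SAMPLE_LOG)))
```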

1 REPLY 1

L0 Member

Did you ever find a resolution to this issue?  I am having the same problem.
