GlobalProtect reports a "Client Certificate Error" but still connects

L1 Bithead

Hello-

I'm running a PA-500 with GlobalProtect for VPN access. Just recently our users started experiencing an issue wherein they try to connect and receive a "Client Certificate Error" error dialog. However, after they click OK to close the dialog, the agent connects anyway. I investigated the issue myself and found what follows below. Note that I initiated the connection at around 19:24 and closed it at around 19:33.

Environment:

Firewall OS: 5.0.14

GlobalProtect Client: 1.2.5-2

User OS: Windows 7 (all our users are Win 7, so I can't determine whether this is OS-specific)

The exported PanGPA log reports this at the time of making the connection:

(T4860) 03/15/15 19:24:39:713 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T4860) 03/15/15 19:24:39:900 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T2844) 03/15/15 19:24:48:683 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T4328) 03/15/15 19:24:49:354 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

(T3180) 03/15/15 19:24:57:154 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED

The exported PanGPS log reports this (I've removed IP addresses):

(T2080) 03/15/15 12:13:26:571 Error(  80): Failed to open sub key 'Software\Palo Alto Networks\VPN Agent\PanSetup'

(T2176) 03/15/15 19:24:39:619 Error(  95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T2176) 03/15/15 19:24:39:619 Error( 141): connect() failed

(T2176) 03/15/15 19:24:39:619 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.

(T2176) 03/15/15 19:24:45:891 Error(12151): pre-login error message: GlobalProtect portal does not exist

(T2176) 03/15/15 19:24:45:891 Error(8298): pan_obj_get_value() failed with tag client-cert. Returns false.

(T2176) 03/15/15 19:24:45:891 Error(11000): Failed to export client cert.

(T4256) 03/15/15 19:24:45:984 Error(  95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T4256) 03/15/15 19:24:45:984 Error( 141): connect() failed

(T4256) 03/15/15 19:24:45:984 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.

(T4264) 03/15/15 19:24:51:444 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T4264) 03/15/15 19:28:56:737 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[1] (<Some IP 1>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[2] (<Some IP 2>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[3] (<Some IP 1>) failed (Element not found.)

(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[4] (<Some IP 2>) failed (Element not found.)

(T2960) 03/15/15 19:32:49:270 Error(1739): UnsetRoutes: No route installed before

(T2960) 03/15/15 19:33:01:339 Error(1199): IpReleaseAddress done

(T2176) 03/15/15 19:33:01:558 Error(  95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))

(T2176) 03/15/15 19:33:01:558 Error( 141): connect() failed

(T2176) 03/15/15 19:33:01:558 Error( 978): ConnectSSL: Failed to connect to '<Portal IP>:443'

(T2176) 03/15/15 19:33:01:558 Error(1025): ConnectSSL(false) failed

(T2176) 03/15/15 19:33:01:558 Error(1221): Logout: SendNReceive() failed

(T2176) 03/15/15 19:33:01:558 Error(2013): Disconnect: Logout() failed

One of the first things I did was check out the certificates assigned to the clients, and they all appear to be fine.  At least, nothing in them was changed or expired.  I also checked out the firewall's system logs and they don't give a hint of any error (they just show a successful authentication and connection), which leads me to believe that the error is completely client-side.  Does anybody have any input on this?  I like that my users can still connect, but for obvious reasons I don't like seeing certificate errors that are apparently being ignored...if the logs say "Failed to ssl connect" but it connects anyway, then what's it using to connect?  Not an unencrypted, non-SSL connection, I hope.  I'm hesitant to use the VPN until I can resolve this.

By the way, this seems to be a possibly related and unanswered question:

https://live.paloaltonetworks.com/message/43849

Thank you.

L4 Transporter

Did you open a support case?

L1 Bithead

No, not yet.  I was going to check with the community first and then open a support case if nobody here knew anything.

L7 Applicator

Could you please check whether the certificate common name is an IP address or an FQDN? For example, if the certificate has an IP address in the CN, you have to connect with the IP from the GP client. Otherwise it will show you a certificate warning.

Thanks
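The check suggested in the reply above, written out as an added example (not code from the thread or from Palo Alto Networks): it compares the portal address entered in the client with the names in the portal certificate and reports an IP-versus-FQDN mismatch. It goes beyond the CN-only case in the reply by also accepting subjectAltName entries and a left-most wildcard; the function names, the SAN handling and all sample values are assumptions made for illustration.

```python
import ipaddress


def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive DNS match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_portal_address(portal, cert_cn, cert_sans=()):
    """Return (ok, reason) for the address the client uses vs. the certificate names.

    Assumption: when SAN entries are supplied they replace the CN, as in
    common TLS name checking; the thread itself only mentions the CN.
    """
    names = list(cert_sans) or [cert_cn]
    portal_ip = _as_ip(portal)
    for name in names:
        name_ip = _as_ip(name)
        if portal_ip is not None and name_ip is not None:
            if portal_ip == name_ip:  # IP literals compared by value, not by string
                return True, f"IP {portal} matches certificate name {name}"
        elif portal_ip is None and name_ip is None and _dns_match(name, portal):
            return True, f"hostname {portal} matches certificate name {name}"
    kind = "an IP address" if portal_ip is not None else "a hostname"
    return False, f"client connects to {kind} ({portal}); certificate names: {names}"


if __name__ == "__main__":
    # Constructed sample values (documentation address range and example domain).
    for portal, cn in [("203.0.113.10", "vpn.example.com"),
                       ("vpn.example.com", "vpn.example.com"),
                       ("vpn.example.com", "203.0.113.10")]:
        print(portal, cn, check_portal_address(portal, cn))
```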
