Open the certificate presented by the portal. Go to the details tab and then check the Signature Algorithm. This is where RSASSA-PSS would be, if the certificate is using it. I doubt it though, in your case, as 2 machines are able to connect. We'd need to check the GP agent logs to figure out what's going on.
Could you please explain how to check certificates? What do you mean by the certificate presented by the portal?
I can't find in the logs what certificate GlobalProtect tries to use.
In mmc/certificates I can see many root certificates etc, ... not expired with different algorithms.
It works even from my hosted virtual machine under win8, but it does not work on my root machine Win10 ... and I can't find any difference.
Please, your help could save me from reinstalling my OS... (my admin proposed it)
Are you sure your self signed root cert is installed on this client?
(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 793): standardized name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 731): StandardizeIpv6Format host=pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 821): standardized common name is pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 942): Check domain name pa3-vpn-gateway.somecompany.com versus CN anme pa3-vpn-gateway.somecompany.com
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.
Did you add this root cert also to the trusted root certs in the portal configuration?
@vsys_remo definitely, it's installed via a GPO.
Something interesting I have found during my testing.
If I clean / uninstall the GP client and then download and reinstall, it does log into the GP portal and grab the config once, which is how it finds the int gateway. But once that is done, then I have all the problems.
I have pointed my browser at portal and the gateways to check the certs and it all looks good.
Is your pa3-vpn-gateway somehow private/hidden so that only you (maybe with a local host entry) can connect?
The reason I am asking is because from my point of view, with the knowledge I have from your posts so far, there is a problem on pa3-vpn-gateway. I am able to resolve your gateway 1, 2 and the portal by DNS but not gateway 3. In addition, a TLS check shows the correct information for gateway 1, 2 and the portal and all 3 certs show the earlier mentioned self-signed root cert. But on gateway 3 or better on the IP where I assume gateway 3 should be, the TLS check fails completely.
In an earlier post you wrote that other clients are working: what rules do you have in place to decide which gateway will be chosen by the clients? All with the same priority or based on user groups ... So the working clients, do they also try to connect to gateway 3?
Of course ... would have been too easy, if that was the solution :P
At the times of these failing connections: is there something useful or at least regarding that client in the system log of your portal and/or gateway(s)?
So a short recap: @Alex_Samad
In addition to this discussion you probably also want to open a TAC case...
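Added example, not part of the thread and not Palo Alto tooling: a small Python parser that groups GlobalProtect agent log entries like the excerpt posted above into TLS attempts and records, for each one, the subject CN, issuer CN, and whether the name check passed while the root CA lookup and chain verification failed. The entry layout is assumed from that excerpt, and the function and field names are hypothetical.

```python
import re

# Sample input: a subset of the log entries posted in the thread.
SAMPLE = """\
(T17360) 08/02/17 10:44:28:403 Error(1128): Failed to X509_LOOKUP_load_file
(T17360) 08/02/17 10:44:28:403 Debug( 296): Open_SSL_connection: subject '/C=AU/O=somecompany Pty Limited/OU=PA/CN=pa3-vpn-gateway.somecompany.com'
(T17360) 08/02/17 10:44:28:403 Debug( 300): Open_SSL_connection: issuer '/C=AU/O=somecompany Pty Limited/OU=PA/CN=vdcPAGlobalProtectCA'
(T17360) 08/02/17 10:44:28:403 Info (5144): Root ca does not exist.
(T17360) 08/02/17 10:44:28:403 Debug( 905): Cert pa3-vpn-gateway.somecompany.com name check succeeded
(T17360) 08/02/17 10:44:28:403 Debug(5157): Failed to verify gateway pa3-vpn-gateway.somecompany.com's server certificate using trusted root CA of portal configuration.
(T17360) 08/02/17 10:44:28:403 Debug(5162): disconnect ssl.
"""

# Every entry opens with "(T<thread>) <date> <time> <Level>(<code>): " (layout assumed).
ENTRY = re.compile(r"\(T(\d+)\) (\d\d/\d\d/\d\d [\d:]+) \w+\s*\(\s*\d+\): ")
# Message fragments that set a flag on the attempt currently open on a thread.
FLAGS = {"Root ca does not exist.": "root_missing",
         "name check succeeded": "name_ok",
         "Failed to verify gateway": "trust_failed"}

def parse_entries(text):
    """Return (thread, time, message) tuples, even when entries share one line."""
    marks = list(ENTRY.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return [(m[1], m[2], text[m.end():e].strip()) for m, e in zip(marks, ends)]

def cn_of(message):
    found = re.search(r"CN=([^'/]+)", message)  # CN part of the quoted DN
    return found.group(1) if found else None

def tls_attempts(text):
    """Group entries into TLS attempts; a 'subject' line opens one per thread."""
    attempts, current = [], {}
    for thread, when, msg in parse_entries(text):
        if msg.startswith("Open_SSL_connection: subject"):
            current[thread] = {"time": when, "subject_cn": cn_of(msg), "issuer_cn": None,
                               "root_missing": False, "name_ok": False, "trust_failed": False}
            attempts.append(current[thread])
        elif thread not in current:
            continue  # e.g. the X509_LOOKUP_load_file error logged before the handshake
        elif msg.startswith("Open_SSL_connection: issuer"):
            current[thread]["issuer_cn"] = cn_of(msg)
        elif msg == "disconnect ssl.":
            del current[thread]  # attempt finished; later entries start a new one
        else:
            for needle, flag in FLAGS.items():
                if needle in msg:
                    current[thread][flag] = True
    return attempts
```

An attempt with `name_ok` and `trust_failed` both set, as in this sample, means the hostname matched the certificate and the failure is in chain trust for the listed issuer, not in name matching.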