iPad App fails to connect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

iPad App fails to connect

L3 Networker

I have the global protect license and an active global protect subscription.  Windows Laptops, Mac Laptops, and Android devices (using the app) can connect and access network resources.  However I try with the iPad and it fails immediately.  I get "Cannot connect to Global Protect.  There appears to be a problem with your Internet connection or the GlobalProtect network.  If the issue is persistent, contact your IT help desk."  I see in the logs that the certificate could not be validated but I know there is nothing wrong with it.  It works great on the other platforms.  I am running Global Protect App 1.3.1-10 with iOS 6.1.3.  I have tried a few different Internet connections as well and they all have the same behavior.  Also, I removed the app from the iPad and reinstalled.  Still no luck.

P 344-T12035 Aug 09 18:36:03:717856 Error( 804): didFailWithError: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x1c55bf90 {NSErrorFailingURLKey=https://198.199.129.150:443/ssl-vpn/prelogin.esp, NSErrorFailingURLStringKey=https://198.199.129.150:443/ssl-vpn/prelogin.esp}

P 344-T12035 Aug 09 18:36:03:721530 Debug( 242): Server certificate verification failed Error Domain=GPErrorDomain Code=3 "The operation couldn’t be completed. (GPErrorDomain error 3.)" UserInfo=0x1c669c40 {trustChain=(

        {

        Certificate = "<cert(0x1d041800) s: vpn.celadontrucking.com i: RapidSSL CA>";

    },

        {

        Certificate = "<cert(0x1c669010) s: RapidSSL CA i: GeoTrust Global CA>";

    }

), ServerCert=<cert(0x1d041800) s: vpn.celadontrucking.com i: RapidSSL CA>}

P 344-T12035 Aug 09 18:36:03:721651 Debug(2918): Show Gateway WAN: Server certificate verification failed

P 344-T12035 Aug 09 18:36:03:721902 Error(1941): Failed to verify server certificate of gateway 198.199.129.150.

P 344-T12035 Aug 09 18:36:03:721974 Debug(2918): Show Gateway WAN: Server certificate verification failed

P 344-T12035 Aug 09 18:36:03:722025 Debug(1944): Failed to pre-login to the gateway 198.199.129.150

P 344-T12035 Aug 09 18:36:03:722074 Error(1353): Failed to retrieve info for gateway 198.199.129.150.

P 344-T12035 Aug 09 18:36:03:722120 Debug( 599): session cleanup.

P 344-T12035 Aug 09 18:36:03:722181 Debug(1362): tunnel to 198.199.129.150 is not created.

P 344-T12035 Aug 09 18:36:03:722231 Error(2023): NetworkDiscoverThread: failed to discover external network.

P 344-T12035 Aug 09 18:36:03:722283 Debug(2689): Set state to Disconnected

P 344-T12035 Aug 09 18:36:03:726464 Debug(2058): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0

P 344-T12035 Aug 09 18:36:03:726611 Debug(2074): Network discovery is not ready, set GP VPN status as disconnected

P 344-T12035 Aug 09 18:36:03:726672 Debug(2689): Set state to Disconnected

P 344-T1799  Aug 09 18:36:03:742072 Debug( 262): Received message, session-1, msgtype-5

1 accepted solution

Accepted Solutions

So, I gather that the Cert that you are using is correctly set up with the FQDN as the common name.

Now, in the client tab of the portal config, the gateway list...is that configured with the Ip or with the FQDN.

Also, has the cert authority been specified as a "trusted root CA" in the set up?

View solution in original post

6 REPLIES 6

L7 Applicator

In your GP gateway configuration, are you specifying the CN in the cert (it appears to be "vpn.celadontrucking.com") or the IP address (198.199.129.150)? They should match for the connection to work. So if the cert has the fqdn, the gateway address you list should also be the fqdn.

The other common issue with chained certs is that the full chain (minus the root) should be imported when adding the cert to your firewall. Check out this doc:

https://live.paloaltonetworks.com/docs/DOC-4289

Hopefully one of the two will work for you.

Greg

The cert is correct. The FQDN is correct.  I am trying to connect with the FQDN on the iPad and it is failing.  All of my devices use vpn.celadontrucking.com.  We do not use the IP as we get a certificate mismatch.  The full certificate chain is also in place.

I've also reset the network settings on the iPad and it is still failing.

So, I gather that the Cert that you are using is correctly set up with the FQDN as the common name.

Now, in the client tab of the portal config, the gateway list...is that configured with the Ip or with the FQDN.

Also, has the cert authority been specified as a "trusted root CA" in the set up?

Cert does have the FQDN.  Next, there is an IP in the gateway list.  Finally the trusted root CA is set.

I changed the Gateway list to the FQDN as well and it is working.  Didn't even think of checking that spot as the other clients were working.

  • 1 accepted solution
  • 6247 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!