08-09-2013 04:32 PM
I have the global protect license and an active global protect subscription. Windows Laptops, Mac Laptops, and Android devices (using the app) can connect and access network resources. However I try with the iPad and it fails immediately. I get "Cannot connect to Global Protect. There appears to be a problem with your Internet connection or the GlobalProtect network. If the issue is persistent, contact your IT help desk." I see in the logs that the certificate could not be validated but I know there is nothing wrong with it. It works great on the other platforms. I am running Global Protect App 1.3.1-10 with iOS 6.1.3. I have tried a few different Internet connections as well and they all have the same behavior. Also, I removed the app from the iPad and reinstalled. Still no luck.
P 344-T12035 Aug 09 18:36:03:717856 Error( 804): didFailWithError: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x1c55bf90 {NSErrorFailingURLKey=https://198.199.129.150:443/ssl-vpn/prelogin.esp, NSErrorFailingURLStringKey=https://198.199.129.150:443/ssl-vpn/prelogin.esp}
P 344-T12035 Aug 09 18:36:03:721530 Debug( 242): Server certificate verification failed Error Domain=GPErrorDomain Code=3 "The operation couldn’t be completed. (GPErrorDomain error 3.)" UserInfo=0x1c669c40 {trustChain=(
{
Certificate = "<cert(0x1d041800) s: vpn.celadontrucking.com i: RapidSSL CA>";
},
{
Certificate = "<cert(0x1c669010) s: RapidSSL CA i: GeoTrust Global CA>";
}
), ServerCert=<cert(0x1d041800) s: vpn.celadontrucking.com i: RapidSSL CA>}
P 344-T12035 Aug 09 18:36:03:721651 Debug(2918): Show Gateway WAN: Server certificate verification failed
P 344-T12035 Aug 09 18:36:03:721902 Error(1941): Failed to verify server certificate of gateway 198.199.129.150.
P 344-T12035 Aug 09 18:36:03:721974 Debug(2918): Show Gateway WAN: Server certificate verification failed
P 344-T12035 Aug 09 18:36:03:722025 Debug(1944): Failed to pre-login to the gateway 198.199.129.150
P 344-T12035 Aug 09 18:36:03:722074 Error(1353): Failed to retrieve info for gateway 198.199.129.150.
P 344-T12035 Aug 09 18:36:03:722120 Debug( 599): session cleanup.
P 344-T12035 Aug 09 18:36:03:722181 Debug(1362): tunnel to 198.199.129.150 is not created.
P 344-T12035 Aug 09 18:36:03:722231 Error(2023): NetworkDiscoverThread: failed to discover external network.
P 344-T12035 Aug 09 18:36:03:722283 Debug(2689): Set state to Disconnected
P 344-T12035 Aug 09 18:36:03:726464 Debug(2058): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0
P 344-T12035 Aug 09 18:36:03:726611 Debug(2074): Network discovery is not ready, set GP VPN status as disconnected
P 344-T12035 Aug 09 18:36:03:726672 Debug(2689): Set state to Disconnected
P 344-T1799 Aug 09 18:36:03:742072 Debug( 262): Received message, session-1, msgtype-5
08-09-2013 04:59 PM
In your GP gateway configuration, are you specifying the CN in the cert (it appears to be "vpn.celadontrucking.com") or the IP address (198.199.129.150)? They should match for the connection to work. So if the cert has the fqdn, the gateway address you list should also be the fqdn.
The other common issue with chained certs is that the full chain (minus the root) should be imported when adding the cert to your firewall. Check out this doc:
https://live.paloaltonetworks.com/docs/DOC-4289
Hopefully one of the two will work for you.
Greg
08-09-2013 05:31 PM
The cert is correct. The FQDN is correct. I am trying to connect with the FQDN on the iPad and it is failing. All of my devices use vpn.celadontrucking.com. We do not use the IP as we get a certificate mismatch. The full certificate chain is also in place.
08-09-2013 05:32 PM
I've also reset the network settings on the iPad and it is still failing.
08-09-2013 05:49 PM
So, I gather that the Cert that you are using is correctly set up with the FQDN as the common name.
Now, in the client tab of the portal config, the gateway list... is that configured with the IP or with the FQDN?
Also, has the cert authority been specified as a "trusted root CA" in the set up?
08-09-2013 06:04 PM
Cert does have the FQDN. Next, there is an IP in the gateway list. Finally the trusted root CA is set.
08-09-2013 06:12 PM
I changed the Gateway list to the FQDN as well and it is working. Didn't even think of checking that spot as the other clients were working.
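Added example, not part of the thread and not Palo Alto code: a small audit that checks each address in a gateway list against the names a server certificate covers, which is the mismatch the thread ends on. It assumes the client validates the certificate against the address it was told to connect to; the certificate dict is constructed from the names in the log above, in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# The name is taken from the thread's log; the real cert's SAN list is an assumption.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.celadontrucking.com"),),),
    "subjectAltName": (("DNS", "vpn.celadontrucking.com"),),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def address_matches_cert(address, cert):
    """True if a configured gateway address is a name the certificate covers."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an "IP Address" SAN, never a DNS name or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:
        # Legacy fallback to the subject CN when the cert has no DNS SAN.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, address) for n in dns_names)

def audit_gateway_list(gateways, cert):
    """Return the configured gateway addresses that would fail name validation."""
    return [g for g in gateways if not address_matches_cert(g, cert)]

if __name__ == "__main__":
    # Gateway list holding both the IP and the FQDN mentioned in the thread.
    print(audit_gateway_list(["198.199.129.150", "vpn.celadontrucking.com"], SAMPLE_CERT))
```
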