Please help me about sslmgr error !!!

L0 Member

Please help me about sslmgr error !!!

I have configure LSVPN that is kind of SSL VPN via GlobalProtect . I have One HeadQuater and fews Branchs connecto to HQ via VPN with GlobalProtect. Both Headquarter and Branch have PaloAlto.

Each Branch have two ipsec connections  to Headquarter. After configuring , i see that only one connection is active , another connection is inactive. I don't know what is problem.

Here is some my ideas :

     I haven't actived licences yet, I wonder there is any problem with license for GlobalProtect . I just using GlobalProtect to make ipsec vpn for PA to PA.

     When i capture packet from PA which is connect to Headquarter, I see in system log " SSLMGR certificate ocsp verification failed.Certificate 0D status is unknown " . That is I don't know what is problem. I don't have any experience with Certificate in PaloAlto.

Please help me , this is emergency because i am working on project with my customer.

thank alot

L5 Sessionator

Can you check if the Any options are enabled or checked under the following settings:

Device>Setup>Session> Decryption CertificateRevocation Settings

Uncheck if checked if you do not need them


Not applicable

I have a very similar problem.

I have LSVPN working between 12 PA appliances. All spoke appliances report "SSLMGR certificate ocsp verification failed.Certificate XX status is unknown".

Device>Setup>Session> Decryption CertificateRevocation Settings is all unchecked in both hub and spokes.

I'm using self-signed certificate from HUB appliance, configured with OCSP responder following LSVPN instructions.

The same certificate has been imported on spokes and since then the LSVPN has been working well, but I keep seeing the error message in all spokes.

What should I configure on spokes regarding OCSP to fix this message?

Thanks in advance!

L5 Sessionator

Hi Minh,

As far as i know  CRL uses wget to retrieve the file. Currently firewall does not support for crl https and you will see this error. If you set it up as http it should work. Please give a try and see if that resolves the issue. If you find out having CRL as https is not working and with http it is working you can request your Local Sales Engineer to file a Feature request on your behalf.

Thank you

L2 Linker

Hi Filipe,

I had the same issue as you did, have you fixed the error message you got? If you did, can you please share with me what are the fixes?




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!