Setting up second gateway: Gives Cert CN error
L2 Linker
Hello all,

I have a (working) GlobalProtect Portal+Gateway environment. I am now trying to set up a gateway in a second datacenter. I have set up the same GP cert and client cert, cert profile and GP Gateway settings. The gateway works when I set up a portal on the second datacenter machine and log on through it, but not when using the original portal.

I see in the client logs it is trying to connect, and then gives me this error:

(T5312) 10/11/13 15:11:40:830 Debug(2597): winhttpObj, HandleHttpsRequest, url = /
(T5312) 10/11/13 15:11:40:830 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:830 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:830 Info (2705): winhttpObj->SendRequest, first try
(T5312) 10/11/13 15:11:40:830 Info (1134): winhttpObj, SendRequest, bIngoreClientCert=0
(T5312) 10/11/13 15:11:40:831 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:831 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:831 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:831 Debug(2984): send alive message now 3
(T2936) 10/11/13 15:11:40:886 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:892 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:892 Debug(1981): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12044, result=5
(T5312) 10/11/13 15:11:40:893 Info (1170): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T5312) 10/11/13 15:11:40:893 Error(1199): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T5312) 10/11/13 15:11:40:893 Info (1225): winhttpObj, set client cert name <bla bla>, remote.<domain>.com
(T5312) 10/11/13 15:11:40:893 Info (1229): winhttpObj, reuse cert 000000000690D9E0
(T5312) 10/11/13 15:11:40:894 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:894 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:894 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:899 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:963 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:963 Info (1927): winhttpObj, dwCertError is:
(T6300) 10/11/13 15:11:40:963 Info (1932): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
(T6300) 10/11/13 15:11:40:963 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:963 Debug(1981): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5
(T5312) 10/11/13 15:11:40:964 Info (1170): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR
(T5312) 10/11/13 15:11:40:964 Info (1172): winhttpObj, ERROR_WINHTTP_SECURE_FAILURE set
(T5312) 10/11/13 15:11:40:964 Error(1199): error = ERROR_WINHTTP_SECURE_FAILURE
(T5312) 10/11/13 15:11:40:964 Debug( 768): Server <IP address 2nd gateway> cert chain has been created.
(T5312) 10/11/13 15:11:40:964 Debug( 782): Server <IP address 2nd gateway> cert verification passed
(T5312) 10/11/13 15:11:40:964 Debug( 806): Check server certificate revocation returns TRUE
(T5312) 10/11/13 15:11:40:964 Debug( 895): The length of the serialized string is 986.
(T5312) 10/11/13 15:11:40:964 Debug( 912): The encoded element has been serialized.
(T5312) 10/11/13 15:11:40:968 Debug( 335): Active session id is 1
(T5312) 10/11/13 15:11:40:979 Debug( 103): Found PanGPA pid 3224
(T5312) 10/11/13 15:11:40:979 Debug( 107): Found active PanGPA pid is 3224
(T5312) 10/11/13 15:11:40:980 Debug(  63): pan_get_full_path(): full path in multibyte char is C:\Users\stephan.van.der.plas\ServerCert.pan
(T5312) 10/11/13 15:11:40:981 Debug( 923): SerializeServerCert(): wrote 986 of 986 bytes to file C:\Users\stephan.van.der.plas\ServerCert.pan.
(T5312) 10/11/13 15:11:40:981 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=0000000002D2C320)
(T5312) 10/11/13 15:11:40:983 Info ( 516): wait for closing callback success!
(T3520) 10/11/13 15:11:41:421 Debug(1869): enum result is 0000000000000000
(T3520) 10/11/13 15:11:41:421 Debug(1895): gbCheckInsertSmardCard is false, quit the enum loop
(T960) 10/11/13 15:11:41:437 Debug(1869): enum result is 0000000000000000
(T960) 10/11/13 15:11:41:437 Debug(1895): gbCheckInsertSmardCard is false, quit the enum loop

What can I do to make this work via the existing portal?

Regards,

Stephan van der Plas
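The log above reports WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID (error 12175, ERROR_WINHTTP_SECURE_FAILURE) for a server the client addresses by IP (the "Server <IP address 2nd gateway>" lines), while the certificate it selects is named remote.<domain>.com. The chain and revocation checks pass; only the identity check fails. As an added illustration, not code from the post or from Palo Alto Networks, the Python below first pulls the cert-error flag, WinHTTP error name and server address out of a constructed log excerpt modelled on the lines above, then emulates the identity check a TLS client performs (subjectAltName first, CN only as a legacy fallback, IP literals only against iPAddress SANs, single-label wildcards). The certificate, the address 203.0.113.10 and the name remote.example.com are constructed placeholders, and the matcher is a simplified stand-in for WinHTTP's own rules, not WinHTTP itself.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PanGPS client log in the post (not the original lines).
SAMPLE_LOG = """\
(T6300) 10/11/13 15:11:40:963 Info (1914): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, this=0000000002D2C320)
(T6300) 10/11/13 15:11:40:963 Info (1932): WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
(T6300) 10/11/13 15:11:40:963 Debug(1981): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12175, result=5
(T5312) 10/11/13 15:11:40:964 Debug( 782): Server 203.0.113.10 cert verification passed
"""

# WinHTTP error codes and the names the post's log prints for them.
WINHTTP_ERRORS = {
    12044: "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED",
    12175: "ERROR_WINHTTP_SECURE_FAILURE",
}


def triage_log(text):
    """Extract the cert-error flags, WinHTTP error names and the server address from a log excerpt."""
    flags = re.findall(r"WINHTTP_CALLBACK_STATUS_FLAG_\w+", text)
    codes = [int(c) for c in re.findall(r"error=(\d+)", text)]
    server = re.search(r"Server (\S+) cert", text)
    return {
        "flags": flags,
        "errors": [WINHTTP_ERRORS.get(c, str(c)) for c in codes],
        "server": server.group(1) if server else None,
    }


def _dns_match(pattern, host):
    """RFC 6125-style DNS-ID match: case-insensitive; a leading '*' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def name_matches(cert, address):
    """Emulated identity check for a cert dict shaped like ssl.getpeercert() output.

    - An IP literal only matches an "IP Address" SAN; the CN is never consulted for IPs.
    - A hostname matches "DNS" SANs; the CN is used only when the cert has no DNS SANs.
    """
    sans = cert.get("subjectAltName", [])
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        dns_names = [cert.get("commonName", "")]  # legacy CN fallback
    return any(_dns_match(p, address) for p in dns_names)


# Constructed gateway certificate: named by FQDN only, like the one in the post.
GATEWAY_CERT = {
    "commonName": "remote.example.com",
    "subjectAltName": [("DNS", "remote.example.com")],
}


def demo():
    """Same certificate, three ways of addressing the second gateway."""
    with_ip_san = dict(GATEWAY_CERT)
    with_ip_san["subjectAltName"] = GATEWAY_CERT["subjectAltName"] + [("IP Address", "203.0.113.10")]
    return {
        "by_fqdn": name_matches(GATEWAY_CERT, "remote.example.com"),   # passes
        "by_ip": name_matches(GATEWAY_CERT, "203.0.113.10"),           # CERT_CN_INVALID
        "by_ip_with_ip_san": name_matches(with_ip_san, "203.0.113.10"),  # passes
    }


if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))
    print(demo())
```

The two fixes the matcher points at are the same ones a defender would check first: either publish the second gateway to clients under a name the certificate carries, or issue a certificate whose SANs include every name or address clients are told to use. Loosening the client's certificate checks is not one of them.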

L6 Presenter

Why do you want to use the same portal?

When using the same portal, how do you separate the gateways (in the portal configuration)?

L5 Sessionator

Multiple gateways on a single portal requires a GP Portal license on your portal firewall. Otherwise you cannot configure your second gateway on the 1st firewall. Do you have the license properly installed for GP Portal? The easiest way to check would be in the GUI: go to the Device tab > Licenses.

-Richard