Since upgrade globalprotect 2.1 certificate problems

L2 Linker


Hi all,

We are experiencing a problem with the new version of GlobalProtect 2.1. We have PA 6.0.3. We use a 3rd party as authentication manager. The problem appears with the certificate of the gateway: we use a wildcard signed certificate for this. All the GP clients upgraded to this version receive the following error: Gateway external_gateway_2: Server certificate verification failed. With version 2.0.x, this problem didn't occur. This is not a problem with all clients (laptops, Androids, ...), but it has become a problem with iOS devices, since they upgraded automatically from the App Store, since the App Store upgraded their version to 2.1. Does anybody know if this is a general problem? Does the new GlobalProtect client have a requirement of > PAN-OS 6.0.3?

Error message : Gateway external_gateway_2: Server certificate verification failed

From logs, tested with a 64-bit Win7 laptop:

(T99064) 10/11/14 13:32:30:934 Error(2147): Failed to verify server certificate of gateway xxxxxxxxxxxx.

(T99064) 10/11/14 13:32:30:934 Error(1520): Failed to retrieve info for gateway xxxxxxxxx.

(T99064) 10/11/14 13:32:30:934 Error(2350): NetworkDiscoverThread: failed to discover external network.

greetz


Accepted Solutions
L5 Sessionator

Hi Johan,

Can you confirm whether the gateway's address under External Gateways is an FQDN or an IP address? If it's an IP address, can you change it to the FQDN, commit and try again? Thank you.


All Replies

L2 Linker

That was the correct answer. I changed the gateway address to the URL, which is part of the wildcard certificate. It works now. What troubles me a bit is that I still see this in the logging of the GP client:

(T92424) 10/11/14 16:40:16:525 Info ( 107): Failed to verify server cert. Result is self signed certificate in certificate chain

(T92424) 10/11/14 16:40:16:525 Info ( 126): SSL_get_verify_result() failed: (null)

Any idea about this?

greetz,

Johan
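
Why switching the gateway address from an IP address to an FQDN covered by the wildcard certificate clears the verification error, as an added example that is not part of the original thread and is not GlobalProtect's own code. It assumes the 2.1 client applies standard TLS name matching (RFC 6125); the certificate names and addresses are constructed.

```python
import ipaddress

def _is_ip(value):
    """True if the configured gateway address is an IP literal, not a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """RFC 6125-style match: '*' is only honoured as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld"; the remaining labels must be identical.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_gateway_address(address, dns_names, ip_sans=()):
    """Return (ok, reason) for the address the client is told to connect to.
    dns_names: CN / dNSName entries of the gateway certificate.
    ip_sans:   iPAddress SAN entries, if the certificate has any."""
    if _is_ip(address):
        addr = ipaddress.ip_address(address)
        if any(addr == ipaddress.ip_address(s) for s in ip_sans):
            return True, "matches iPAddress SAN"
        return False, "IP address: DNS names and wildcards never match an IP"
    for name in dns_names:
        if dns_name_matches(name, address):
            return True, "matches " + name
    return False, "no certificate name covers this host name"

# Constructed sample: names on a wildcard certificate, candidate gateway addresses.
CERT_DNS_NAMES = ["*.example.com"]

if __name__ == "__main__":
    for candidate in ["203.0.113.10", "vpn.example.com",
                      "gw.vpn.example.com", "example.com"]:
        print(candidate, check_gateway_address(candidate, CERT_DNS_NAMES))
```

A name match only settles the host name half of verification; the chain still has to end at a root the client trusts.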

L6 Presenter

Hi Johan,

I had a similar issue with GP 2.1.0.

It was suggested to me that the CN of the gateway certificate has to be the same as the gateway name provided by the Portal.

Try this change, it should work.

Regards,

Hardik Shah

L6 Presenter

Hi Johan,

As of now, the end client doesn't trust the root CA which signed the "GP Certificate".

Which means you are supposed to install the root certificate.

Regards,

Hardik Shah

L2 Linker

Doesn't work.

I suppose it is not the CN of the name you give in the PA. I tried to give the gateway name the same name as the certificate. Still the same result.

greetz,

Johan

L6 Presenter

Hi Johan,

Makes sense... Did you install the root certificate on the GP client?

Regards,

Hardik Shah

L2 Linker

Hi there,

I'm getting the same error with GP 2.1 on Windows 8.1. Actually, I always have big trouble with Windows machines.
It works perfectly on Android and Apple, but Windows takes me hours and doesn't work every time. I do a huge hit-and-miss config every time.

Can somebody explain how to configure this please?

I bought the domain.

I generated a new CSR and had it signed by the trusted CA (VeriSign).

I imported the cert and I see the certs "merged" and have the FQDN name of a cert with "private key".

I select the cert for Server Cert.

I connect to the gateway and get the same error as everybody in this post.

Cannot select continue.

I use the FQDN for Cert name, Portal address, and in the GP client to connect.

Do I still need to export the cert and import it to the Windows client root folder? If so, why?
