We experiencing a problem with the new version of Global Protect 2.1.We have PA 6.0.3. We use a 3th party as authenticaton manager. The problem appears with the certificate of the gateway : we use forthis certificate a wildcard signed certificate. All the gp clients upgraded to this version receive the following error : Gateway external_gateway_2: Server certificate verification failed. With version 2.0.x , this problem didnt arrive. This is no problem with all clients (laptops, androids, ...), butthis has become problem with ios-devices, since they upgraded automically from appstore, since appstore upgraded their version to 2.1. Anybody knows if this is a general problem.Has the new globalprotect client a requirement of > panos 6.0.3 ?
Error message : Gateway external_gateway_2: Server certificate verification failed
from logs tested with 64 bit laptop win7 :
(T99064) 10/11/14 13:32:30:934 Error(2147): Failed to verify server certificate of gateway xxxxxxxxxxxx.
(T99064) 10/11/14 13:32:30:934 Error(1520): Failed to retrieve info for gateway xxxxxxxxx.
(T99064) 10/11/14 13:32:30:934 Error(2350): NetworkDiscoverThread: failed to discover external network.
Solved! Go to Solution.
That was correct answer. I changed the gateway address now tothe url, which makes part of the wildcard certficate. It works now. What troubles me a bit, is that I still see in the logging of the gp client : "
(T92424) 10/11/14 16:40:16:525 Info ( 107): Failed to verify server cert. Result is self signed certificate in certificate chain
(T92424) 10/11/14 16:40:16:525 Info ( 126): SSL_get_verify_result() failed: (null)
Any idea about this ?
I had similar issue with GP 2.1.0.
I was suggested that CN of gateway certificate has to be same as gateway name provided by Portal.
Try this change, it should work.
As of now end client doesnt trust the root CA which signed "GP Certificate".
Which means you are supposed to install root certificate.
I suppose it is not the cn of the name you give in the PA. I tried to give the gateway name the same as the name of the certificate . Still the same result
I'm getting the same error with GP 2.1 on Windows 8.1 , actually I always have big trouble with windows machines.
it works perfect on Android, Apple, but Windows takes me hours and not working every time. I do huge hit and miss config every time.
Can somebody explain how to configure this please?
I bought the domain.
I generated new CSR and signed it by the Trusted CA (VeriSign)
I imported the cert and I see the certs "merged" and have the FQDN name of a cert with "private key"
I select the cert for Server Cert
I connect to the gateway and get the same error as everybody in this post.
Can not select continue.
I use FQDN for Cert name, Portal address, and in GP client to connect.
Do I still need to export the cert and import to the windows client root folder? if so , why ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!