Since upgrade globalprotect 2.1 certificate problems


L2 Linker

Hi all,

We are experiencing a problem with the new version of GlobalProtect 2.1. We have PA 6.0.3. We use a 3rd party as authentication manager. The problem appears with the certificate of the gateway: for this certificate we use a signed wildcard certificate. All the GP clients upgraded to this version receive the following error: Gateway external_gateway_2: Server certificate verification failed. With version 2.0.x, this problem didn't arrive. This is no problem with all clients (laptops, Androids, ...), but this has become a problem with iOS devices, since they upgraded automatically from the App Store, since the App Store upgraded their version to 2.1. Does anybody know if this is a general problem? Does the new GlobalProtect client have a requirement of > PAN-OS 6.0.3?

Error message: Gateway external_gateway_2: Server certificate verification failed

From logs, tested with a 64-bit Win7 laptop:

(T99064) 10/11/14 13:32:30:934 Error(2147): Failed to verify server certificate of gateway xxxxxxxxxxxx.

(T99064) 10/11/14 13:32:30:934 Error(1520): Failed to retrieve info for gateway xxxxxxxxx.

(T99064) 10/11/14 13:32:30:934 Error(2350): NetworkDiscoverThread: failed to discover external network.

Greetz

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi Johan,

Can you confirm if the Gateway's IP address is an FQDN or an IP address under External Gateways? If it's an IP address, can you change it to an FQDN, commit and try again? Thank you.

That was the correct answer. I changed the gateway address now to the URL, which is part of the wildcard certificate. It works now. What troubles me a bit is that I still see in the logging of the GP client:

(T92424) 10/11/14 16:40:16:525 Info ( 107): Failed to verify server cert. Result is self signed certificate in certificate chain

(T92424) 10/11/14 16:40:16:525 Info ( 126): SSL_get_verify_result() failed: (null)

Any idea about this?

Greetz,

Johan
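
The accepted fix above (gateway address changed from an IP to an FQDN covered by the wildcard certificate) is consistent with standard TLS name matching. The sketch below is an added example, not code from the thread or from the vendor; it assumes RFC 6125-style matching, and the function names, `*.example.com` and the addresses are constructed for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """'*' is honoured only as the whole leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def gateway_address_matches(address, dns_names, ip_sans=()):
    """Return (ok, reason) for the address configured under External Gateways."""
    if _is_ip(address):
        addr = ipaddress.ip_address(address)
        if any(ipaddress.ip_address(s) == addr for s in ip_sans):
            return True, "matches an iPAddress SAN"
        # A wildcard is a DNS name; an IP literal is never compared against it.
        return False, "IP address is not covered by DNS names in the certificate"
    for name in dns_names:
        if dns_name_matches(name, address):
            return True, "matches " + name
    return False, "no certificate name covers this FQDN"

# Constructed sample values, not taken from the thread.
CERT_DNS_NAMES = ["*.example.com"]

def demo():
    candidates = ["203.0.113.10", "vpn.example.com", "gw.vpn.example.com"]
    return {c: gateway_address_matches(c, CERT_DNS_NAMES) for c in candidates}

if __name__ == "__main__":
    for address, (ok, reason) in demo().items():
        print(f"{address:22} {'OK  ' if ok else 'FAIL'} {reason}")
```

Name matching is a separate check from chain trust: a certificate can match the gateway FQDN and still log a chain error if the client does not trust the issuing root.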

L6 Presenter

Hi Johan,

I had a similar issue with GP 2.1.0.

It was suggested to me that the CN of the gateway certificate has to be the same as the gateway name provided by the Portal.

Try this change; it should work.

Regards,

Hardik Shah

Hi Johan,

As of now, the end client doesn't trust the root CA which signed the "GP Certificate".

Which means you are supposed to install the root certificate.

Regards,

Hardik Shah

Doesn't work.

I suppose it is not the CN of the name you give in the PA. I tried to give the gateway name the same as the name of the certificate. Still the same result.

Greetz,

Johan

Hi Johan,

Makes sense... Did you install the root certificate on the GP client?

Regards,

Hardik Shah

Hi there,

I'm getting the same error with GP 2.1 on Windows 8.1; actually, I always have big trouble with Windows machines.
It works perfectly on Android and Apple, but Windows takes me hours and does not work every time. I do a huge hit-and-miss config every time.

Can somebody explain how to configure this, please?

I bought the domain.

I generated a new CSR and had it signed by the trusted CA (VeriSign).

I imported the cert and I see the certs "merged" and have the FQDN name of a cert with "private key".

I select the cert for Server Cert.

I connect to the gateway and get the same error as everybody in this post.

Cannot select continue.

I use the FQDN for the cert name, the Portal address, and in the GP client to connect.

Do I still need to export the cert and import it to the Windows client root folder? If so, why?
