05-07-2011 02:35 PM
Hello,
I have a problem with my PA-500 (4.0.2). I'm unable to see the web server login page for the SSL-VPN. I get the SSL certificate security warning and then the browser hangs on loading (Waiting for IP-ADDRESS) and nothing happens.
I already disabled the client certificate, changed the server certificate and changed the authentication profile, but the problem persists. I also reinstalled the OS.
If I execute the command "tail webserver-log sslvpn-error.log" on the CLI, I get the following log:
default:2 main --------------------------------------------
default:0 main In mprPanEspInit()
default:0 main In PanEspModule()
default:0 main In mprPanSSLVPNInit()
default:0 main In PanSSLVPNModule()
default:1 main Error: Can't access DocumentRoot directory
default:1 main Error: Ignoring bad directive "DocumentRoot" at line 181 in /etc/appweb/sslvpn.conf
Could you please explain the last line to me?
Regards,
Markus
05-09-2011 04:49 AM
Hi Markus
This can sometimes be related to a misconfiguration in captive portal. Are you using CP, and if so, have you set source and destination zones correctly? (any-any will cause this)
05-09-2011 02:06 PM
Hi,
Yes, CP was enabled. I disabled the CP rule and also disabled the User Auth rule, but the error is still there. On my external interface I'm not able to see the web server. It looks like a binding problem. In the l3svc-error.log are the following lines:
default:2 main Configuration for PanWeb Server
default:2 main --------------------------------------------
default:2 main Host: CTINFPA01
default:2 main CPU: mips64
default:2 main OS: LINUX
default:2 main Distribution: unknown Unknown
default:2 main OS: LINUX
default:2 main Version: 2.4.0.0
default:2 main BuildType: RELEASE
default:2 main Started at: Mon May 9 22:55:39 2011
default:2 main Log rotation count: 0
default:2 main --------------------------------------------
default:0 main In mprPanEspInit()
default:0 main In PanEspModule()
default:0 main In mprPanMgmtInit()
default:0 main In PanMgmtModule()
default:0 main SSL: Need to get private key for /webserver from cryptod
default:0 main SSL: Try# 1 to get key for web_certificate_key from cryptod
default:0 main pclose returned 0 with errno 0 which is an error
default:0 main Got key for web_certificate_key from cryptod
I hope this could help to find the problem
regards,
markus
05-09-2011 04:23 PM
Did you either generate a self-signed SSL key or import a matching key for the hostname from a valid external certificate authority for the VPN?
Sounds like you simply don't have an SSL key bound to the VPN properly. Under the SSL VPN configuration, do you have a certificate selected?
Cheers.
05-09-2011 09:34 PM
Hi,
I generated a self-signed certificate for the hostname with a validity since 2020. I also bound the certificate to the SSL-VPN under
NETWORK -- SSL-VPN -- <NAME_OF_VPN> -- Server Certificate, but nothing happens. The workaround of generating a new cert and binding it to the VPN did not succeed.
05-10-2011 08:02 AM
@computop:
Based upon your description of the configuration, it sounds like you have done the setup correctly.
Perhaps you can share a screenshot of your Device -> Certificates page. That may show us a vital clue.
A screenshot of your ssl-vpn configuration screen might also be helpful.
-Benjamin
05-12-2011 12:36 PM
Hi,
I was able to resolve the problem. There was an error in my config. I bound the tunnel interface and the local interface to the external zone. After I created a new zone "vpn_clients" and connected the tunnel interface with it, the web interface came back. Now I can log in and everything is fine!
Thanks for your assistance!
- Markus -
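The root cause reported in the last post (the tunnel interface placed in the same zone as the external interface) can be checked for offline in an exported configuration. The sketch below is an added example, not code from this thread or from the vendor; the XML layout (zone/entry/network/layer3/member) and all zone and interface names in the samples are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the thread. The element layout is an
# assumed shape for the zone section of an exported configuration.
SAMPLE_BEFORE = """
<config><zone>
  <entry name="external"><network><layer3>
    <member>ethernet1/1</member>
    <member>tunnel.1</member>
  </layer3></network></entry>
  <entry name="internal"><network><layer3>
    <member>ethernet1/2</member>
  </layer3></network></entry>
</zone></config>
"""

# Same config after moving the tunnel interface into its own zone.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "    <member>tunnel.1</member>\n", ""
).replace(
    "</zone>",
    '<entry name="vpn_clients"><network><layer3>'
    "<member>tunnel.1</member></layer3></network></entry></zone>",
)


def zone_members(xml_text):
    """Return {zone name: [layer3 interface names]} from the config text."""
    root = ET.fromstring(xml_text)
    zones = {}
    for zone_section in root.iter("zone"):
        for entry in zone_section.findall("entry"):
            members = [m.text.strip()
                       for m in entry.findall("./network/layer3/member")
                       if m.text and m.text.strip()]
            zones[entry.get("name")] = members
    return zones


def shared_tunnel_zones(xml_text):
    """Flag zones that mix tunnel interfaces with any other interface."""
    findings = {}
    for zone, members in zone_members(xml_text).items():
        tunnels = sorted(m for m in members if m.startswith("tunnel"))
        others = sorted(m for m in members if not m.startswith("tunnel"))
        if tunnels and others:
            findings[zone] = {"tunnel": tunnels, "other": others}
    return findings


if __name__ == "__main__":
    print("before:", shared_tunnel_zones(SAMPLE_BEFORE))
    print("after: ", shared_tunnel_zones(SAMPLE_AFTER))
```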