ssl-vpn unable to login


L1 Bithead

Hello,

I have a problem with my PA-500 (4.0.2). I'm unable to see the webserver login page for the SSL-VPN. I get the SSL certificate security warning and then the browser hangs on loading (Waiting for IP-ADDRESS) and nothing happens.

I already disabled the client certificate, changed the server certificate and changed the authentication profile, but the problem still exists. I also reinstalled the OS.

If I execute the command "tail webserver-log sslvpn-error.log" on the CLI I get the following Log:

   default:2 main  --------------------------------------------
   default:0 main  In mprPanEspInit()
   default:0 main  In PanEspModule()
   default:0 main  In mprPanSSLVPNInit()
   default:0 main  In PanSSLVPNModule()
   default:1 main  Error: Can't access DocumentRoot directory
   default:1 main  Error: Ignoring bad directive "DocumentRoot" at line 181 in /etc/appweb/sslvpn.conf

Could you please explain the last line to me?

Regards,

Markus

6 REPLIES

Cyber Elite

Hi Markus

This can sometimes be related to a misconfiguration in captive portal. Are you using CP, and if so, have you set source and destination zones correctly? (any-any will cause this)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

Yes, CP was enabled. I disabled the CP rule and also disabled the User Auth rule, but the error is still there. On my external interface I'm not able to see the webserver. It looks like a binding problem. In the l3svc-error.log are the following lines:

default:2 main  Configuration for PanWeb Server
   default:2 main  --------------------------------------------
   default:2 main  Host:               CTINFPA01
   default:2 main  CPU:                mips64
   default:2 main  OS:                 LINUX
   default:2 main  Distribution:       unknown Unknown
   default:2 main  OS:                 LINUX
   default:2 main  Version:            2.4.0.0
   default:2 main  BuildType:          RELEASE
   default:2 main  Started at:         Mon May  9 22:55:39 2011
   default:2 main  Log rotation count: 0
   default:2 main  --------------------------------------------
   default:0 main  In mprPanEspInit()
   default:0 main  In PanEspModule()
   default:0 main  In mprPanMgmtInit()
   default:0 main  In PanMgmtModule()
   default:0 main  SSL: Need to get private key for /webserver from cryptod
   default:0 main  SSL: Try# 1 to get key for web_certificate_key from cryptod
   default:0 main  pclose returned 0 with errno 0 which is an error
   default:0 main  Got key for web_certificate_key from cryptod

I hope this helps to find the problem.

regards,

markus

Did you either generate a self-signed SSL key or import a matching key for the hostname from a valid external certificate authority for the VPN?

Sounds like you simply don't have an SSL key bound to the VPN properly. Under the SSL VPN configuration, do you have a certificate selected?

Cheers.

Hi,

I generated a self-signed certificate for the hostname with a validity since 2020. I also bound the certificate to the SSL-VPN under

NETWORK -- SSL-VPN -- <NAME_OF_VPN> -- Server Certificate, but nothing happens. The workaround of generating a new cert and binding it to the VPN did not succeed.

@computop:

Based upon your description of the configuration, it sounds like you have done the setup correctly.

Perhaps you can share a screenshot of your Device -> Certificates page. That may show us a vital clue.

A screenshot of your ssl-vpn configuration screen might also be helpful.

-Benjamin

L1 Bithead

Hi,

I could resolve the problem. There was an error in my config. I bound the tunnel interface and the local interface to the external zone. After I created a new zone "vpn_clients" and connected the tunnel interface with it, the web interface came back. Now I can log in and everything is fine!

thanks for your assistance!

- Markus -
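
Added example, not part of the original thread and not vendor tooling: a small check for the misconfiguration described in the last post, where a tunnel interface shares a zone with another layer 3 interface. It assumes a simplified zone section in the zone / entry / network / layer3 / member layout of an exported configuration; the sample XML, zone names and interface names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): tunnel.1 sits in the same zone as the
# external interface, as in the faulty setup described in the thread.
SAMPLE_BEFORE = """
<zone>
  <entry name="external">
    <network><layer3>
      <member>ethernet1/1</member>
      <member>tunnel.1</member>
    </layer3></network>
  </entry>
  <entry name="internal">
    <network><layer3><member>ethernet1/2</member></layer3></network>
  </entry>
</zone>
"""

# Constructed sample (assumption): tunnel.1 moved into its own zone,
# matching the "vpn_clients" fix from the thread.
SAMPLE_AFTER = """
<zone>
  <entry name="external">
    <network><layer3><member>ethernet1/1</member></layer3></network>
  </entry>
  <entry name="vpn_clients">
    <network><layer3><member>tunnel.1</member></layer3></network>
  </entry>
</zone>
"""


def zones_mixing_tunnel_and_other(zone_xml):
    """Return {zone: (tunnel_ifaces, other_ifaces)} for zones that hold both."""
    findings = {}
    for entry in ET.fromstring(zone_xml).findall("entry"):
        members = [m.text.strip() for m in entry.iter("member") if m.text]
        tunnels = sorted(m for m in members if m.startswith("tunnel"))
        others = sorted(m for m in members if not m.startswith("tunnel"))
        if tunnels and others:
            findings[entry.get("name")] = (tunnels, others)
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, zones_mixing_tunnel_and_other(xml_text))
```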
