User-ID Agent - Failed to validate client certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User-ID Agent - Failed to validate client certificate

Hi,

 

I am running a v6.0 Palo virtual firewall and trying to connect to a user-id agent on a Windows 2k8r2 server. I am running version 8.0.4-5 of the UID agent.

 

I have configured as per all documentation however I am getting the following log messages popping up in the agent software:

 

Failed to validate client certificate, thread : 1, 1-0!

 

If I check the logs on the firewall itself I have following log messages popping up every 5 seconds:

 

pan_ssl_conn_open(pan_ssl_utils.c:464): Error: Failed to Connect to 192.168.5.100(source: 192.168.5.11), SSL error: error:00000000:lib(0):func(0):reason(0)(5)

 

I am truly at my wits end, cannot seem to find anything useful about this online and not sure how to troubleshoot this.

 

Does anyone have any suggestions?

 

Thanks,

1 accepted solution

Accepted Solutions

Community Team Member

Hi @luke.lloyd-jones,

 

I have not tested versions that far apart but will this even work ?

Just asking because the UID agent release notes say it'll only work with supported releases :

 

The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.

 

That said, PAN-OS 6.0 was end-of-life March 19, 2017.

 

It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.

 

Cheers,

-Kiwi.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

5 REPLIES 5

L2 Linker

Do you have an SSL/TSL profile?

 

There's a cert issue for sure with the SSL connection. So either the agent or the firewall are using out of date certs or some other mismatch. 

****************************************************
ACE 7.0, PCNSE7

Community Team Member

Hi @luke.lloyd-jones,

 

I have not tested versions that far apart but will this even work ?

Just asking because the UID agent release notes say it'll only work with supported releases :

 

The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.

 

That said, PAN-OS 6.0 was end-of-life March 19, 2017.

 

It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.

 

Cheers,

-Kiwi.

 

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks for the tip, I thought those two would be compatible but turns out not. I actually just removed my v8 UID agent and installed the v6 version (had to remove the service first though with a "sc delete "UserIDService" command, super annoying) and all working now.

I'm using PAN-OS 6.1 and have the same problem. Unfortuntely I have to use the latest version because this is the only version supported on my 2016 DC.

 

Certificates should be fine on both sides. Is there any other thing I can check?

Is it possible to disable the certificate check in User-ID Agent 8.0.4?

This was a bug. Fixed with User-ID Agent 8.0.5!

  • 1 accepted solution
  • 15654 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!