User-ID Agent - Failed to validate client certificate

Announcements
Attention: The LIVEcommunity is experiencing an interruption with videos in some areas. We apologize for any inconvenience this may cause. Thank you for your patience as we work towards a solution to restore videos.
Reply
Highlighted

User-ID Agent - Failed to validate client certificate

Hi,

 

I am running a v6.0 Palo virtual firewall and trying to connect to a user-id agent on a Windows 2k8r2 server. I am running version 8.0.4-5 of the UID agent.

 

I have configured as per all documentation however I am getting the following log messages popping up in the agent software:

 

Failed to validate client certificate, thread : 1, 1-0!

 

If I check the logs on the firewall itself I have following log messages popping up every 5 seconds:

 

pan_ssl_conn_open(pan_ssl_utils.c:464): Error: Failed to Connect to 192.168.5.100(source: 192.168.5.11), SSL error: error:00000000:lib(0):func(0):reason(0)(5)

 

I am truly at my wits end, cannot seem to find anything useful about this online and not sure how to troubleshoot this.

 

Does anyone have any suggestions?

 

Thanks,


Accepted Solutions
Highlighted
Community Team Member

Re: User-ID Agent - Failed to validate client certificate

Hi @luke.lloyd-jones,

 

I have not tested versions that far apart but will this even work ?

Just asking because the UID agent release notes say it'll only work with supported releases :

 

The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.

 

That said, PAN-OS 6.0 was end-of-life March 19, 2017.

 

It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.

 

Cheers,

-Kiwi.

 

 

View solution in original post


All Replies
Highlighted
L2 Linker

Re: User-ID Agent - Failed to validate client certificate

Do you have an SSL/TSL profile?

 

There's a cert issue for sure with the SSL connection. So either the agent or the firewall are using out of date certs or some other mismatch. 

****************************************************
ACE 7.0, PCNSE7
Highlighted
Community Team Member

Re: User-ID Agent - Failed to validate client certificate

Hi @luke.lloyd-jones,

 

I have not tested versions that far apart but will this even work ?

Just asking because the UID agent release notes say it'll only work with supported releases :

 

The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.

 

That said, PAN-OS 6.0 was end-of-life March 19, 2017.

 

It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.

 

Cheers,

-Kiwi.

 

 

View solution in original post

Highlighted

Re: User-ID Agent - Failed to validate client certificate

Thanks for the tip, I thought those two would be compatible but turns out not. I actually just removed my v8 UID agent and installed the v6 version (had to remove the service first though with a "sc delete "UserIDService" command, super annoying) and all working now.

Highlighted
L2 Linker

Re: User-ID Agent - Failed to validate client certificate

I'm using PAN-OS 6.1 and have the same problem. Unfortuntely I have to use the latest version because this is the only version supported on my 2016 DC.

 

Certificates should be fine on both sides. Is there any other thing I can check?

Is it possible to disable the certificate check in User-ID Agent 8.0.4?

Highlighted
L2 Linker

Re: User-ID Agent - Failed to validate client certificate

This was a bug. Fixed with User-ID Agent 8.0.5!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!