08-29-2017 03:57 AM
Hi,
I am running a v6.0 Palo virtual firewall and trying to connect to a user-id agent on a Windows 2k8r2 server. I am running version 8.0.4-5 of the UID agent.
I have configured as per all documentation however I am getting the following log messages popping up in the agent software:
Failed to validate client certificate, thread : 1, 1-0!
If I check the logs on the firewall itself I have following log messages popping up every 5 seconds:
pan_ssl_conn_open(pan_ssl_utils.c:464): Error: Failed to Connect to 192.168.5.100(source: 192.168.5.11), SSL error: error:00000000:lib(0):func(0):reason(0)(5)
I am truly at my wits end, cannot seem to find anything useful about this online and not sure how to troubleshoot this.
Does anyone have any suggestions?
Thanks,
08-29-2017 07:53 AM
I have not tested versions that far apart but will this even work ?
Just asking because the UID agent release notes say it'll only work with supported releases :
The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.
That said, PAN-OS 6.0 was end-of-life March 19, 2017.
It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.
Cheers,
-Kiwi.
08-29-2017 07:34 AM - edited 08-29-2017 07:34 AM
Do you have an SSL/TSL profile?
There's a cert issue for sure with the SSL connection. So either the agent or the firewall are using out of date certs or some other mismatch.
08-29-2017 07:53 AM
I have not tested versions that far apart but will this even work ?
Just asking because the UID agent release notes say it'll only work with supported releases :
The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by Palo Alto Networks.
That said, PAN-OS 6.0 was end-of-life March 19, 2017.
It might work if you fix the certs as mentioned earlier but I'd go and upgrade to a supported version.
Cheers,
-Kiwi.
09-05-2017 01:31 AM
Thanks for the tip, I thought those two would be compatible but turns out not. I actually just removed my v8 UID agent and installed the v6 version (had to remove the service first though with a "sc delete "UserIDService" command, super annoying) and all working now.
10-02-2017 06:59 AM
I'm using PAN-OS 6.1 and have the same problem. Unfortuntely I have to use the latest version because this is the only version supported on my 2016 DC.
Certificates should be fine on both sides. Is there any other thing I can check?
Is it possible to disable the certificate check in User-ID Agent 8.0.4?
11-17-2017 07:07 AM
This was a bug. Fixed with User-ID Agent 8.0.5!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
