For details on cookie usage on our site, read our Privacy Policy
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
VPN client certificates rejected until firewall reboot
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- VPN client certificates rejected until firewall reboot
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 01:24 PM
I had to reboot my firewall this morning because it erroneously rejected client certificates required by a VPN.
Firewall system logs show critical event "Out of memory condition detected, kill process 3" at 4:06am
I had the exact same issue on May 5th as well (and reporting to PA) where Clients getting VPN certificate errors despite being nowhere near expiration and reinstalling certifications
Is anyone aware of a fix?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 03:12 PM
I also have seen this issue. Clients were not able to connect and they were presented with a message that a valid certificste is required. I also saw the out of memory logs. After that I installed PAN-OS 9.1.10 which has quite a few fixes for something that could result in this problem. So far the error did not happen again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 02:11 PM
I've ran into this a few times with 10.0 throughout various releases and haven't gotten an actual direct answer from support. I'd keep reporting it, because it's definitely a bug somewhere that they just don't appear to have enough data to track down yet.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 03:12 PM
I also have seen this issue. Clients were not able to connect and they were presented with a message that a valid certificste is required. I also saw the out of memory logs. After that I installed PAN-OS 9.1.10 which has quite a few fixes for something that could result in this problem. So far the error did not happen again.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 03:18 PM
Are either of you running in HA Pair? I am wondering whether or not that might mitigate the issue in active-passive and/or active-active until there is a bug fix. Both times this issue occurred early morning, and fortunately only two people were in the office by then.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 03:25 PM
I had the issue in a HA pair (active-passive). Actually we have more than 10 other firewall HA pairs where we use global protect, but so far (luckily) the issue only happened on one of them ...
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 03:29 PM
Got it. So the passive firewall took over while you rebooted the problematic active firewall, and users didn't have downtime during the reboot. Is that correct? How much time did it take to configure active-passive mode for the first time?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 04:24 PM
As long as you immediately reboot the firewall after the OOM systemlog, then yes you will be able to reduce the downtime to almost 0. Otherwise there will still be a timeframe where users are not able to connect.
Setting up a HA pair on the firewallside is quite easy to do. The walkthrough with a step by step manual you can find here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activepassive-ha/...
Depending on thw network setup you need to change some things there too.
What PAN-OS version do you currently run on this firewall?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 04:29 PM
9.1.9
I tried upgrading to 10.0 a couple of times last year, but found it too buggy at the time. Not sure if it stable enough to run production now, but I will likely wait at least a few more weeks before considering an upgrade.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 04:31 PM
I think you should consider an update to 9.1.10. Maybe the situation gets also better for you and maybe the issue is already completely resolved in this version
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-29-2021 04:32 PM
Agreed. I'll likely try it this weekend
- Third party SSL cert for Global Protect in GlobalProtect Discussions
- Access to PA-200 Web GUI is Denied. in General Topics
- Best Practice for Root CA Self Signed Cert on NGFW in Next-Generation Firewall Discussions
- Unable to see all existing certificates on api configuration but on Firewall(GUI&CLI) in Panorama Discussions
- SSL certificate for passive firewall in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
