- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-05-2024 03:02 PM
Hello Team
We recently upgraded to 9.1.16-h3 on Dec 15th and we started having issues with Global Protect where users are not able to authenticate using the certificate. We have checked and made sure that the correct with its private key is present in the User's Personal Cert Store and has the correct "subject" in the certificate as well.
We know the cert is correct as we are using the same cert to connect with two other portals on different Palo Firewalls that we have with similar configuration and having the Same Root CA certs.
Strange part is, some users on the same portal can connect and disconnect without any issues but a few users are having this problem. Everyone uses same GP CLient version:5.2.12-26 which is able to connect with 2 portals using same cert but fails to connect with the portal in question.
We have checked "appweb3-sslvpn" log file and can see errors:
2024-01-05 08:14:57.565 +0000 Error: panSslVpnClientCert_check_hmac(sslvpnHandler.c:402): clientcert-info.sslvpn check failed! ts is out of range! now (1704442497) ts(1704442563) diff (-66)
2024-01-05 08:14:57.575 +0000 Error: panGlobalProtectPreLogin(panPhpGlobalProtect.c:1992): panGlobalProtectPreLogin error: cert_present: no [Fri Jan 5 08:14:57 2024] Script:
PANGPA shows:
(P13644-T9888)Debug(5134): 01/04/24 22:33:22:907 we get cert error, so remove previousCertificate
(P13644-T9888)Debug(4757): 01/04/24 22:33:22:908 client certificate error found: Client cert usage check failed
Error(2290): 01/04/24 22:33:23:686 error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
The users gets the following error message:
A valid client certificate is required for authentication. If the issue persists, contact your administrator
As stated above we have already verified that users have the right cert as they were able to login to two other portals without any issues. Some users are still able to get in using the same GP client but the issue we are seeing are for some users. We have already tried to delete the cert from Personal stores and imported again with private key but it did not help.
No cores found related to any process. Already tried restarting the process appweb3-sslvpn to no help.
Any help would be appreciated thanks.
01-07-2024 05:54 PM
It has to be something wrong somewhere as this error does not come for a reason.
Please check the Certs on PC and and Config on PA
Regards
01-08-2024 05:23 AM
@MP18 This issue was really strange as client were using the same cert to get authenticated with 2 other portals on a different PA without any issues - same root CA.
We had the firewall rebooted and this resolved the issue. Clients are note getting a cert error anymore while trying to login to GP portal.
01-08-2024 07:16 AM
That is weird so you have setup with multiple gateways on different firewalls?
Regards
01-08-2024 07:31 AM
Different Firewalls, having different portal which uses same Root CA and client authenticate using the same Client certs.
The issue was happening for some users even though they had the right client cert as in my above post and other users were able to login correctly using the same GP client. Also we did not see any other issues if the users were trying to access any different portals on different firewall.
I see this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCl0CAG&lang=en_US%E2%80%A...
But ofcourse we are on 9.1.16-h3 and we also did not see any spikes in "mgmt ntpd" but yes just a reboot resolved our issue.
01-08-2024 08:05 AM
So we have currently one portal and gateway on PA in HA mode.
I am going to add second portal in coming weeks on different PA in Active passive mode.
So for end user if there PC has two Portal addresses whichever answers first GP client will connect to it.
I am adding Second portal and gateway where if we have any issues while upgrading the PAN OS on one pair of firewalls then users can connect to the second portal.
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!