Global Protect users can't connect - certificate out of date


L1 Bithead

Hello,

I have over 1000 users, and just this week some users (maybe 10) have not been able to connect to Global Protect from home. I worked out it's because their ROOTCA has expired under Manage Certificates on their laptop. It's been working for 2 years and every user seems to have different dates. As far as I know, the certificate server on the on-prem corporate network is supposed to update their certificate periodically. It must have done this at some stage. I am not getting much response from the server team who look after the certificate server, and I know the Global Protect users have routing and the relevant ports open to connect to the cert server.

When a user can't connect, he has to drive to the office and connect to the LAN. Then the server team issues him a renewed certificate. Then he can go home and connect in again, no problems.

How do I prove the Palo Alto is not the problem?

Thanks, Kevin


2 REPLIES 2

Cyber Elite

@Kevin-OHare,

Ummm ... that actually sounds like a firewall problem to me. Short of something being very oddly configured in Group Policy, I can't see how this isn't an issue with communication between the GlobalProtect clients and your PKI hosts. Sadly, you would need your server team to review Group Policy and the PKI server if you don't have access to either, but if it's working when a client is on-site, it should be working over the GlobalProtect connection.

L1 Bithead

Thanks for the reply - I have got two users to go into site and the server team had to remote onto their laptop and do the following:

  • Start
  • Manage computer certificates
  • Personal
  • Root certificates
  • … issued by ROOTCA - click on the certificate and renew it

Should this not be an automatic thing that happens once a year?
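
One way to gather evidence for the question asked in this thread, as an added example that is not part of any post above: a PowerShell check run on an affected laptop while it is connected through GlobalProtect. It assumes the CA is a Microsoft AD CS server using Windows autoenrollment (the thread does not say); `ca01.corp.example`, the 30-day threshold and the function name `Get-MachineCertExpiry` are placeholders chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell on an affected laptop while it
# is connected through GlobalProtect.
$IssuerMatch = 'ROOTCA'             # issuer name as written in the thread
$CaHost      = 'ca01.corp.example'  # placeholder: your issuing CA's hostname
$WarnDays    = 30                   # assumption: flag anything inside 30 days

function Get-MachineCertExpiry {
    param([string]$Issuer, [int]$Warn)
    # Personal store of the computer account, filtered on the issuer name.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*$Issuer*" } |
        ForEach-Object {
            $days = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            if     ($days -lt 0)     { $state = 'EXPIRED' }
            elseif ($days -le $Warn) { $state = 'RENEW SOON' }
            else                     { $state = 'OK' }
            [pscustomobject]@{
                Subject  = $_.Subject
                NotAfter = $_.NotAfter
                DaysLeft = $days
                State    = $state
            }
        }
}

# 1. Which certificates are on the laptop and when do they expire?
Get-MachineCertExpiry -Issuer $IssuerMatch -Warn $WarnDays | Format-Table -AutoSize

# 2. Is the CA reachable over the tunnel? InterfaceAlias shows which adapter
#    carried the test. TCP 135 is only the RPC endpoint mapper; enrollment then
#    moves to a dynamic RPC port, which the firewall policy must also allow.
Test-NetConnection -ComputerName $CaHost -Port 135 |
    Select-Object ComputerName, RemoteAddress, InterfaceAlias, TcpTestSucceeded

# 3. Ask Windows to run autoenrollment now, then read what it logged.
certutil -pulse
Start-Sleep -Seconds 30
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Collecting the three outputs from one affected and one healthy laptop gives both teams the same facts: the expiry dates show whether renewal ever ran, the port test shows whether the CA answers over the tunnel, and the autoenrollment events carry the error Windows recorded for each attempt.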
