This past week we have experienced this issue where users are unable to connect to GlobalProtect. This is happening at random and on multiple firewalls with version 9.1.11-h3; the GlobalProtect client version is 5.2.3.
Looking at the logs, this is what it shows under Monitor -> GlobalProtect
Strangely enough, the certificate IS installed on the client. The client certificate is valid, as are the root CAs.
Any pointers will be greatly appreciated.
I've run into this on a few different occasions throughout various PAN-OS releases and restarting the sslvpn-web-server process fixed the issue. Just know that this will momentarily disrupt GlobalProtect, so generally speaking a failover would be preferred under an Active/Passive scenario in some situations.
Also just as a reminder, 5.2.3 is kind of dated at this point. I would recommend validating a newer agent build and rolling it out. There are quite a few issues that have been addressed since 5.2.3 that you wouldn't have.
I'm pretty sure that you're having this problem because of bug PAN-163030. Let's check it out in the release notes of 9.1.x or 10.0.x. I've recreated this problem and the workaround was to restart the sslvpn-web-server process. This is fixed in 10.0.9 but I haven't upgraded to that version yet.