GlobalProtect Required client certificate not found - Export-Import certificate(s)
cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Required client certificate not found - Export-Import certificate(s)

L1 Bithead

Windows 10 (1909)

 

GlobalProtect stopped working with error message "ConnectionFailed: Required client certificate not found".

 

Our IT Administrator is unable to solve it, sorry.

 

Please help.

I have another Windows 10 laptop, that have certificates and GlobalProtect works fine.

9 REPLIES 9

L1 Bithead

Dump

 

02/08/21 10:25:42:262 CaptivePortalDetectionThread: IsDetectingCaptivePortal=0, PreLoginIsDone=1
(T15364)Debug(5016): 02/08/21 10:25:42:262 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T15632)Info ( 502): 02/08/21 10:26:06:975 msgtype = setdebug
(T15632)Info (1640): 02/08/21 10:26:06:975 Setting debug level to 6
(T15632)Dump (11128): 02/08/21 10:26:06:975 Set m_bPreviousSwitchOffMsg to 0
(T15628)Debug(2381): 02/08/21 10:26:06:975 Setting debug level to 6
(T15632)Dump ( 312): 02/08/21 10:26:10:899 Recv len is 1008
(T15632)Info ( 502): 02/08/21 10:26:10:899 msgtype = portal
(T15632)Debug(2234): 02/08/21 10:26:10:899 ----portal processing starts----
(T15632)Debug(2262): 02/08/21 10:26:10:899 User profile type is 0(not roaming)
(T15632)Debug(2295): 02/08/21 10:26:10:899 pg, source = 0, old source is 0
(T15632)Debug(2317): 02/08/21 10:26:10:899 pg, preferred gateway not set in message, old prefergateway=:)
(T15632)Dump (2370): 02/08/21 10:26:10:899 checkupdate tag exists with value no
(T15632)Debug(2374): 02/08/21 10:26:10:899 CheckUpdate is false.
)(T15632)Debug(2389): 02/08/21 10:26:10:899 portal-certificate-verification is yes
(T15632)Dump (2399): 02/08/21 10:26:10:899 m_bVerifyPortalCertificate and m_bAdditionalCheck are true.
)(T15632)Debug(2429): 02/08/21 10:26:10:899 No saml-load-cache tag.
(T15632)Debug(2452): 02/08/21 10:26:10:899 no saml-auth-error tag.
(T15632)Debug(2465): 02/08/21 10:26:10:899 allow-cached-portal is yes
(T15632)Dump (2504): 02/08/21 10:26:10:899 This portal message is not from prelogon thread
(T15632)Debug(2509): 02/08/21 10:26:10:899 NewWinUser is MINDLINM, WinUser is , PreviousSwitchOffMsg is false
(T15632)Debug(2510): 02/08/21 10:26:10:899 GetPrelogonStatus() 0, m_userName ___empty_username___, m_preUsername
(T15632)Debug(3268): 02/08/21 10:26:10:899 Grace period is 0
(T15632)Debug(6522): 02/08/21 10:26:10:899 StopThreads starts:
(T15632)Debug(6529): 02/08/21 10:26:10:899 There are 5 threads running...
(T16228)Debug(5852): 02/08/21 10:26:10:899 HipReportThread: got exit event.
(T15632)Debug(1384): 02/08/21 10:26:10:899 Logging out gateway, reason is StopThreads
(T16228)Debug(6151): 02/08/21 10:26:10:899 HipReportThread: HipReportThread quits.
(T15632)Debug(1423): 02/08/21 10:26:10:899 Logging out gateway over
(T10160)Debug(6293): 02/08/21 10:26:10:899 NetworkConnectionMonitorThread: got exit event.
(T15632)Debug(6539): 02/08/21 10:26:10:899 Going to wait all threads exit...
(T16204)Debug(5268): 02/08/21 10:26:10:899 NetworkDiscoverThread: got exit event.
(T3456)Debug(4818): 02/08/21 10:26:10:899 NotificationTimerThread: got exit event.
(T16204)Debug(5719): 02/08/21 10:26:10:899 NetworkDiscoverThread: quits.
(T10160)Debug(6308): 02/08/21 10:26:10:899 NetworkConnectionMonitorThread: quits.
(T15364)Debug(5019): 02/08/21 10:26:10:899 CaptivePortalDetectionThread: got exit event.
(T15364)Debug(5183): 02/08/21 10:26:10:899 CaptivePortalDetectionThread: captive portal detection thread exit status is (failed).
(T15632)Debug(6543): 02/08/21 10:26:11:008 threads are gracefully stopped, counter=599.
(T15632)Debug(6556): 02/08/21 10:26:11:008 Double check all threads.
(T15632)Debug(6602): 02/08/21 10:26:11:008 To reset thread quit event.
(T15852)Debug( 435): 02/08/21 10:26:11:008 HipMissingPatchThread: got thread exit event.
(T2488)Debug( 242): 02/08/21 10:26:11:008 HipCheckThread: got thread exit event.
(T14148)Debug( 418): 02/08/21 10:26:11:008 HipMonitor gets quit event.
(T14148)Debug( 435): 02/08/21 10:26:11:008 Unregister -- WscUnRegisterChanges
(T14148)Debug( 763): 02/08/21 10:26:11:024 HipMonitorThread quits.
(T2488)Debug( 287): 02/08/21 10:26:11:024 HipCheckThread: Hip check thread quits.
(T15852)Debug( 533): 02/08/21 10:26:11:039 HipMissingPatchThread: Hip check missiing patch thread quits.
(T15632)Debug( 132): 02/08/21 10:26:11:039 All hip collect threads quit gracefully.
(T15632)Debug(6612): 02/08/21 10:26:11:039 StopThreads ends.
(T15632)Dump (2526): 02/08/21 10:26:11:039 Clear lastErrStr
(T15632)Dump (4358): 02/08/21 10:26:11:039 Set registry LastErrorString as
(T15632)Debug(6486): 02/08/21 10:26:11:039 StartThreads starts:
(T15628)Debug(2381): 02/08/21 10:26:11:039 Setting debug level to 6
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x6d8 with thread ID 13716
(T13716)Debug(4661): 02/08/21 10:26:11:039 NotificationTimerThread: notification timer thread starts.
(T13716)Debug(4811): 02/08/21 10:26:11:039 NotificationTimerThread: wait (-1 ms) for notification timer event.
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x6e0 with thread ID 11188
(T11188)Debug(4857): 02/08/21 10:26:11:039 CaptivePortalDetectionThread: captive portal detection thread starts.
(T11188)Debug(5016): 02/08/21 10:26:11:039 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x6dc with thread ID 7904
(T7904)Debug(5193): 02/08/21 10:26:11:039 NetworkDiscoverThread: network discover thread starts.
(T7904)Debug(5258): 02/08/21 10:26:11:039 NetworkDiscoverThread: wait for network discover event.
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x6d4 with thread ID 15744
(T15744)Debug(5811): 02/08/21 10:26:11:039 HipReportThread: HipReportThread starts up.
(T15744)Debug(5844): 02/08/21 10:26:11:039 HipReportThread: wait for HIP report ready event.
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x698 with thread ID 15876
(T15876)Debug(6159): 02/08/21 10:26:11:039 NetworkConnectionMonitorThread: network connection monitor thread starts.
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x554 with thread ID 15872
(T15872)Debug( 167): 02/08/21 10:26:11:039 Start HipCheckThread
(T15872)Debug( 210): 02/08/21 10:26:11:039 HipCheckThread started...
(T15872)Debug( 216): 02/08/21 10:26:11:039 HipCheckThread: wait for hip check event for 3600000 ms);
(T15872)Dump ( 231): 02/08/21 10:26:11:039 HipCheckThread WinUWP: wait for hip check event for 60000 ms;
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x528 with thread ID 15856
(T15856)Debug( 176): 02/08/21 10:26:11:039 Start HipMissingPatchThread
(T15856)Debug( 409): 02/08/21 10:26:11:039 HipMissingPatchThread started...
(T15632)Debug( 25): 02/08/21 10:26:11:039 create thread 0x6ec with thread ID 2516
(T2516)Debug( 186): 02/08/21 10:26:11:039 Start HipMonitorThread
(T2516)Info ( 759): 02/08/21 10:26:11:039 HipMonitorThread starts
(T2516)Dump ( 397): 02/08/21 10:26:11:039 Wscapi.dll is loaded.
(T15632)Dump (12252): 02/08/21 10:26:11:039 CPanMSServiceWin::UpdateDisableGPSetting() - bDisabled=0.
(T2516)Dump ( 411): 02/08/21 10:26:11:039 Register -- WscRegisterForChanges
(T15632)Dump (2592): 02/08/21 10:26:11:039 pid is 11068
(T15632)Dump ( 218): 02/08/21 10:26:11:039 pid of PanGPA is 11068, m_dwPanGpAgentPid is 11068
(T15632)Debug(2630): 02/08/21 10:26:11:039 No user, using SSO
(T15632)Debug(10290): 02/08/21 10:26:11:039 Saved password is empty.
(T15632)Debug(2690): 02/08/21 10:26:11:039 Portal vpn.csinfra.nsw.gov.au, user , logonDomain GOVNET, saved user , path C:\Users\MINDLINM\AppData\Local\Palo Alto Networks\GlobalProtect\
(T15632)Debug(2756): 02/08/21 10:26:11:039 use proxy is 1
(T15632)Debug(2814): 02/08/21 10:26:11:039 Pre-logon-then-on-demand value is no
(T15632)Debug(1500): 02/08/21 10:26:11:039 SSO starts.
(T15632)Info (1529): 02/08/21 10:26:11:039 SSO ----- PanCredGet failed with error Element not found.
(T15632)Debug(1540): 02/08/21 10:26:11:039 SSO GetSsoCredential starts.
(T15632)Info (1570): 02/08/21 10:26:11:039 SSO ----- PanCredGet failed with error Element not found.

(T15632)Debug(10307): 02/08/21 10:26:11:039 SSO password is empty
(T15632)Debug(2920): 02/08/21 10:26:11:039 Empty username
(T15632)Dump (2938): 02/08/21 10:26:11:039 empty domain name.
(T15632)Debug(2952): 02/08/21 10:26:11:039 m_preUsername ___empty_username___
(T15632)Debug(10267): 02/08/21 10:26:11:039 Password is empty.
(T15632)Debug(7634): 02/08/21 10:26:11:039 Empty user for GetCachedPortalCfgOldNewFileName
(T15632)Debug(2973): 02/08/21 10:26:11:039 CheckCachedPortalForPrelogon 0, PrelogonNeedTimeout 0, RenameTimeout -1, userName ___empty_username___, preUsername ___empty_username___
(T15632)Debug(3135): 02/08/21 10:26:11:039 Use ssl tunnel is no
(T15632)Debug(3145): 02/08/21 10:26:11:039 bCheckCachedPortalForPrelogon: 0, m_bOnDemand: 0
(T15632)Debug(6645): 02/08/21 10:26:11:039 --Set state to Retrieving configuration...
(T15632)Dump ( 865): 02/08/21 10:26:11:039 status is Disconnected
(T15632)Dump ( 905): 02/08/21 10:26:11:039 stats.b_connected is 0, GetBestGateway is NULL.
(T15632)Debug(1964): 02/08/21 10:26:11:039 unknown network type.
(T15632)Debug(1057): 02/08/21 10:26:11:039 Display hip report V4 on the UI
(T15632)Dump (6394): 02/08/21 10:26:11:039
ResponseToClient.txt_output: <?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error-must-show/>
<error-must-show-level>error</error-must-show-level>
<error/>
<product-version>5.2.4-21</product-version>
<product-code>&quot;{717E7B2D-F4DF-4707-8024-E346F2E64F4F}&quot;</product-code>
<portal-status>Client Cert Required</portal-status>
<user-name/>
<username-type>sso</username-type>
<state>Retrieving configuration...</state>
<check-version>no</check-version>
<portal>vpn.csinfra.nsw.gov.au</portal>
<discover-ready>no</discover-ready>
<mdm-is-enabled>no</mdm-is-enabled>
</response>

(T15632)Dump (1603): 02/08/21 10:26:11:039 Send response to client for request status
(T15632)Dump (7183): 02/08/21 10:26:11:039 ServerThread: ProcessServerPortal -- GetConfigFromPortal
(T15632)Dump (3472): 02/08/21 10:26:11:039 Machine's device id is dbd72264-fbb9-4aab-9b99-ce2e9146660e
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is command
(T2516)Debug( 413): 02/08/21 10:26:11:039 HipMonitorThread wait for exit event.
(T2516)Dump ( 415): 02/08/21 10:26:11:039 before WaitForMultipleObjects
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is context
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is timeout
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is file
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is checksum
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-connect, value name is error-msg
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect, value name is command
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect, value name is context
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect, value name is file
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect, value name is checksum
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect, value name is error-msg
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is command
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is context
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is timeout
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is file
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is checksum
(T15632)Dump ( 162): 02/08/21 10:26:11:039 CPanRegKey GetValueString subKey is Software\Palo Alto Networks\GlobalProtect\Settings\pre-vpn-disconnect, value name is error-msg
(T15632)Dump (7687): 02/08/21 10:26:11:039 entering.
(T15632)Dump ( 789): 02/08/21 10:26:11:039 vpn.csinfra.nsw.gov.au is not ipv6
(T15632)Debug(12844): 02/08/21 10:26:11:039 Portal's ipv4 address 143.119.161.5
(T15632)Debug(7734): 02/08/21 10:26:11:039 SSO enable status is 1, user name is ___empty_username___, domain name is .
(T15632)Dump (7737): 02/08/21 10:26:11:039 reset user authentication status to true.
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 127): 02/08/21 10:26:11:039 Skip calling GetProductInfo for Windows 10
(T15632)Debug(2214): 02/08/21 10:26:11:039 open http session. agent is PAN GlobalProtect/5.2.4-21 (Microsoft Windows 10 Enterprise , 64-bit)
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 127): 02/08/21 10:26:11:039 Skip calling GetProductInfo for Windows 10
(T15632)Debug( 465): 02/08/21 10:26:11:039 winhttp SetSecureProtocol, hSession=2bf0a370, bAllProtocol=0, gbFips=0
(T15632)Dump (1618): 02/08/21 10:26:11:039 Auto detect proxy for host vpn.csinfra.nsw.gov.au
(T15632)Dump ( 90): 02/08/21 10:26:11:039 GetProxyInfo
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 362): 02/08/21 10:26:11:039 COSVersion::OSProductName - fetch OS productName successful = Windows 10 Enterprise
(T15632)Dump ( 127): 02/08/21 10:26:11:039 Skip calling GetProductInfo for Windows 10
(T15632)Debug( 465): 02/08/21 10:26:11:039 winhttp SetSecureProtocol, hSession=2b383240, bAllProtocol=0, gbFips=0
(T15632)Dump ( 102): 02/08/21 10:26:11:039 Proxy auto detect timeout 5 seconds
(T15632)Dump ( 106): 02/08/21 10:26:11:039 dwAveTimeout 1333 ms
(T15632)Dump ( 116): 02/08/21 10:26:11:039 Auto detect proxy url
(T15632)Debug( 120): 02/08/21 10:26:11:039 GetProxyInfo, autoConfigUrl=http://proxy.govconnect.nsw.gov.au:9090/proxy.pac
(T15632)Debug( 128): 02/08/21 10:26:11:039 GetProxyInfo, winhttpgetproxyforurl failed, lastError=12167
(T15632)Dump ( 134): 02/08/21 10:26:11:039 Auto detect proxy
(T15632)Debug(1635): 02/08/21 10:26:11:039 SetProxyForHost(https://vpn.csinfra.nsw.gov.au/ timeout:5 AutoDetect:1 url:http://proxy.govconnect.nsw.gov.au:9090/proxy.pac proxy: bypass: proxystr:
(T15632)Dump (1660): 02/08/21 10:26:11:039 m_proxyInfo.dwAccessType is 0, m_proxyInfo.lpszProxy is (null)
(T15632)Dump (11713): 02/08/21 10:26:11:039 Scep clean
(T15632)Dump (11715): 02/08/21 10:26:11:039 Clean m_pScepCert
(T15632)Dump (3715): 02/08/21 10:26:11:039 Clean m_szScepCertPanName
(T15632)Debug(6693): 02/08/21 10:26:11:039 ----Portal Pre-login starts----
(T15632)Debug(4891): 02/08/21 10:26:11:039 TriggerCaptivePortalDetection() return due to captive portal detection is in progress (0) or PreLogin is Done (1)
(T15632)Debug( 559): 02/08/21 10:26:11:062 Network is reachable
(T15632)Debug(6726): 02/08/21 10:26:11:063 Pre-login...,verifyportalcert=yes
(T15632)Dump ( 789): 02/08/21 10:26:11:063 vpn.csinfra.nsw.gov.au is not ipv6
(T15632)Debug(10696): 02/08/21 10:26:11:063 Check cert of server 143.119.161.5
(T15632)Dump ( 146): 02/08/21 10:26:11:063 pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
(T15632)Dump (1463): 02/08/21 10:26:11:063 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T15632)Debug(10711): 02/08/21 10:26:11:063 File C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer does not exist.
(T15632)Debug( 780): 02/08/21 10:26:11:063 SSL connecting to 143.119.161.5
(T15632)Dump ( 789): 02/08/21 10:26:11:063 143.119.161.5 is not ipv6
(T15632)Dump ( 469): 02/08/21 10:26:11:063 Receive timeout is 30
(T15632)Dump ( 516): 02/08/21 10:26:11:063 Connect timeout is 5
(T15632)Dump ( 572): 02/08/21 10:26:11:063 ii: 0 res->ai_family: 2
(T15632)Dump ( 575): 02/08/21 10:26:11:063 Found IPv4 address
(T15632)Debug( 559): 02/08/21 10:26:11:070 Network is reachable
(T15632)Dump ( 64): 02/08/21 10:26:11:072 connect returns 10035(A non-blocking socket operation could not be completed immediately.)
(T15632)Dump (1315): 02/08/21 10:26:11:086 SSL_connect: initialization
(T15632)Dump (1315): 02/08/21 10:26:11:086 SSL_connect: write client hello A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: read server hello A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: read server certificate A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: read server certificate request A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: read server done A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: write client certificate A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: write client key exchange A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: write change cipher spec A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: write finished A
(T15632)Dump (1315): 02/08/21 10:26:11:097 SSL_connect: flush data
(T15632)Dump (1315): 02/08/21 10:26:11:113 SSL_connect: read finished A
(T15632)Debug(1247): 02/08/21 10:26:11:113 Failed to X509_LOOKUP_load_file
(T15632)Debug( 366): 02/08/21 10:26:11:113 Open_SSL_connection: subject '/C=AU/ST=New South Wales/L=Sydney/O=Department of Customer Service/CN=*.csinfra.nsw.gov.au'
(T15632)Debug( 370): 02/08/21 10:26:11:113 Open_SSL_connection: issuer '/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K'
(T15632)Dump ( 826): 02/08/21 10:26:11:113 StandardizeIpv6Format host=vpn.csinfra.nsw.gov.au
(T15632)Dump ( 789): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is not ipv6
(T15632)Dump ( 895): 02/08/21 10:26:11:113 standardized name is vpn.csinfra.nsw.gov.au
(T15632)Dump ( 907): 02/08/21 10:26:11:113 count = 1
(T15632)Dump ( 914): 02/08/21 10:26:11:113 alt current_name_type=2
(T15632)Dump ( 917): 02/08/21 10:26:11:113 alt name=*.csinfra.nsw.gov.au
(T15632)Dump ( 962): 02/08/21 10:26:11:113 sub alt name=*.csinfra.nsw.gov.au
(T15632)Dump (1067): 02/08/21 10:26:11:113 MFAuthHandleMsg: Check domain name vpn.csinfra.nsw.gov.au versus CN name *.csinfra.nsw.gov.au
(T15632)Dump ( 789): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is not ipv6
(T15632)Dump (1044): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is not ipv4
(T15632)Debug(1113): 02/08/21 10:26:11:113 Name vpn.csinfra.nsw.gov.au matches pattern *.csinfra.nsw.gov.au
(T15632)Debug( 967): 02/08/21 10:26:11:113 Hostname vpn.csinfra.nsw.gov.au matches sub alt name *.csinfra.nsw.gov.au
(T15632)Dump ( 977): 02/08/21 10:26:11:113 check subalt returns 1
(T15632)Dump ( 803): 02/08/21 10:26:11:113 Disconnect SSL
(T15632)Debug(1323): 02/08/21 10:26:11:113 OpenSSL alert write:warning:close notify
(T15632)Dump ( 814): 02/08/21 10:26:11:113 Disconnect tcp socket
(T15632)Dump (10835): 02/08/21 10:26:11:113 CheckServerCert() returns 0x1002
(T15632)Dump (1044): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is not ipv4
(T15632)Dump ( 789): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is not ipv6
(T15632)Dump ( 767): 02/08/21 10:26:11:113 vpn.csinfra.nsw.gov.au is fqdn
(T15632)Dump (2750): 02/08/21 10:26:11:113 portal proxyparam is empty
(T15632)Dump (2772): 02/08/21 10:26:11:113 OID, oid=
(T15632)Debug(2669): 02/08/21 10:26:11:113 encpostdata, encpostdata=000002302BFA2790, encpostdatalen=176
(T15632)Debug(2838): 02/08/21 10:26:11:113 REQID=2,IPADDR=vpn.csinfra.nsw.gov.au,PORT=443,URL=/global-protect/prelogin.esp,POST=1,PROXY_AUTO=1,PROXY_CFGURL=http://proxy.govconnect.nsw.gov.au:9090/proxy.pac,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY...
(T15632)Dump ( 865): 02/08/21 10:26:11:113 status is Disconnected
(T15632)Dump ( 905): 02/08/21 10:26:11:113 stats.b_connected is 0, GetBestGateway is NULL.
(T15632)Debug(1605): 02/08/21 10:26:11:129 Send response to client for request https_request
(T15632)Dump (2868): 02/08/21 10:26:11:129 gpapintimeout not set, set it to 600 seconds
(T15632)Debug(2948): 02/08/21 10:26:11:231 receive pan_msg_ping, 3
(T15632)Debug(2948): 02/08/21 10:26:11:331 receive pan_msg_ping, 2
(T15632)Dump (2954): 02/08/21 10:26:11:331 retid =2
(T15632)Dump (2960): 02/08/21 10:26:11:331 reqid matchs, continue...
(T15632)Debug(6838): 02/08/21 10:26:11:331 prelogin to portal result is
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Error</status>
<ccusername></ccusername>
<autosubmit></autosubmit>
<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
<authentication-message></authentication-message>
<username-label></username-label>
<password-label></password-label>
<panos-version>1</panos-version><region>AU</region>
</prelogin-response>
(T15632)Debug(6873): 02/08/21 10:26:11:331 REGION-PRIO, region code is AU
(T15632)Debug(12657): 02/08/21 10:26:11:331 REGION-PRIO, save region code AU
(T15632)Debug(7088): 02/08/21 10:26:11:331 prelogin status is Error
(T15632)Error(7091): 02/08/21 10:26:11:331 pre-login error message: Valid client certificate is required
(T15632)Dump (2241): 02/08/21 10:26:11:331 close WinHttp close handle.
(T15632)Debug(7917): 02/08/21 10:26:11:331 Non-OnDemand mode valid client cert is required.
(T15632)Info (9558): 02/08/21 10:26:11:331 Portal config does not exist, try registry/plist
(T15632)Dump (9568): 02/08/21 10:26:11:331 Failed to get version from config, try local
(T15632)Info (7931): 02/08/21 10:26:11:331 failed to retrieve value of the tag version.
(T15632)Debug(7942): 02/08/21 10:26:11:331 Failed to get portal config from portal vpn.csinfra.nsw.gov.au.
(T15632)Debug(7973): 02/08/21 10:26:11:331 Try to restore last portal config from file.
(T15632)Dump ( 146): 02/08/21 10:26:11:331 pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanSCEP_c34f377586ce2187f2acba2566f4b655.cer
(T15632)Dump ( 146): 02/08/21 10:26:11:331 pan_get_full_path(): full path in multibyte char is C:\Program Files\Palo Alto Networks\GlobalProtect\PanSCEP_c34f377586ce2187f2acba2566f4b655.pfx
(T15632)Debug(8020): 02/08/21 10:26:11:331 Skip retrieve cached portal configuration for empty user
(T15632)Debug(7952): 02/08/21 10:26:11:331 Set portal status to valid client cert needed.
(T15632)Debug(7962): 02/08/21 10:26:11:331 portal status is Client Cert Required.
(T15632)Dump (7966): 02/08/21 10:26:11:331 returns 0.
(T15632)Debug(7233): 02/08/21 10:26:11:331 Portal required client certificate is not found.
(T15632)Dump (4358): 02/08/21 10:26:11:331 Set registry LastErrorString as Required client certificate not found. Please contact your IT administrator.
(T15632)Dump ( 865): 02/08/21 10:26:11:331 status is Disconnected
(T15632)Dump ( 905): 02/08/21 10:26:11:331 stats.b_connected is 0, GetBestGateway is NULL.
(T15632)Debug(1964): 02/08/21 10:26:11:331 unknown network type.
(T15632)Debug(1057): 02/08/21 10:26:11:331 Display hip report V4 on the UI
(T15628)Debug(2381): 02/08/21 10:26:11:331 Setting debug level to 6
(T15632)Dump (6394): 02/08/21 10:26:11:331
ResponseToClient.txt_output: <?xml version="1.0" encoding="UTF-8"?>
<response>
<type>status</type>
<status>Disconnected</status>
<protocol/>
<portal-config-version>0</portal-config-version>
<error-must-show/>
<error-must-show-level>error</error-must-show-level>
<error>Required client certificate not found. Please contact your IT administrator.</error>
<product-version>5.2.4-21</product-version>
<product-code>&quot;{717E7B2D-F4DF-4707-8024-E346F2E64F4F}&quot;</product-code>
<portal-status>Client Cert Required</portal-status>
<user-name/>
<username-type>sso</username-type>
<state>Disconnected</state>
<check-version>no</check-version>
<portal>vpn.csinfra.nsw.gov.au</portal>
<discover-ready>no</discover-ready>
<mdm-is-enabled>no</mdm-is-enabled>
</response>

(T15632)Dump (1603): 02/08/21 10:26:11:331 Send response to client for request status
(T15632)Dump (11128): 02/08/21 10:26:11:331 Set m_bPreviousSwitchOffMsg to 0

on the device that is not working.

open up IE, settings, internet options, content, certificates.

check that you have a personal certificate that has been issued by the same root CA as on the working device and that it has not expired.

 

It may be that the certificates are used from the machine store... so you may also need to check that location with mmc snap-in.

 

MickBall_0-1612790093307.png

 

L7 Applicator

also...   try to browse to the portal address from IE https. see if you get the same error...

Thank you for your response

In IE, I do not see any personal certificate.
When I try to import (.cer, p7b) - it says imported successfully, but a
certificate does NOT appear in the list.

I cannot export from a working device, when using the file format "Personal
Information Exchange". Error says: "the export failed. Key not valid for
use in specified state."

In IE, I cannot connect to the portal. It freezes endlessly "Waiting"

"so you may also need to check that location with mmc snap-in."

How I check it?

I see the certificates in IE - Internet Options - Content - Certificates - Other People

The certificate cannot be used from the “other people” store.

The cert needs to be in personal or machine store.

 

where exactly are you getting that cert from and how was that cert originally imported.

 

it sounds like it may have been a cert for a specific domain member, if so then you will struggle with export/import.

 

mmc can be run from command prompt. Select certificates and then local.   You can perform various tasks via right click but you will still be limited to what you can do with an intended user certificate.

The certificate cannot be used from the “other people” store.

The cert needs to be in personal or machine store.

>>>How I transfer from "other people" to "personal"?

 

where exactly are you getting that cert from and how was that cert originally imported.

>>>The certificates should come from a central place (I do not know). They should be "downloaded automatically", as our support says.
Just one day, GlobalProtect started to show the error (see the topic).
The second device was created recently, after the first device stopped to connect due to the error with certificates.
Actually, I tried to export/import them from a new device. No success.

 

it sounds like it may have been a cert for a specific domain member, if so then you will struggle with export/import.

>>>My question is can we export/import the certificates? Yes, it is cert for a specific domain member.

 

mmc can be run from command prompt. Select certificates and then local.   You can perform various tasks via right click but you will still be limited to what you can do with an intended user certificate.

>>>What I do with mmc?

 

 

no you cannot import export domain certs for specific users.

 

is the user certificate on the failing laptop in date or perhaps it has expired.

 

try to compare the certificate on the failing laptop with the certificate on a laptop that connects without errors.

 

mmc certificate snap-in can be used to view and move certificates around but this will not help because of the certificate type. (domain)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!