LSVPN "Missing Satellite certificate profile" error on login

cancel
Showing results for 
Search instead for 
Did you mean: 

LSVPN "Missing Satellite certificate profile" error on login

L4 Transporter

Trying to get an LSVPN setup (GlobalProtect Satellite) working and getting this error when the Satellite tries to authenticate to the Gateway:  "Missing Server certificate profile".  I can't find any information on this error anywhere. [Edit: CLI logs show this is actually "Missing Satellite certificate profile".  However, I still can't find any information on what that actually means, nor where/how to fix it.]

 

The Satellite (PA200 running PanOS 8.1.20) connects to the Portal (PA5220 running PanOS 9.1.10), successfully authenticates using the serial number, and downloads the Gateway configuration info.

 

The Satellite connects to the Gateway (PA220 running PanOS 9.1.10), attempts to authenticate, and just sits there.  The Gateway Info for the IPSec tunnel just shows "inactive".  The GlobalProtect logs on the Gateway show the certificate error message.

 

I think this has to do with how the SSL certificate is generated for the Satellite, possibly around the CN/SAN attributes for the cert on the Satellite?  But there's very little information out there on how these should be configured.  I've tried separate certs with the following for the CN:

  • serial number of the Satellite
  • hostname of the Satellite as set in DNS
  • hostname of the Satellite as set in Device tab --> Setup --> Management --> General Settings
  • random words to see if the error message changes

I've also tried with a single cert with all of the above set in CN/SAN simultaneously.

 

This is using the same root CA cert that the existing/working GlobalProtect setup uses, the same naming conventions for the certs, etc.  The certs are installed on the Portal, the Gateway, and the Satellite.

 

Not sure what to check or test from here.  We have a working GP setup with multiple Portals and Gateways across multiple firewalls.  I just can't get the LSVPN setup working.

 

Any ideas?

2 REPLIES 2

L4 Transporter

Well, after working on it for over two hours last night, and another three hours this morning, I finally figured out what that absolutely useless error message was trying to tell me:  I had the wrong Gateway set in the Satellite tab on the Portal.  The Satellite was trying to connect to our regular GP Gateway, where there's no certificate profiles enabled (for obvious reasons).

 

Now the logs are showing me actually useful error messages on the Satellite:  certificate common name does not match the configured hostname on the satellite.  At least this tells me that the Satellite is trying to match the name in the certificate with the name of the Gateway and they're not matching up for some reason.

L4 Transporter

LSVPN tunnel is now connected and traffic is flowing over it.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!