04-03-2024 11:52 PM
Hi All,
One of our clients has signed and imported a new certificate. It is showing as valid.
But when we apply the necessary changes to use this certificate and try to connect, it displays this error:
"Connection Failed:Gateway isp2-gw: Could not verify the server certificate of the gateway. If the issue persists, contact your administrator."
We have extracted debug logs for this and I am seeing this error.
(P5156-T19156)Debug(3644): 04/02/24 17:15:24:568 ----Gateway Pre-login starts----
(P5156-T19156)Debug(13345): 04/02/24 17:15:24:568 Check cert of server 202.57.50.146
(P5156-T19156)Debug( 931): 04/02/24 17:15:24:569 SSL connecting to 202.57.50.146
(P5156-T19156)Debug( 571): 04/02/24 17:15:24:574 Network is reachable
(P5156-T16668)Debug( 136): 04/02/24 17:15:24:594 Wait for the ready event of hip report generated in other process.
(P5156-T19156)Debug(1500): 04/02/24 17:15:25:295 Unable to verify server cert. Result is unable to get local issuer certificate
(P5156-T19156)Debug(1043): 04/02/24 17:15:25:295 Hostname 202.57.50.146 doesn't matche sub alt name remote2.watsons.com.ph
(P5156-T19156)Debug(1058): 04/02/24 17:15:25:295 CheckServerCertName: bFips false, validExtensionCount 1
(P5156-T19156)Debug(1066): 04/02/24 17:15:25:295 Hostname 202.57.50.146 doesn't match sub alt name or no sub alt name, fallback to CN
(P5156-T19156)Debug(1106): 04/02/24 17:15:25:295 Hostname 202.57.50.146 NOT match remote2.watsons.com.ph
(P5156-T19156)Debug(1537): 04/02/24 17:15:25:295 OpenSSL alert write:warning:close notify
(P5156-T19156)Debug(6529): 04/02/24 17:15:25:295 pretunnel latency (manual gateway) is 513
(P5156-T19156)Error(3702): 04/02/24 17:15:25:295 Failed to verify server certificate of gateway 202.57.50.146.
(P5156-T19156)Debug(5851): 04/02/24 17:15:25:295 Show Gateway isp2-gw: Could not verify the server certificate of the gateway. If the issue persists, contact your administrator.
(P5156-T19156)Info (2701): 04/02/24 17:15:25:295 Failed to retrieve info for gateway 202.57.50.146.
(P5156-T19156)Debug(2712): 04/02/24 17:15:25:295 tunnel to 202.57.50.146 is not created.
(P5156-T19156)Error(6907): 04/02/24 17:15:25:295 NetworkDiscoverThread: failed to discover external network.
(P5156-T19156)Debug(7986): 04/02/24 17:15:25:295 --Set state to Disconnected
(P5156-T19156)Debug(6971): 04/02/24 17:15:25:296 NetworkDiscoverThread: PortalStatus is 2, HasLoggedOnGateway is 0
(P5156-T19156)Debug(6973): 04/02/24 17:15:25:296 NetworkDiscoverThread: ((PORTAL_CACHED_CONFIG == m_nPortalStatus) && !m_bHasLoggedOnGateway)
(P5156-T19156)Debug(6994): 04/02/24 17:15:25:296 Network discovery is not ready, set GP VPN status as disconnected
(P5156-T19156)Debug(13515): 04/02/24 17:15:25:296 SetVpnStatus called with new status=0, Previous Status=0
(P5156-T7096)Debug(2625): 04/02/24 17:15:25:296 Setting debug level to 5
(P5156-T19156)Debug(4503): 04/02/24 17:15:25:296 UpdatePrelogonStateForSSO() - tunnel state = Disconnected
(P5156-T19156)Debug(11258): 04/02/24 17:15:25:296 CPanMSService::OnVpnStatusProxyAgent: tunnel only, stop the proxy.
(P5156-T20316)Debug(6101): 04/02/24 17:15:26:571 CPD, reset cp detection history
(P5156-T20316)Debug(2410): 04/02/24 17:15:26:571 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.1-132 (Microsoft Windows 11 Pro , 64-bit).
(P5156-T20316)Debug( 571): 04/02/24 17:15:27:178 Network is reachable
(P5156-T20316)Debug( 149): 04/02/24 17:15:27:442 CPD, pan_http_captive_portal_detection: status is 200
(P5156-T20316)Debug( 162): 04/02/24 17:15:27:442 CPD, pan_http_captive_portal_detection() - captive portal isn't detected against server.
(P5156-T20316)Debug(6114): 04/02/24 17:15:27:443 CPD, index=0, iRet=-1, lastError=0
(P5156-T20316)Debug(6132): 04/02/24 17:15:27:443 CPD, CaptivePortalDetectionThread: captive portal is not detected for CP server. iStatus = 200
(P5156-T20316)Debug(2410): 04/02/24 17:15:27:443 pan_get_gp_user_agent szGpUserAgent ua is PAN GlobalProtect/6.2.1-132 (Microsoft Windows 11 Pro , 64-bit).
(P5156-T20316)Debug( 571): 04/02/24 17:15:27:534 Network is reachable
Anything significant we can look into for this?
I am trying to look for articles similar to "Hostname 202.57.50.146 doesn't matche sub alt name remote2.watsons.com.ph" <-- because I think this is the cause.
But I cannot find any steps/guide to tshoot this.
Need your help.
Regards
Nicko
04-10-2024 08:53 AM
Hi @NickoKristian ,
The error "Hostname ABC doesn't match sub alt name XYZ" is usually an indication that the server certificate used in the SSL/TLS profile for the gateway is incorrect.
I'd check the following:
Navigate to the portal settings > Agent > Agent config > External Gateways.
Verify that the FQDN for the gateway provided in the above setting matches the CN (common name) in the certificate called in the SSL/TLS profile on the firewall.
Please use the appropriate certificate in the SSL/TLS profile with a CN (common name) that corresponds to the data given in the aforementioned portal settings.
Hope this helps,
Kim.
04-11-2024 05:49 PM
Hi @kiwi
Configuration for remote2.watsons.com.ph seems to be in place.
What else can you suggest we need to check?
Please see attached picture
08-05-2024 12:16 PM - edited 08-05-2024 01:10 PM
NS Lookup to google shows it at a
Name: remote2.watsons.com.ph
Address: 202.57.50.146
If your local endpoint cannot use DNS to make this resolution, it will fail. For example, if you are handing up to Umbrella or some other DNS filtering and the URL remote2.watsons.com.ph is classified as malware or some other filtered category, resolution will fail and cause a disconnect between the URL and the CN/SAN in the cert. If that is not the case, run nslookup or dig against the record on the local host and see if it resolves to the correct address. I suspect a DNS issue.
Edit:
Also make sure you are using the DNS name in the GP Portal field and not the IP address.
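Added example, not part of any reply in this thread and not Palo Alto Networks code: a small parser for the GlobalProtect client debug lines quoted in the first post, which separates the two failures the log records (the OpenSSL chain result and the name mismatch) and flags that the gateway was addressed by IP rather than by the name in the certificate. The regular expressions and the names `diagnose` and `is_ip` are assumptions derived only from the log lines shown above.

```python
import ipaddress
import re

# Lines copied from the debug log in the first post of this thread.
SAMPLE_LOG = """\
(P5156-T19156)Debug(13345): 04/02/24 17:15:24:568 Check cert of server 202.57.50.146
(P5156-T19156)Debug(1500): 04/02/24 17:15:25:295 Unable to verify server cert. Result is unable to get local issuer certificate
(P5156-T19156)Debug(1066): 04/02/24 17:15:25:295 Hostname 202.57.50.146 doesn't match sub alt name or no sub alt name, fallback to CN
(P5156-T19156)Debug(1106): 04/02/24 17:15:25:295 Hostname 202.57.50.146 NOT match remote2.watsons.com.ph
"""

# Assumed layout: "(P<pid>-T<tid>)Level(<line>): <date> <time> <message>"
LINE = re.compile(r"^\(P\d+-T\d+\)\w+\s*\(\s*\d+\):\s+\S+\s+\S+\s+(.*)$")
TARGET = re.compile(r"Check cert of server (\S+)")
VERIFY = re.compile(r"Unable to verify server cert\. Result is (.+)")
MISMATCH = re.compile(r"Hostname (\S+) NOT match (\S+)")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def diagnose(log_text):
    """Separate the chain-of-trust failure from the name-mismatch failure."""
    result = {"target": None, "verify_result": None, "cert_name": None, "findings": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a client log line
        msg = m.group(1)
        if (t := TARGET.search(msg)):
            result["target"] = t.group(1)
        elif (v := VERIFY.search(msg)):
            result["verify_result"] = v.group(1).strip()
        elif (n := MISMATCH.search(msg)):
            result["target"], result["cert_name"] = n.group(1), n.group(2)
    result["target_is_ip"] = bool(result["target"]) and is_ip(result["target"])
    if result["verify_result"]:
        result["findings"].append("chain: " + result["verify_result"])
    if result["cert_name"]:
        how = "IP address" if result["target_is_ip"] else "hostname"
        result["findings"].append(
            f"name: gateway addressed by {how} {result['target']}, "
            f"certificate names {result['cert_name']}")
    return result
```

A "chain" finding points at the client's trust in the issuing CA, while a "name" finding with an IP target points at the gateway address the client was given, so the two need to be checked separately.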