Trying to get an LSVPN setup (GlobalProtect Satellite) working and getting this error when the Satellite tries to authenticate to the Gateway: "Missing Server certificate profile". I can't find any information on this error anywhere. [Edit: CLI logs show this is actually "Missing Satellite certificate profile". However, I still can't find any information on what that actually means, nor where/how to fix it.] The Satellite (PA200 running PanOS 8.1.20) connects to the Portal (PA5220 running PanOS 9.1.10), successfully authenticates using the serial number, and downloads the Gateway configuration info. The Satellite connects to the Gateway (PA220 running PanOS 9.1.10), attempts to authenticate, and just sits there. The Gateway Info for the IPSec tunnel just shows "inactive". The GlobalProtect logs on the Gateway show the certificate error message. I think this has to do with how the SSL certificate is generated for the Satellite, possibly around the CN/SAN attributes for the cert on the Satellite? But there's very little information out there on how these should be configured. I've tried separate certs with the following for the CN: serial number of the Satellite hostname of the Satellite as set in DNS hostname of the Satellite as set in Device tab --> Setup --> Management --> General Settings random words to see if the error message changes I've also tried with a single cert with all of the above set in CN/SAN simultaneously. This is using the same root CA cert that the existing/working GlobalProtect setup uses, the same naming conventions for the certs, etc. The certs are installed on the Portal, the Gateway, and the Satellite. Not sure what to check or test from here. We have a working GP setup with multiple Portals and Gateways across multiple firewalls. I just can't get the LSVPN setup working. Any ideas?
... View more