This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About NinthShot
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About NinthShot
6Posts
0Likes
0Solutions
Last Visited
User
Activity
User
Profile
Latest posts by NinthShot
| Subject | Views | Posted |
|---|---|---|
| 6563 | 03-17-2015 01:05 PM | |
| 6679 | 03-16-2015 08:15 AM | |
| 1880 | 01-27-2012 04:28 PM | |
| 2314 | 01-27-2012 06:44 AM | |
| 1875 | 10-30-2011 02:43 PM | |
| 2333 | 10-11-2011 04:45 PM |
User Badges
Community Statistics
| Member Since | 08-30-2011 03:09 PM |
| Date Last Visited | |
| Posts | 6 |
03-17-2015
01:05 PM
No, not yet. I was going to check with the community first and then open a support case if nobody here knew anything.
... View more
03-16-2015
08:15 AM
Hello- I'm running a PA-500 on with GlobalProtect for VPN access. Just recently our users started experiencing an issue wherein they try to connect and receive a "Client Certificate Error" error dialog. However, after they click OK to close the dialog, the agent connects anyway. I investigated the issue myself and found what follows below. Note that I initiated the connection at around 19:24 and closed it at around 19:33. Environment: Firewall OS: 5.0.14 GlobalProtect Client: 1.2.5-2 User OS: Windows 7 (all our users are Win 7, so I can't determine whether this is OS-specific) The exported PanGPA log reports this at the time of making the connection: (T4860) 03/15/15 19:24:39:713 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (T4860) 03/15/15 19:24:39:900 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (T2844) 03/15/15 19:24:48:683 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (T4328) 03/15/15 19:24:49:354 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (T3180) 03/15/15 19:24:57:154 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED The exported PanGPS log reports this (I've removed IP addresses): (T2080) 03/15/15 12:13:26:571 Error( 80): Failed to open sub key 'Software\Palo Alto Networks\VPN Agent\PanSetup' (T2176) 03/15/15 19:24:39:619 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1)) (T2176) 03/15/15 19:24:39:619 Error( 141): connect() failed (T2176) 03/15/15 19:24:39:619 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false. (T2176) 03/15/15 19:24:45:891 Error(12151): pre-login error message: GlobalProtect portal does not exist (T2176) 03/15/15 19:24:45:891 Error(8298): pan_obj_get_value() failed with tag client-cert. Returns false. (T2176) 03/15/15 19:24:45:891 Error(11000): Failed to export client cert. (T4256) 03/15/15 19:24:45:984 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1)) (T4256) 03/15/15 19:24:45:984 Error( 141): connect() failed (T4256) 03/15/15 19:24:45:984 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to ' <Portal IP> :443', Disconect ssl and returns false. (T4264) 03/15/15 19:24:51:444 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe (T4264) 03/15/15 19:28:56:737 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe (T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0) failed (Element not found. ) (T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[1] (<Some IP 1>) failed (Element not found. ) (T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[2] ( <Some IP 2> ) failed (Element not found. ) (T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[3] ( <Some IP 1> ) failed (Element not found. ) (T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[4] ( <Some IP 2> ) failed (Element not found. ) (T2960) 03/15/15 19:32:49:270 Error(1739): UnsetRoutes: No route installed before (T2960) 03/15/15 19:33:01:339 Error(1199): IpReleaseAddress done (T2176) 03/15/15 19:33:01:558 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1)) (T2176) 03/15/15 19:33:01:558 Error( 141): connect() failed (T2176) 03/15/15 19:33:01:558 Error( 978): ConnectSSL: Failed to connect to ' <Portal IP> :443' (T2176) 03/15/15 19:33:01:558 Error(1025): ConnectSSL(false) failed (T2176) 03/15/15 19:33:01:558 Error(1221): Logout: SendNReceive() failed (T2176) 03/15/15 19:33:01:558 Error(2013): Disconnect: Logout() failed One of the first things I did was check out the certificates assigned to the clients, and they all appear to be fine. At least, nothing in them was changed or expired. I also checked out the firewall's system logs and they don't give a hint of any error (they just show a successful authentication and connection), which leads me to believe that the error is completely client-side. Does anybody have any input on this? I like that my users can still connect, but for obvious reasons I don't like seeing certificate errors that are apparently being ignored...if the logs say " Failed to ssl connect " but it connects anyway, then what's it using to connect? Not an unencrypted, non-SSL connection, I hope. I'm hesitant to use the VPN until I can resolve this. By the way, this seems to be a possibly related and unanswered question: https://live.paloaltonetworks.com/message/43849 Thank you.
... View more
Labels:
- Labels:
-
Troubleshooting
01-27-2012
04:28 PM
Hello- Thank you for your reply. I've gotten as far as establishing the local CA and creating user certificates; where I'm getting hung up is where I apply those certificates vs. the certificates self-issued by the firewall (the ones that, to my understanding, are used to establish the link between the firewall and the VPN client). Thanks again.
... View more
01-27-2012
06:44 AM
Hello- I currently have a PA-500 running 4.1.2 and am trying to configure a client certificate-based VPN as outlined in this document: However, that document is for the old NetConnect (pre-4.1.x) VPNs so I've been trying to merge the instructions contained therein with the the 4.1.x GlobalProtect instructions: I have been able to get the appropriate certificates installed on user machines and uploaded to the firewall. At this point, however, I'm unsure on how to proceed--when configuring the portal where do I use the firewall-supplied CA/certificates and where do I use the server-supplied CA/certificates? Furthermore, I'm pretty green on the whole certificates and VPN thing. I've used both and have some understanding of them, but this is my first time implementing a VPN (on a Palo Alto device or otherwise). Does anybody know of some sort of "VPN basics" guide here on the Palo Alto site that will assist someone with his first PA VPN setup? I've found plenty of technical guides but most of these assume some familiarity with the subject that I apparently lack. Thanks for any help you can provide.
... View more
- Tags:
- globalprotect
- vpn
10-30-2011
02:43 PM
Well, that was simple. Thanks for the help.
... View more
10-11-2011
04:45 PM
Hello- I have a new PA500 (running 4.0.4) that I've set up and am now trying to tie to Active Directory in order to create user-based policies. I have everything configured to my knowledge, but I'm not getting any user-IP mappings on the firewall. I installed what I believe to be the latest AD agent, 3.1.2 (filename PanAgent-3.1.2.msi), on my server and configured it as follows (using made-up IP addresses and domains for this example): Domain Name: mydomain.com Port Number: 31200 Domain Controller Address: 1.1.1.1 Allow List: 1.1.1.0/24 Filter Group: mydomain\users I am able to successfully view the user-ip mappings and groups through the configuration program. I have also configured the agent settings on the PA500 as follows: Agent Type: userid-agent Name: userid-AD IP Address: 1.1.1.1 Port: 31200 Furthermore, I've enabled the agent on the trusted zone through the following settings: Enable User Identification: Yes Include List: addr-localnet (1.1.1.0/24) I believe that this is all I have to do to get the user-IP mappings to work but I am not seeing any such mappings on the firewall. If I consult the PA500's logs I find: UserID connected to agent userid-AD(1.1.1.1) version 3, initiated by 1.1.1.2 and Pan-Agent connected: IP 1.1.1.1 port 31200, initiated by 1.1.1.2 However, if I consult the agent's logs on the server I find it filled with the following error: New Connection(1.1.1.2:<port>) Socket(<socket>) SSL read error in pan_host_agent_rcv_data -2-16-0 Connection(1) is closed! If I run show user userid-agent statistics on the CLI I get an output like follows: Server: userid-AD(vsys: vsys1) Address: 1.1.1.1:31200 Connection : Not Connected Version : <Unknown> number of connection tried : 5295 number of connection succeeded : 5224 number of connection failed : 71 number of user ip mapping messages received : 0 number of user ip mapping add entries received : 0 number of user ip mapping del entries received : 0 number of ip msgs rcvd but failed to process : 0 number of status messages received : 0 number of request of ip mapping messages sent : 0 number of request of all ip mapping messages sent : 0 number of request of status messages sent : 0 I'm at a loss here and hope that this is enough information for somebody to help me out. Does anybody have any ideas on why my mappings aren't working? I don't know whether this is applicable at all, but my Web GUI gives me a certificate error when I attempt to access it. Thanks for any help you can provide.
... View more
Labels:
- Labels:
-
User-ID
Contact Me
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks