Is the "server certificate is invalid" error message when you are connecting to the Portal or the Gateway? (The client connects to the Portal first, downloads the client config and a list of Gateways to connect to, then disconnects and connects to a Gateway to actually pass VPN traffic). From the GlobalProtect and System logs you should be able to see which stage it is reaching:
portal-prelogin ->
portal-auth ->
portal-getconfig ->
gateway-prelogin ->
gateway-auth ->
gateway-register ->
gateway-getconfig ->
gateway-setup-IPSec ->
gateway-connected
You can also go to the GP client and view the connection log. Write down the exact system time you start, try to connect to the VPN, then go to the GP client App menu->Settings->Troubleshooting->Collect Logs. Preferably run this just after the failure message. This dumps out a huge zip file of different logs. In the PanGPA.log you will see a detailed file of all the connection steps (it is very large and can be quite confusing if you don't know what you are looking for). You should be able to pick out the connection, the server certificate received, and why the GP client rejected it (unknown CA, failed check, etc.).
You will obviously need the public root/intermediate CAs, used to sign the public certificate on the Portal/Gateways, on the endpoint machines... But since you said this was a public authority signed cert I would assume those are already installed by the OS. There is an option in the GP client config to disable server certificate checking if you want to try that as a temporary workaround:
GlobalProtect->Portals->[config]->Agent->[config]->App->Allow User to Continue with Invalid Portal Server Certificate: Yes/No
I could have sworn there is also an optional configuration under App that allowed you to tell the client to only accept certain server certificates for authentication, but I can't find it at the moment.
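To check from the endpoint whether it is the Portal or a Gateway certificate that fails validation, and for which reason, the same chain and hostname check can be run outside the GP client. This is an added example, not part of the original post or of Palo Alto's tooling; the script name is hypothetical, the hostnames are passed on the command line, and it assumes Python's default trust store reflects what the OS trusts.

```python
import socket
import ssl
import sys

# OpenSSL verify codes (X509_V_ERR_*) mapped to the rejection reason.
REASONS = {
    9: "certificate not yet valid (check the endpoint clock)",
    10: "certificate has expired",
    18: "self-signed server certificate",
    19: "self-signed certificate in chain (root not trusted locally)",
    20: "issuer not found locally (unknown CA or missing intermediate)",
    21: "leaf cannot be verified (server sent no issuer certificate)",
    62: "hostname mismatch (name not in the certificate)",
}


def classify(code, message=""):
    """Map an OpenSSL verify code to a short reason, falling back to its text."""
    return REASONS.get(code, message or f"verify error {code}")


def check_server(host, port=443, timeout=5.0):
    """Handshake with full chain and hostname validation; report the outcome."""
    ctx = ssl.create_default_context()  # assumption: default store mirrors the OS store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return {"host": host, "ok": True,
                        "issuer": issuer.get("commonName", "?"),
                        "expires": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "ok": False,
                "reason": classify(exc.verify_code, exc.verify_message)}
    except OSError as exc:  # DNS, TCP or non-certificate TLS failure
        return {"host": host, "ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    # Usage (hypothetical file name): python gp_cert_check.py <portal-fqdn> <gateway-fqdn>
    for name in sys.argv[1:]:
        print(check_server(name))
```

Run it against the Portal name and each Gateway name the client uses; a result that is clean for the Portal but fails for a Gateway matches a connection that stops at one of the gateway-* stages.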