03-16-2015 08:15 AM
Hello-
I'm running a PA-500 with GlobalProtect for VPN access. Just recently our users started experiencing an issue wherein they try to connect and receive a "Client Certificate Error" dialog. However, after they click OK to close the dialog, the agent connects anyway. I investigated the issue myself and found what follows below. Note that I initiated the connection at around 19:24 and closed it at around 19:33.
Environment:
Firewall OS: 5.0.14
GlobalProtect Client: 1.2.5-2
User OS: Windows 7 (all our users are Win 7, so I can't determine whether this is OS-specific)
The exported PanGPA log reports this at the time of making the connection:
(T4860) 03/15/15 19:24:39:713 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T4860) 03/15/15 19:24:39:900 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T2844) 03/15/15 19:24:48:683 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T4328) 03/15/15 19:24:49:354 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
(T3180) 03/15/15 19:24:57:154 Error(1172): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED
The exported PanGPS log reports this (I've removed IP addresses):
(T2080) 03/15/15 12:13:26:571 Error( 80): Failed to open sub key 'Software\Palo Alto Networks\VPN Agent\PanSetup'
(T2176) 03/15/15 19:24:39:619 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))
(T2176) 03/15/15 19:24:39:619 Error( 141): connect() failed
(T2176) 03/15/15 19:24:39:619 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.
(T2176) 03/15/15 19:24:45:891 Error(12151): pre-login error message: GlobalProtect portal does not exist
(T2176) 03/15/15 19:24:45:891 Error(8298): pan_obj_get_value() failed with tag client-cert. Returns false.
(T2176) 03/15/15 19:24:45:891 Error(11000): Failed to export client cert.
(T4256) 03/15/15 19:24:45:984 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))
(T4256) 03/15/15 19:24:45:984 Error( 141): connect() failed
(T4256) 03/15/15 19:24:45:984 Error(7805): Protocol error. Check server certificate. Failed to ssl connect to '<Portal IP>:443', Disconect ssl and returns false.
(T4264) 03/15/15 19:24:51:444 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe
(T4264) 03/15/15 19:28:56:737 Error(13520): CheckHipMissingPatchInOtherProcess(): Wait timeout for process PanGpHipMp.exe
(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0) failed (Element not found.)
(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[1] (<Some IP 1>) failed (Element not found.)
(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[2] (<Some IP 2>) failed (Element not found.)
(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[3] (<Some IP 1>) failed (Element not found.)
(T2176) 03/15/15 19:32:49:238 Error(1767): UnsetRoutes: DeleteIpForwardEntry[4] (<Some IP 2>) failed (Element not found.)
(T2960) 03/15/15 19:32:49:270 Error(1739): UnsetRoutes: No route installed before
(T2960) 03/15/15 19:33:01:339 Error(1199): IpReleaseAddress done
(T2176) 03/15/15 19:33:01:558 Error( 95): SSL connect failed (error:00000001:lib(0):func(0):reason(1))
(T2176) 03/15/15 19:33:01:558 Error( 141): connect() failed
(T2176) 03/15/15 19:33:01:558 Error( 978): ConnectSSL: Failed to connect to '<Portal IP>:443'
(T2176) 03/15/15 19:33:01:558 Error(1025): ConnectSSL(false) failed
(T2176) 03/15/15 19:33:01:558 Error(1221): Logout: SendNReceive() failed
(T2176) 03/15/15 19:33:01:558 Error(2013): Disconnect: Logout() failed
One of the first things I did was check out the certificates assigned to the clients, and they all appear to be fine. At least, nothing in them was changed or expired. I also checked out the firewall's system logs and they don't give a hint of any error (they just show a successful authentication and connection), which leads me to believe that the error is completely client-side. Does anybody have any input on this? I like that my users can still connect, but for obvious reasons I don't like seeing certificate errors that are apparently being ignored...if the logs say "Failed to ssl connect" but it connects anyway, then what's it using to connect? Not an unencrypted, non-SSL connection, I hope. I'm hesitant to use the VPN until I can resolve this.
By the way, this seems to be a possibly related and unanswered question:
https://live.paloaltonetworks.com/message/43849
Thank you.
03-17-2015 01:05 PM
No, not yet. I was going to check with the community first and then open a support case if nobody here knew anything.
03-17-2015 01:13 PM
Could you please check whether the certificate common name is an IP address or an FQDN. For example, if the certificate has an IP address in the CN, you have to connect with the IP from the GP client. Otherwise it will show you a certificate warning.
Thanks
01-04-2024 02:24 PM
I have seen an error like this where the PA issuing cert was expired but the Root Cert was not, and the PC machine cert was verified by the Root Cert on the PA.
Hope it helps.
Regards
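The two replies above point at two different things to check: whether the name the GlobalProtect client is pointed at matches the portal certificate, and whether every certificate in the client's chain, not just the leaf, is still inside its validity window. The following is an added Go example that is not part of the thread and not code from any Palo Alto Networks tool. It constructs a throwaway PKI (a root that is still valid, an issuing CA that expired three days ago, a machine certificate that is still valid, and a portal certificate whose only subjectAltName is an IP address; all names and the 203.0.113.10 address are made up) and runs both checks with Go's standard crypto/x509 package. Go's VerifyHostname matches an IP-literal target only against IP SANs and a hostname only against DNS SANs, ignoring the CN, which is the strict form of the CN-versus-address point in the earlier reply.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Scenario is a constructed three-tier PKI mirroring the last reply: a root
// that is still valid, an issuing CA that has already expired, a machine
// (client) certificate issued by it that is itself still valid, and a portal
// certificate whose only subjectAltName is an IP address. All names are made up.
type Scenario struct {
	Root, Issuing, Machine, Portal *x509.Certificate
}

// makeCert signs tmpl with parentKey (self-signed when parent is nil) and
// returns the parsed certificate together with its own freshly generated key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildScenario creates the four certificates relative to now.
func buildScenario(now time.Time) (*Scenario, error) {
	const year = 365 * 24 * time.Hour
	const day = 24 * time.Hour
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign

	root, rootKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-5 * year), NotAfter: now.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// The issuing CA lapsed three days ago; certificates it issued still look fine on their own.
	issuing, issuingKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-3 * year), NotAfter: now.Add(-3 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	machine, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "WIN7-PC01.corp.example"},
		NotBefore: now.Add(-1 * year), NotAfter: now.Add(1 * year),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, issuing, issuingKey)
	if err != nil {
		return nil, err
	}
	// Portal certificate with an IP-address SAN only (no DNS name); 203.0.113.10 is a documentation address.
	portal, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "203.0.113.10"},
		NotBefore: now.Add(-1 * year), NotAfter: now.Add(1 * year),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("203.0.113.10")},
	}, issuing, issuingKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Issuing: issuing, Machine: machine, Portal: portal}, nil
}

// chainStatus verifies the machine certificate as a client-auth cert against
// the root (with the issuing CA as the only intermediate) as of time at, the
// way the portal would. It returns "ok" or the verifier's error text.
func chainStatus(s *Scenario, at time.Time) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Issuing)
	_, err := s.Machine.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err.Error()
	}
	return "ok"
}

// expiredIn names every certificate in the chain whose validity window does
// not contain at. Checking only the leaf, as the original poster did, misses
// an expired issuer.
func expiredIn(s *Scenario, at time.Time) []string {
	var out []string
	for _, c := range []*x509.Certificate{s.Machine, s.Issuing, s.Root} {
		if at.Before(c.NotBefore) || at.After(c.NotAfter) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// portalNameMatches reports whether target (hostname or IP literal the GP
// client is pointed at) matches the portal certificate's subjectAltNames.
func portalNameMatches(portal *x509.Certificate, target string) bool {
	return portal.VerifyHostname(target) == nil
}

func main() {
	now := time.Now()
	s, err := buildScenario(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain today:      ", chainStatus(s, now))
	fmt.Println("expired today:    ", expiredIn(s, now))
	fmt.Println("chain a month ago:", chainStatus(s, now.Add(-30*24*time.Hour)))
	for _, target := range []string{"gp.example.com", "203.0.113.10"} {
		fmt.Printf("portal cert matches %q: %v\n", target, portalNameMatches(s.Portal, target))
	}
}
```

Run with `go run`: the chain verifies a month earlier and fails today, with expiredIn naming the issuing CA, which is where to look when the leaf itself "appears to be fine". To apply the same checks to real certificates, replace the generated ones with x509.ParseCertificate over DER exported from the Windows certificate store or from the firewall.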