GlobalProtect config problem: The server certificate is invalid.

L2 Linker

Hi,

In the lab I am trying to set up a simple GlobalProtect configuration where the gateway and portal are on the same IP and just using local user authentication. I have a certificate for my public IP from Let's Encrypt and have imported this into the Palo Alto.

I am able to connect to the portal without any certificate issues. But when connecting to the gateway I am getting "the server certificate is invalid": GlobalProtect connection failed, could not validate the server certificate of the gateway.

 

My config looks like this:

 

Portal config:

 

GPP-Portal {
  portal-config {
    client-auth {
      GPP-AUTH {
        os Any;
        authentication-profile "Local-Database Authentication";
        authentication-message "Enter login credentials";
      }
    }
    local-address {
      interface loopback;
      ip {
        ipv4 10.1.1.1;
      }
    }
    custom-login-page factory-default;
    custom-home-page factory-default;
    custom-help-page factory-default;
    ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
  }
  client-config {
    configs {
      AUTH-PORTAL {
        hip-collection {
          max-wait-time 20;
          collect-hip-data yes;
        }
        gateways {
          external {
            list {
              fw.relianet.be {
                fqdn fw.relianet.be;
                priority-rule {
                  Any {
                    order 1;
                  }
                }
                manual yes;
              }
            }
            cutoff-time 5;
          }
        }
        authentication-override {
          generate-cookie no;
        }
        source-user any;
        os Windows;
        agent-ui {
          max-agent-user-overrides 0;
          agent-user-override-timeout 0;
        }
        gp-app-config {
          config {
            connect-method {
              value on-demand;
            }
            refresh-config-interval {
              value 24;
            }
            agent-user-override {
              value allowed;
            }
            client-upgrade {
              value prompt;
            }
            use-sso {
              value no;
            }
            logout-remove-sso {
              value yes;
            }
            krb-auth-fail-fallback {
              value yes;
            }
            retry-tunnel {
              value 30;
            }
            retry-timeout {
              value 5;
            }
            enforce-globalprotect {
              value yes;
            }
            captive-portal-exception-timeout {
              value 0;
            }
            traffic-blocking-notification-delay {
              value 15;
            }
            display-traffic-blocking-notification-msg {
              value yes;
            }
            traffic-blocking-notification-msg {
              value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; border: 0; font-size: 30px;">Notice</h1><p style="margin: 0;font-size: 15px; line-height: 1.2em;">To access the network, you must first connect to GlobalProtect.</p></div>';
            }
            allow-traffic-blocking-notification-dismissal {
              value yes;
            }
            display-captive-portal-detection-msg {
              value no;
            }
            captive-portal-detection-msg {
              value '<div style="font-family:'Helvetica Neue';"><h1 style="color:red;text-align:center; margin: 0; font-size: 30px;">Captive Portal Detected</h1><p style="margin: 0; font-size: 15px; line-height: 1.2em;">GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.</p><p style="margin: 0; font-size: 15px; line-height: 1.2em;">If you let the connection time out, open GlobalProtect and click Connect to try again.</p></div>';
            }
            certificate-store-lookup {
              value user-and-machine;
            }
            scep-certificate-renewal-period {
              value 7;
            }
            retain-connection-smartcard-removal {
              value yes;
            }
            enable-advanced-view {
              value yes;
            }
            enable-do-not-display-this-welcome-page-again {
              value yes;
            }
            rediscover-network {
              value yes;
            }
            resubmit-host-info {
              value yes;
            }
            can-change-portal {
              value yes;
            }
            can-continue-if-portal-cert-invalid {
              value yes;
            }
            show-agent-icon {
              value yes;
            }
            user-switch-tunnel-rename-timeout {
              value 0;
            }
            pre-logon-tunnel-rename-timeout {
              value -1;
            }
            show-system-tray-notifications {
              value don;
            }
            max-internal-gateway-connection-attempts {
              value 0;
            }
            portal-timeout {
              value 5;
            }
            connect-timeout {
              value 5;
            }
            receive-timeout {
              value 30;
            }
            enforce-dns {
              value yes;
            }
            flush-dns {
              value no;
            }
            proxy-multiple-autodetect {
              value no;
            }
            wsc-autodetect {
              value cancel;
            }
            mfa-enabled {
              value no;
            }
            mfa-listening-port {
              value 4501;
            }
            mfa-notification-msg {
              value "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at";
            }
            ipv6-preferred {
              value yes;
            }
          }
        }
        save-user-credentials 2;
        portal-2fa no;
        manual-only-gateway-2fa no;
        internal-gateway-2fa no;
        auto-discovery-external-gateway-2fa no;
        mdm-enrollment-port 443;
      }
    }
  }
  satellite-config {
    client-certificate {
      local;
    }
  }
}

 

GATEWAY:

 

GP-GATEWAY {
  roles {
    set {
      login-lifetime {
        days 30;
      }
      inactivity-logout {
        hours 3;
      }
      disconnect-on-idle {
        minutes 180;
      }
    }
  }
  client-auth {
    GPG-CLIENT-AUTH {
      authentication-profile "Local-Database Authentication";
      os Any;
      authentication-message "Enter login credentials";
    }
  }
  remote-user-tunnel-configs {
    GPG-Agent {
      authentication-override {
        generate-cookie no;
      }
      split-tunneling {
        access-route 192.168.1.0/24;
        exclude-access-route;
      }
      source-user any;
      authentication-server-ip-pool;
      ip-pool 192.168.250.0/24;
      os all;
      retrieve-framed-ip-address no;
      no-direct-access-to-local-network no;
    }
  }
  ssl-tls-service-profile PORTAL-SSL-SERVICE-PROFILE;
  tunnel-mode yes;
  remote-user-tunnel tunnel.3;
}

 

Anybody that can help me out with this?

 

 


Community Team Member

Hi @GOMEZZZ,

 

You might be running into the following issue:

 

https://aaa161.com/t5/Management-Articles/GlobalProtect-Gateway-Certificate-Error-Whe...

 

Hope this helps.

Cheers!

-Kiwi.

LIVEcommunity team member, CISSP

Hi Kiwi,

 

This doesn't seem to be related to this issue.

 

Frederik.

 

L1 Bithead

If you have a certificate on your IP, instead of your hostname, you need to change the external gateway FQDN name to the IP and not use fw.relianet.be

 

 

So edit this:

 

gateways {external {list {fw.relianet.be {fqdn fw.relianet.be;priority-rule {Any {priority 1;}}

To this:

 

gateways {external {list {fw.relianet.be {fqdn <your IP address>;priority-rule {Any {priority 1;}}

 

A-

Hi andy,

 

I have a certificate with subject and SAN set to fw.relianet.be

 

cert.PNG

 

I modified it as you suggested for testing but still have the same result:

 

gateways {
          external {
            list {
              fw.relianet.be {
                ip {
                  ipv4 81.83.18.57;
                }
                priority-rule {
                  Any {
                    priority 1;
                  }

 

If you need any other screenshots please let me know.

 

Tnx,

 

Fredrik.

 

I would activate the debugger on the client and see why it's not accepting your certificate; it will tell you exactly what is wrong.

 

If you right click in your client, you can choose "Collect Logs", open that zipfile and open PanGPS.log.

 

Look for anything relevant to SSL:

 

(T21656) 03/12/18 15:19:20:667 Debug( 322): Open_SSL_connection: subject '/C=US/ST=West Virginia/L=Charleston/O=xxxxxxxxx (US) Inc./OU=IS/CN=*.xxxxxxx.com'
(T21656) 03/12/18 15:19:20:667 Debug( 326): Open_SSL_connection: issuer '/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA'
(T21656) 03/12/18 15:19:20:667 Debug(1006): Name vpn.xxxxxxxxx.com matches pattern *.xxxxxxx.com
(T21656) 03/12/18 15:19:20:667 Debug( 923): Cert name match of *.xxxxxxx.com succeeded

6:39:52:897 Debug( 545): Failed to connect to 81.83.18.57 on 443 with return error -1 and socket error 0(The operation completed successfully.)
(T5540) 03/15/18 16:39:52:897 Debug( 697): do_tcp_connect() fails
(T5540) 03/15/18 16:39:52:897 Error(7700): ConnectSSL: Failed to connect to '81.83.18.57:443'. Separation ssl.
(T5540) 03/15/18 16:39:52:897 Debug(7711): Cannot get server cert of 81.83.18.57
(T5540) 03/15/18 16:39:52:897 Debug(5145): Already tried both ipv4 and ipv6 for gateway fw.relianet.be
(T5540) 03/15/18 16:39:52:897 Error(2845): Failed to verify server certificate of gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(4576): Show Gateway fw.relianet.be: The server certificate is invalid. Please contact your IT administrator.
(T5540) 03/15/18 16:39:52:897 Info (2148): Failed to retrieve info for gateway fw.relianet.be.
(T5540) 03/15/18 16:39:52:897 Debug(2155): tunnel to fw.relianet.be is not created.
(T5540) 03/15/18 16:39:52:897 Error(3876): NetworkDiscoverThread: failed to discover external gateway.
(T5540) 03/15/18 16:39:52:897 Debug(4733): --Set state to Disabled Clear

 

I also removed the GlobalProtect client and cleared the folders in C:\Users\username\appdata\local\Palo Alto\...

every time I change something.

 

Was this ever resolved? I see the same type of errors in my log and it's not clear where to go from here.

@GOMEZZZ ,

 

Please check the following.

- Try with a different version of GP.

- It can happen if you have a foreign root CA. Please try to create a server certificate issued by your domain server (Root CA).
Also make sure of the two things below.
- Add Root CA, PAN Forward Trust certificate in CA certificates under Certificate Profile
- Add Root CA, PAN Forward Trust certificate in Trusted Root CA under GP portal config.

Hello Team,

I am having the below issue and I do enter my "Local Credentials" but nothing happens. Please help me.

 

invalid http response. return error(Credential validate unsuccessful; Retry authentication). - 04/24/2020 21:42:09  (enter credentials)

 

Thank you,

Mohammad Rahman

L2 Linker

hey @GOMEZZZ 

 

I know it's been a while since you've made this post, but I hope this message finds you well.

 

Based on the PanGPS logs you've previously posted, the Agent is unable to verify the server certificate used for the Gateway SSL/TLS profile.

 

Common issues for this would include CN mismatch, as mentioned before by other community members, and incorrect certificate placement, e.g. the Agent is unable to follow the full chain. A quick way to test this is using your local browser to connect and reviewing the output messages.

 

Could you please confirm the following:

 

1. The root (and intermediate if applicable) CA(s) used to sign the imported Portal/Gateway certificate are deployed in the correct directories on the endpoint

2. The server certificate used for the Portal/Gateway has the right CN (and SAN if applicable) attribute

 

I've included documentation discussing the certificate deployment options for GlobalProtect below for your reference also.

 

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/get-started/enable-ssl-betwe...

 

 

-Cheers
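A check an endpoint admin can run to tell apart the causes raised in this thread: a CN/SAN that does not cover the name or IP the gateway entry points at (why switching the gateway entry to 81.83.18.57 cannot help when the certificate only names fw.relianet.be), a chain the client cannot build, and the case the PanGPS log above actually shows (do_tcp_connect() fails, so no certificate was fetched at all, yet the agent still reports "server certificate is invalid"). This is an added example, not code from the thread or from Palo Alto Networks; the name-matching rules are the RFC 6125 rules browsers apply, and the sample certificate dict is constructed.

```python
import ipaddress
import socket
import ssl

def _label_match(pattern: str, name: str) -> bool:
    """RFC 6125-style DNS match: '*' is allowed only as the whole leftmost label."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p == n:
        return True
    pl, nl = p.split("."), n.split(".")
    if pl[0] != "*" or len(pl) < 3 or len(pl) != len(nl):
        return False
    return pl[1:] == nl[1:]

def cert_matches(peercert: dict, target: str) -> bool:
    """True if target (FQDN or IP) is covered by a cert in ssl.getpeercert() dict shape."""
    sans = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # A gateway entry set to an IP only matches an IP-address SAN, never the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        # Once DNS SANs are present the CN is ignored, as browsers and the agent do.
        return any(_label_match(p, target) for p in dns_sans)
    return any(k == "commonName" and _label_match(v, target)
               for rdn in peercert.get("subject", ()) for k, v in rdn)

def probe_gateway(host: str, port: int = 443) -> str:
    """Live check against the system trust store; returns 'ok', 'name-mismatch',
    'untrusted-chain' (e.g. missing intermediate) or 'connect-failed'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return "name-mismatch" if "mismatch" in str(e).lower() else "untrusted-chain"
    except OSError:
        return "connect-failed"

# Constructed sample (not a real certificate): subject and SAN both set to
# fw.relianet.be, as the original poster describes their certificate.
FQDN_ONLY_CERT = {"subject": ((("commonName", "fw.relianet.be"),),),
                  "subjectAltName": (("DNS", "fw.relianet.be"),)}
```

Run `probe_gateway("fw.relianet.be")` from the affected endpoint: "connect-failed" points at reachability on 443, not at the certificate, while "name-mismatch" versus "untrusted-chain" tells you which of the two certificate fixes in the replies applies.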