Palo Alto Networks Knowledgebase: Error: Certificate CN mismatch while connecting GlobalProtect client

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:04 AM

Issue

When connecting to GlobalProtect from a client, the following Server Certificate Error displays:

[Screenshot: GP CN mismatch]

Cause

The issue occurs because the CN (FQDN or IP address) used to generate the server certificate (Device > Certificate Management > Certificates) is different from the gateway address configured in Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways Address.


Resolution

  1. Ensure the CN in the certificate being used (Device > Certificate Management > Certificates) is the same as the address in the GlobalProtect Portal configuration: Network > GlobalProtect Portals > Portal profile > Client Configuration > Gateways > Internal or External Gateways Address.
  2. If the CN is an FQDN, ensure it resolves to the same IP address as used in the above configuration.
  3. If the certificate you use for GlobalProtect is not a CA certificate and is signed by a private CA, you will see the error even if you have installed the private CA as a trusted CA on the client machine and steps 1 and 2 are okay. Use a private CA for GlobalProtect and make sure steps 1 and 2 are fulfilled.
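
Steps 1 and 2 can be scripted. The Python below is an added example, not Palo Alto Networks code: `check_gateway`, its parameters and the sample values (`gp.example.com`, `203.0.113.10`) are assumptions, and the certificate is passed as the dict that `ssl.SSLSocket.getpeercert()` returns. It checks the CN only, as described in this article.

```python
import ipaddress
import socket

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "gp.example.com"),),)}

def cert_cn(cert):
    """Return the subject CN of a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def as_ip(text):
    """Parse text as an IP address; None means it is a hostname/FQDN."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def dns_lookup(fqdn):
    """Default resolver: every address DNS currently returns for fqdn."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}

def check_gateway(cert, gateway_address, gateway_ip, resolve=dns_lookup):
    """Apply steps 1 and 2; return a list of problems (empty list = consistent)."""
    cn = cert_cn(cert)
    if cn is None:
        return ["certificate has no CN"]
    problems = []
    cn_ip, addr_ip = as_ip(cn), as_ip(gateway_address)
    # Step 1: the CN must equal the gateway address configured in the portal.
    if cn_ip is not None or addr_ip is not None:
        same = cn_ip == addr_ip  # an IP never matches an FQDN
    else:
        same = cn.rstrip(".").lower() == gateway_address.rstrip(".").lower()
    if not same:
        problems.append(f"CN {cn!r} does not match gateway address {gateway_address!r}")
    # Step 2: an FQDN CN must resolve to the gateway's IP address.
    if cn_ip is None:
        try:
            resolved = {as_ip(a) for a in resolve(cn)}
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"CN {cn!r} does not resolve: {exc}")
        else:
            if as_ip(gateway_ip) not in resolved:
                problems.append(f"CN {cn!r} resolves to other addresses, not {gateway_ip}")
    return problems
```

Run it from a client that uses the same DNS servers as the GlobalProtect endpoints, since step 2 depends on what those clients resolve.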

 


