The GlobalProtect app running on Android 6.0 or later cannot establish the VPN connection when both of the following are true:
The root CA certificate for the GlobalProtect Portal/Gateway is installed under Trusted Credentials on the Android device.
The GlobalProtect Portal/Gateway certificate's Common Name (CN) is an IP address.
In this case, the following error message is displayed: Cannot connect to GlobalProtect portal
Gp.log from the GlobalProtect app shows the following errors:
(6227)01/05 17:55:33:120201 - javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120352 - exception GetHttpResponse, response code is 0
(6227)01/05 17:55:33:120521 - response from server is:
null, exception Message: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
eType:javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120557 - (l5)JNI,6243,508,not handled, ret=error, javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1], return NULL now
Diagnosis
This is due to a change in certificate hostname verification introduced in Android 6.0.
Starting with Android 6.0, if the CN of a certificate is an IP address, the same IP address must also be present in the Subject Alternative Name (SAN) extension as an iPAddress entry. If the IP address is missing from the iPAddress SAN entry, certificate verification fails.
On older Android versions, certificate verification passes as long as the CN matches.
Resolution
Generate a certificate for the GlobalProtect Portal/Gateway that has an iPAddress subjectAltName field, and replace the existing certificates with it.
The following screenshot shows how to set an iPAddress Subject Alternative Name on the Palo Alto Networks Next-Generation Firewall.
When generating the certificate, add an attribute of Type "IP" and enter the IP address as the Value in the Certificate Attributes field:
The generated certificate shows the IP address value in the Subject Alternative Name field:
Assign this certificate as the GlobalProtect Portal/Gateway certificate. After that, the VPN connection can be established.
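The following Python script is an added illustration and is not code from the GlobalProtect app or from Palo Alto Networks. It models the two hostname-verification rules described in the Diagnosis section (CN match is enough on older Android; Android 6.0+ requires an iPAddress SAN entry when the portal is addressed by IP) and adds a pre-deployment check that flags a certificate whose CN is an IP address but whose SAN has no matching iPAddress entry. The certificates are constructed in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the address and DN values are taken from the log excerpt, and the assumption that the original certificate carried the address only as a DNS-type SAN entry (which the log does not state) is an assumption of this example. The hostname branch of the strict check follows the usual "SAN dNSName first, CN only as fallback" rule, which the article does not discuss.

```python
import ipaddress

# Constructed sample certificates in ssl.SSLSocket.getpeercert() dict form (not real certificates).
# ORIGINAL_CERT models the certificate behind the log: CN is the IP, SAN carries it only as a
# DNS-type name (assumption). CORRECTED_CERT models the fix: the IP added as an iPAddress SAN entry.
_SUBJECT = (
    (("commonName", "192.168.206.1"),),
    (("stateOrProvinceName", "Tokyo"),),
    (("countryName", "JP"),),
)
ORIGINAL_CERT = {
    "subject": _SUBJECT,
    "subjectAltName": (("DNS", "192.168.206.1"),),
}
CORRECTED_CERT = {
    "subject": _SUBJECT,
    "subjectAltName": (("DNS", "192.168.206.1"), ("IP Address", "192.168.206.1")),
}


def common_name(cert):
    """Return the certificate's CN, or None if the subject has no commonName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Exact match, or a single leftmost-label wildcard (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def verify_legacy(cert, host):
    """Pre-Android-6 rule from the article: the connection is accepted when the CN matches
    (a matching DNS SAN entry is accepted too)."""
    sans = cert.get("subjectAltName", ())
    if any(kind == "DNS" and value == host for kind, value in sans):
        return True
    return common_name(cert) == host


def verify_strict(cert, host):
    """Android 6.0+ rule: an IP-address host must match an iPAddress SAN entry; the CN is
    not consulted for IP addresses. Hostnames match DNS SAN entries, falling back to the CN
    only when the certificate has no DNS SAN entries at all."""
    sans = cert.get("subjectAltName", ())
    if is_ip(host):
        target = ipaddress.ip_address(host)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(dns_match(name, host) for name in dns_names)
    cn = common_name(cert)
    return cn is not None and dns_match(cn, host)


def missing_ip_sans(cert):
    """Pre-deployment check for a portal/gateway certificate: list every IP address that
    appears as the CN but has no matching iPAddress SAN entry. Empty list means the
    certificate will pass the Android 6.0+ check when the portal is reached by that IP."""
    cn = common_name(cert)
    if cn is None or not is_ip(cn):
        return []
    present = {ipaddress.ip_address(value)
               for kind, value in cert.get("subjectAltName", ()) if kind == "IP Address"}
    return [] if ipaddress.ip_address(cn) in present else [cn]


if __name__ == "__main__":
    portal = "192.168.206.1"
    for label, cert in (("original", ORIGINAL_CERT), ("corrected", CORRECTED_CERT)):
        print(f"{label}: legacy={verify_legacy(cert, portal)} "
              f"android6={verify_strict(cert, portal)} "
              f"missing iPAddress SAN={missing_ip_sans(cert)}")
```

Running the script shows the original certificate passing the legacy check but failing the Android 6.0+ check, while the corrected certificate passes both; missing_ip_sans() is the check to run against a candidate certificate before assigning it to the portal or gateway.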
Please see the following guide for deploying GlobalProtect Server Certificate: