Palo Alto Networks Knowledgebase: GlobalProtect app on Android 6.0+ cannot establish VPN connection using IP address

GlobalProtect app on Android 6.0+ cannot establish VPN connection using IP address

5121
Created On 02/07/19 23:44 PM - Last Updated 02/07/19 23:45 PM
VPNs
Symptom

Symptoms

GlobalProtect app running on Android 6.0 or later cannot establish the VPN connection when: 

 

  • The root CA certificate for GlobalProtect Portal/Gateway is in Trusted Credentials on the Android device.
  • And the GlobalProtect Portal/Gateway Certificate Common Name (CN) is IP address.

 

In this case, the following error message will be displayed : Cannot connect to GlobalProtect portal

Error-on-AndroidVM-001.png

 

 

Gp.log from GlobalProtect app shows the following errors:

(6227)01/05 17:55:33:120201 - javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120352 - exception GetHttpResponse, response code is 0
(6227)01/05 17:55:33:120521 - response from server is:
null, exception Message: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
eType:javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1]
(6227)01/05 17:55:33:120557 - (l5)JNI,6243,508,not handled, ret=error, javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.206.1 not verified:
certificate: sha1/5BHzss0x9EpOd9YtEPZcwtCNaOQ=
DN: CN=192.168.206.1,ST=Tokyo,C=JP
subjectAltNames: [192.168.206.1], return NULL now

 

Diagnosis

This is due to a new behavior of Android 6.0+.

 

Starting from Android 6.0, if the CN is an IP address in a certificate, the IP address should also be in Subject Alternative Name(SAN) as iPAddress subAltName. If the IP address is missing from iPAddress subAltName, certification verification will fail.

 

For older Android versions, the certification verification will pass as long as the CN matches.

 

 

 



Resolution

Generate a certificate for GlobalProtect Portal/Gateway that have iPAddress subAltName field, and replace the existing certificates.

 

The following screen shot shows how to set iPAddress Subject Alternative Name on the Palo Alto Netrwork Next-Generation Firewall.

 

In generating a certificate, add "IP" Type and input the IP address as the Value in Certificate Attributes field:

iPAddress-subAltName-PANFW001.png 

 

The generated certificate shows IP Address value in Subject Alternative Name Field:

cert-on-windows-001.png

 

Set this certificate for GlobalProtect Portal/Gateway certificates.  After that, the VPN connection can be established.

 

Please see the following guide for deploying GlobalProtect Server Certificate: 

Deploy Server Certificates to the GlobalProtect Components

 

  

Another available workaround is removing the CA certificate from the Android phone (Generally from "Setting > Security > Trusted credentials").

 

In this case, GlobalProtect app shows "Untrsuted Certificate" warning message once (as shown below), then the connection will be established.

 

error-on-AndroidVM-001.png

 

This is not recommended generally because users should check destination Portal/Gateway validity manually.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloyCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language