Unable to Access GlobalProtect Due to Error (3659)

Created On 09/26/18 13:48 PM - Last Modified 06/15/23 23:47 PM


Symptom


 

The following error appears when a user attempts to connect to the GlobalProtect portal:

 Error(3659): Protocol error. Check server certificate. Failed to ssl connect to 'gp.server.certificate', Disconect ssl and returns false.

 



Environment


  • GlobalProtect
  • Server Certificate


Cause


The connection to the GlobalProtect portal succeeds, but when the user tries to connect to the gateway, the connection terminates with Error (3659). The error is recorded in the GlobalProtect logs on the client. To view it, open Troubleshooting, select PanGP Service under Log, and select Error for Debug Level.


 

Once the user clicks on the Start button they will receive the following error:

Protocol error. Check server certificate. Failed to ssl connect to '<GlobalProtect_server:port> Disconnect ssl and returns false.




Resolution


 

This error indicates a problem with the SSL certificate profile, due to one of the following reasons:

1. The server certificate is not valid. To resolve, go to Network > Portal > Authentication > SSL/TLS Service Profile. Double-check which SSL/TLS Service Profile and certificate the server uses in the general settings. Make sure the same setting is used under Network > Gateway > Authentication > SSL/TLS Service Profile.
2. Check if the certificate is valid by going to Device > Certificate Management > Certificates > Device Certificates.
3. The client is attempting to access an incorrect server certificate. Make certain to specify the correct server certificate.
4. A server certificate became invalid or expired. When a new valid server certificate was created and called, the client still used the original invalid server certificate. Reinstall the GlobalProtect client by accessing the GlobalProtect portal so the client pulls the latest certificate.
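
The checks above can also be run from a workstation with the openssl CLI. The following is an added example, not part of the original article or of Palo Alto Networks tooling: it tests a saved PEM certificate for expiry and host-name coverage and prints its SHA-256 fingerprint, so the certificates presented by the portal and the gateway can be compared. The function names and the placeholder host names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: inspect the certificates a GlobalProtect portal and gateway present.
# Requires the openssl CLI. Function names here are illustrative, not a vendor tool.

# Save the leaf certificate a TLS server presents to a PEM file (needs network access).
fetch_cert() {  # usage: fetch_cert host port out.pem
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# SHA-256 fingerprint: identical values mean both endpoints serve the same certificate.
cert_fingerprint() {  # usage: cert_fingerprint cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate is still valid N seconds from now (default 0 = not expired).
cert_valid_for() {  # usage: cert_valid_for cert.pem [seconds]
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Succeeds if the name the client connects to is covered by the certificate (SAN or CN).
cert_matches_host() {  # usage: cert_matches_host cert.pem hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run all checks for one endpoint; returns non-zero if any check fails.
check_gp_cert() {  # usage: check_gp_cert cert.pem hostname [min_seconds_left]
  rc=0
  cert_valid_for "$1" "${3:-0}" || { echo "FAIL: expired or expiring soon: $1"; rc=1; }
  cert_matches_host "$1" "$2"   || { echo "FAIL: $2 is not covered by $1"; rc=1; }
  echo "sha256 $(cert_fingerprint "$1")  $1"
  return $rc
}

# Usage (placeholder host names; substitute the portal and gateway addresses in use):
#   fetch_cert portal.example.test 443 portal.pem
#   fetch_cert gateway.example.test 443 gateway.pem
#   check_gp_cert portal.pem portal.example.test
#   check_gp_cert gateway.pem gateway.example.test 604800   # warn if under 7 days left
```

Differing fingerprints for the portal and gateway are expected only when they are configured with different SSL/TLS Service Profiles.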

 

 


