Unable to Access GlobalProtect Due to Error (3659)
Symptom
The following error appears when a user attempts to connect to the GlobalProtect portal:
Error(3659): Protocol error. Check server certificate. Failed to ssl connect to 'gp.server.certificate', Disconect ssl and returns false.
Environment
- GlobalProtect
- Server Certificate
Cause
The user connects to the GlobalProtect portal successfully, but the connection to the gateway terminates with Error (3659). The error is recorded in the GlobalProtect logs on the client. To view it, open Troubleshooting, select PanGP Service under Log, and select Error for Debug Level.
Once the user clicks the Start button, they will receive the following error:
Protocol error. Check server certificate. Failed to ssl connect to '<GlobalProtect_server:port> Disconnect ssl and returns false.
Resolution
This error indicates a problem with the SSL certificate profile, for one of the following reasons:
1. The server certificate is not valid. To resolve, go to Network > Portal > Authentication > SSL/TLS Service Profile. Double-check which SSL/TLS Service Profile and certificate the server uses in the general settings. Make sure the same setting is used under Network > Gateway > Authentication > SSL/TLS Service Profile.
2. Check if the certificate is valid by going to Device > Certificate Management > Certificates > Device Certificates.
3. The client is attempting to access an incorrect server certificate. Make certain to specify the correct server certificate.
4. A server certificate became invalid or expired. When a new valid server certificate was created and called, the client still used the original invalid server certificate. Reinstall the GlobalProtect client by accessing the GlobalProtect portal so the client pulls the latest certificate.
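The checks in the list above (validity window, correct server name, and whether the portal and gateway present the same certificate) can also be run from a client machine. The following is an added example, not part of the original article and not Palo Alto Networks code. It assumes certificates in the dictionary form returned by Python's ssl getpeercert(); the function names, host names and certificate values are constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Verified handshake: returns (cert_dict, None) or (None, failure_reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message  # e.g. "certificate has expired"

def san_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        return host.split(".", 1)[1:] == [pattern[2:]]
    return pattern == host

def cert_problems(cert, host, now=None):
    """List validity problems for a cert dict in ssl getpeercert() form."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(n, host) for n in names):
        problems.append("hostname not in SAN")
    return problems

def compare(portal, gateway, portal_host, gateway_host, now=None):
    """Report on the portal and gateway certificates side by side."""
    return {
        "portal": cert_problems(portal, portal_host, now),
        "gateway": cert_problems(gateway, gateway_host, now),
        "same_certificate": portal["serialNumber"] == gateway["serialNumber"],
    }

# Constructed sample data (not from a real firewall): the portal presents a
# current certificate, the gateway still presents an expired one.
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
PORTAL = {"serialNumber": "0A", "notBefore": "Jan 10 00:00:00 2024 GMT",
          "notAfter": "Jan 10 00:00:00 2025 GMT",
          "subjectAltName": (("DNS", "gp.example.com"),)}
GATEWAY = {"serialNumber": "07", "notBefore": "Jan 10 00:00:00 2023 GMT",
           "notAfter": "Jan 10 00:00:00 2024 GMT",
           "subjectAltName": (("DNS", "gw.example.com"),)}
```

With the sample data, compare() reports no problems for the portal and an expired certificate for the gateway, which matches the symptom of a portal connection that succeeds followed by a gateway connection that fails.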