GlobalProtect users are disconnected multiple times a day

19193
Created On 04/15/21 11:30 AM - Last Modified 09/23/21 22:13 PM


Symptom


  • Users are experiencing multiple GlobalProtect disconnects throughout the day.
  • The following errors are seen in PanGPS.log:
      The SSL connection to the gateway fails
(T7360)Debug( 316): 02/19/21 12:57:13:585 SSL connect failed
(T7360)Info (4694): 02/19/21 12:57:13:585 ConnectSSL: Failed to connect to '172.16.0.11:443'
      The GlobalProtect app was attempting to send a HIP report check to the gateway over HTTPS
(T7360)Debug(5128): 02/19/21 12:57:13:494 using https to send hip report check to gateway plano.gppanw.com
      The detailed SSL error shows that the failure is due to certificate verification
(T7360)Debug(  60): 02/19/21 12:57:13:585 detailed SSL error info:
(T7360)Debug(  63): 02/19/21 12:57:13:585 *** error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
(T7360)Debug( 793): 02/19/21 12:57:13:585 connect() failed
      While initiating the connection to the gateway 172.16.0.11, a connection through a local proxy (127.0.0.1:9000) is established first
(T7360)Debug( 329): 02/19/21 12:57:13:495 host 172.16.0.11, proxy=127.0.0.1, port=9000, isIpv6=0
(T7360)Debug( 550): 02/19/21 12:57:13:495 host is 172.16.0.11, port=443, isIpV6=0, bProxy=1, proxyhost=127.0.0.1, proxyport=9000
(T7360)Debug( 559): 02/19/21 12:57:13:505 Network is reachable
(T7360)Debug( 621): 02/19/21 12:57:13:506 try to connect to proxy, nProxyIP=0100007f, proxyPort=9000, proto=6
(T7360)Debug( 627): 02/19/21 12:57:13:506 connect to proxy now
(T7360)Debug( 200): 02/19/21 12:57:13:506 s=3224, destName=172.16.0.11, nPort=443, nProxyIP=0100007f, nProxyPort=9000, proxyuser=, proxypass=
(T7360)Debug( 263): 02/19/21 12:57:13:561 Proxy connection established
      Certificate verification of the gateway then fails with the following error messages
certification verification failed
OpenSSL alert write:fatal:certificate unknown
*** error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed


Environment


  • GlobalProtect App
  • Zscaler installed on client system


Cause


A third-party proxy application (Zscaler in this case) is intercepting the connections to the GlobalProtect Portal/Gateway and presenting its own proxy-issued certificate in place of the certificate configured on the Portal/Gateway.
  • In PanGPS.log, the Open_SSL_connection entries show that the server certificate presented to the client has the wrong issuer for the GlobalProtect server certificate: the subject is the expected *.gppanw.com name, but the issuer is a Zscaler intermediate CA.
(T7648)Debug( 366): 02/19/21 12:56:43:596 Open_SSL_connection: subject '/C=US/ST=TX/O=Palo Alto Networks/CN=*.gppanw.com'
(T7648)Debug( 366): 02/19/21 12:56:43:596 Open_SSL_connection: issuer '/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscloud.net) (t) '
  • The certificate configured on PAN-OS for the GlobalProtect server has the issuer "PA.root.local", as shown in the screenshot:
[Screenshot: PAN-OS certificate configuration, GlobalProtect server certificate, issuer PA.root.local]
  • The client therefore receives a certificate chained to the Zscaler intermediate CA rather than to PA.root.local. It cannot validate that chain against the issuer it expects, so server certificate verification fails, the SSL connection is torn down, and the user is disconnected.
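The following script is an added triage example for this article; it is not Palo Alto Networks code and is not part of the original KB. It scans a PanGPS.log excerpt for the three facts the Cause section relies on (a local proxy in the connection path, the issuer of the certificate the client actually received, and the resulting "certificate verify failed") and classifies the failure. The sample log lines are constructed from the excerpts quoted above, the regular expressions assume the log format shown there, and the expected issuer CN "PA.root.local" is taken from the screenshot description; adjust it to the issuer of your own Portal/Gateway certificate.

```python
"""Triage a PanGPS.log excerpt for TLS interception by a local proxy.

Added example for this article, not Palo Alto Networks code. It extracts
the proxy in the connection path (bProxy=1), the issuer of the certificate
the client actually received (Open_SSL_connection: issuer) and the
'certificate verify failed' error, then classifies what went wrong.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample, modelled on the PanGPS.log excerpts quoted in this article.
SAMPLE_LOG = """\
(T7360)Debug(5128): 02/19/21 12:57:13:494 using https to send hip report check to gateway plano.gppanw.com
(T7360)Debug( 550): 02/19/21 12:57:13:495 host is 172.16.0.11, port=443, isIpV6=0, bProxy=1, proxyhost=127.0.0.1, proxyport=9000
(T7360)Debug( 263): 02/19/21 12:57:13:561 Proxy connection established
(T7648)Debug( 366): 02/19/21 12:56:43:596 Open_SSL_connection: subject '/C=US/ST=TX/O=Palo Alto Networks/CN=*.gppanw.com'
(T7648)Debug( 366): 02/19/21 12:56:43:596 Open_SSL_connection: issuer '/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscloud.net) (t)'
(T7360)Debug(  63): 02/19/21 12:57:13:585 *** error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
(T7360)Debug( 316): 02/19/21 12:57:13:585 SSL connect failed
(T7360)Info (4694): 02/19/21 12:57:13:585 ConnectSSL: Failed to connect to '172.16.0.11:443'
"""

# Assumption: CN of the issuer of the certificate configured on the
# Portal/Gateway. The article's screenshot shows it as "PA.root.local".
EXPECTED_ISSUER_CN = "PA.root.local"

PROXY_RE = re.compile(r"bProxy=1, proxyhost=(?P<host>[^,\s]+), proxyport=(?P<port>\d+)")
SUBJECT_RE = re.compile(r"Open_SSL_connection: subject '(?P<dn>[^']*)'")
ISSUER_RE = re.compile(r"Open_SSL_connection: issuer '(?P<dn>[^']*)'")
FAILED_RE = re.compile(r"ConnectSSL: Failed to connect to '(?P<target>[^']+)'")
VERIFY_FAILED = "certificate verify failed"


def parse_dn(dn: str) -> Dict[str, str]:
    """Turn an OpenSSL one-line DN ('/C=US/O=Example/CN=host') into a dict."""
    parts: Dict[str, str] = {}
    for rdn in dn.strip("/").split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


@dataclass
class Finding:
    proxy: Optional[str] = None          # "host:port" of the local proxy, if logged
    subject_cn: Optional[str] = None     # CN of the certificate presented to the client
    issuer_cn: Optional[str] = None      # CN of the issuer of that certificate
    verify_failed: bool = False          # OpenSSL error 14090086 seen
    failed_target: Optional[str] = None  # 'ip:port' from the ConnectSSL failure


def parse_pangps(text: str) -> Finding:
    """Collect the interception-relevant fields from a PanGPS.log excerpt."""
    f = Finding()
    for line in text.splitlines():
        if (m := PROXY_RE.search(line)):
            f.proxy = f"{m['host']}:{m['port']}"
        elif (m := SUBJECT_RE.search(line)):
            f.subject_cn = parse_dn(m["dn"]).get("CN")
        elif (m := ISSUER_RE.search(line)):
            f.issuer_cn = parse_dn(m["dn"]).get("CN")
        elif VERIFY_FAILED in line:
            f.verify_failed = True
        elif (m := FAILED_RE.search(line)):
            f.failed_target = m["target"]
    return f


def diagnose(f: Finding, expected_issuer_cn: str) -> str:
    """Classify the excerpt against the issuer configured on the Portal/Gateway."""
    if not f.verify_failed:
        return "no-verify-failure"
    if f.issuer_cn is None:
        return "verify-failed-issuer-unknown"
    if f.issuer_cn != expected_issuer_cn:
        # Wrong issuer plus a proxy in the path is the pattern this article describes.
        return "intercepted-by-proxy" if f.proxy else "unexpected-issuer-no-proxy"
    # Right issuer but still untrusted: a missing/expired CA on the client, not interception.
    return "expected-issuer-chain-untrusted"


if __name__ == "__main__":
    finding = parse_pangps(SAMPLE_LOG)
    print(finding)
    print("verdict:", diagnose(finding, EXPECTED_ISSUER_CN))
```

Run it against a real PanGPS.log by replacing SAMPLE_LOG with the file contents; a verdict of "intercepted-by-proxy" together with the proxy address identifies the application that must exclude the Portal/Gateway. After the exclusion is in place, a fresh log should yield either no verification failure or an issuer equal to the configured one.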


Resolution


Exclude the GlobalProtect Portal/Gateway IP address(es) from interception on the third-party application that is acting as a proxy on the client machine (Zscaler in this case). After the exclusion, the issuer logged by Open_SSL_connection in PanGPS.log should match the certificate configured on the Portal/Gateway. Excluding the traffic, rather than adding the proxy's CA to the GlobalProtect trust path, is the correct fix: the verification failure is the client refusing a certificate that was not issued for the Portal/Gateway.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V95CAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
