GlobalProtect client is getting "The certificate CN name mismatch" after performing the resolution of CVE-2024-5921.

Created On 01/23/25 02:36 AM - Last Modified 03/28/25 20:34 PM


Symptom


  • GlobalProtect client is getting "The certificate CN name mismatch" after performing the resolution of CVE-2024-5921.
  • A local proxy with PAC file is used for GlobalProtect.
  • Accessing the portal address from a browser through the proxy succeeds.
  • In PanGPS.log, the following error is observed during portal login.
    (P6148-T4676)Dump (16630): 01/08/25 18:14:52:484 Full Chain Cert flag is set to: yes
    (P6148-T4676)Error(13777): 01/08/25 18:14:52:484 pszDest is empty for CheckServerCert()
    (P6148-T4676)Debug(10524): 01/08/25 18:14:52:484 Certificate verification result:0x0
    (P6148-T4676)Debug(10682): 01/08/25 18:14:52:484 Need to send portal certificate verification message to PanGPA.
    (P6148-T4676)Debug(10684): 01/08/25 18:14:52:484 Set state to Disconnected
    (P6148-T4676)Debug(8110): 01/08/25 18:14:52:484 --Set state to Disconnected
  • From PanGPA.log, invalid_server_cert is observed.
    (P16708-T14120)Debug( 325): 01/08/25 18:14:52:510 ===> response sent to GPI = <response><type>status</type><state>Disconnected</state><error></error><disabled>no</disabled></response>
    (P16708-T14120)Debug( 125): 01/08/25 18:14:52:510 Received data from Pan Service
    (P16708-T14120)Debug( 434): 01/08/25 18:14:52:510 Receive gps message with type portal-certificate-verification.
    (P16708-T14120)Debug( 325): 01/08/25 18:14:52:510 ===> response sent to GPI = <response><type>invalid_server_cert</type><error>2064</error><server>xxxxx.gpcloudservice.com</server><disabled>no</disabled></response>
    (P16708-T14120)Debug( 309): 01/08/25 18:14:52:510 message type from the service = portal-certificate-verification
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
            <type>portal-certificate-verification</type>
            <status>Disconnected</status>
            <protocol/>
            ......(output Omitted)......
            <portal-status>Invalid portal</portal-status>
            ......(output omitted)......
            <error-code>2064</error-code>
    </response>
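To check whether a client's logs show the same pattern as the excerpts above, the following added example (not Palo Alto Networks code) parses the line layout visible in those excerpts and reports when the PanGPS `pszDest is empty` error is followed by a PanGPA `invalid_server_cert` response with error 2064. The function names and the 5-second correlation window are assumptions; the sample lines are copied from the excerpts above.

```python
import re
from datetime import datetime

# Layout seen in the excerpts: (P<pid>-T<tid>)<Level>(<src line>): MM/DD/YY HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"\(P\d+-T\d+\)\s*(?P<level>\w+)\s*\(\s*\d+\):\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3})\s+(?P<msg>.*)"
)

# Sample lines copied from the excerpts in this article.
PANGPS_SAMPLE = """\
(P6148-T4676)Dump (16630): 01/08/25 18:14:52:484 Full Chain Cert flag is set to: yes
(P6148-T4676)Error(13777): 01/08/25 18:14:52:484 pszDest is empty for CheckServerCert()
(P6148-T4676)Debug(10682): 01/08/25 18:14:52:484 Need to send portal certificate verification message to PanGPA.
"""
PANGPA_SAMPLE = """\
(P16708-T14120)Debug( 434): 01/08/25 18:14:52:510 Receive gps message with type portal-certificate-verification.
(P16708-T14120)Debug( 325): 01/08/25 18:14:52:510 ===> response sent to GPI = <response><type>invalid_server_cert</type><error>2064</error><server>xxxxx.gpcloudservice.com</server><disabled>no</disabled></response>
"""


def parse(text):
    """Yield (timestamp, level, message) for every line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
            yield ts, m["level"], m["msg"]


def matches_kb_signature(gps_text, gpa_text, window_s=5.0):
    """True if the PanGPS error is followed within window_s by the PanGPA response.

    window_s is an assumed correlation window, not a documented value.
    """
    gps_hits = [ts for ts, level, msg in parse(gps_text)
                if level == "Error" and "pszDest is empty for CheckServerCert()" in msg]
    gpa_hits = [ts for ts, _, msg in parse(gpa_text)
                if "<type>invalid_server_cert</type>" in msg
                and "<error>2064</error>" in msg]
    return any(0 <= (a - g).total_seconds() <= window_s
               for g in gps_hits for a in gpa_hits)


if __name__ == "__main__":
    print("matches article signature:", matches_kb_signature(PANGPS_SAMPLE, PANGPA_SAMPLE))
```

A result of False means the logs do not show this article's pattern, so the mismatch warning needs separate investigation.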


Environment


  • GlobalProtect App version 6.2.6


Cause


Software Issue.



Resolution


Workaround:

  1. Add the portal address FQDN to the PAC file so that the portal is accessed directly instead of through the proxy.

Resolution:

  1. The issue will be fixed under GPC-22233.
  2. The fix is targeted to be released in the GP App version 6.3.3.

 

 


