GlobalProtect Client fails to connect due to client certificate error after upgrading to GP 6.0.5 or later in iOS devices

Created On 02/22/23 02:14 AM - Last Modified 08/10/24 02:37 AM


Symptom


  • GlobalProtect (GP) client upgraded from 6.0.4 to 6.0.5 on an iOS device.
  • After the upgrade, the GP client fails to connect to the Portal/Gateway due to a client certificate error.
  • The error is seen in PanGPS.log:
10:36:29:097 Debug(7351): ----Portal Pre-login starts----
/snip/
10:36:29:334 Info ( 647): Server is trusted xxxxxxxx.gpcloudservice.com(xxxxxxxx.gpcloudservice.com)
10:36:29:336 Debug(1038): Received challenge NSURLAuthenticationMethodClientCertificate, queue [NSOperationQueue 0x102d26210 (QOS: USER_INITIATED)]
10:36:29:338 Debug( 742): credentialWithIdentity chain count 0
10:36:29:338 Info ( 792): Using preset identity
10:36:29:339 Info ( 895): Final identity: [xxxxxxxx.com]
10:36:29:340 Debug( 510): Unable to extract extended key usage from cert <cert(0x102a52210) s: xxxxxxxx.com i: xxxxxxxx.com>  
10:36:29:340 Error( 340): Identity <SecIdentityRef: 0x102a11db0> usage mismatch 
    KeyCertSign
)
10:36:29:340 Info ( 904): Final identity cannot be used, cancel
10:36:29:343 Error( 537): Connection error Error Domain=NSURLErrorDomain Code=-999 "Canceled" UserInfo={NSErrorFailingURLStringKey=https://xxxxxxxx.gpcloudservice.com:443/global-protect/prelogin.esp, NSLocalizedDescription=Canceled, NSErrorFailingURLKey=https://xxxxxxxx.gpcloudservice.com:443/global-protect/prelogin.esp}
/snip/
P 707-T3843  01/30/2023 10:36:29:355 Debug( 421): m_errorDetails is Client cert usage check failed.  
P 707-T3843  01/30/2023 10:36:29:355 Debug(7515): prelogin to portal result is 
(null)
P 707-T3843  01/30/2023 10:36:29:355 Debug(7839): Failed to pre-login to the portal xxxxxxxx.gpcloudservice.com with return value 0(0).


Environment


  • GlobalProtect (GP) App
  • Version 6.0.5 or later
  • iOS device


Cause


  • A key usage check for the client certificate was added in GP 6.0.5.
  • The client certificate must carry an "Extended Key Usage" extension that includes "Client Authentication" (OID 1.3.6.1.5.5.7.3.2). A certificate with no EKU at all (the log shows "Unable to extract extended key usage"), or an EKU without this OID, is rejected with "usage mismatch".
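As an added illustration (not part of the article or of the GlobalProtect code), the following stdlib-only Python decodes a DER Extended Key Usage value and applies the same rule the article describes: no EKU, or an EKU without id-kp-clientAuth, means the identity cannot be used. The EKU byte strings are constructed test vectors, and the caller is assumed to have already extracted the extension value (OID 2.5.29.37) from the certificate.

```python
from __future__ import annotations

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, the OID named in the article


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                     # short form
        return first, pos + 1
    n = first & 0x7F                     # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body: bytes) -> str:
    """Turn the base-128 content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # first two arcs are packed into one value
    return ".".join(str(x) for x in [first, arcs[0] - 40 * first] + arcs[1:])


def eku_oids(ext_value: bytes) -> list[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    if ext_value[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    seq_len, pos = _read_length(ext_value, 1)
    end, oids = pos + seq_len, []
    while pos < end:
        if ext_value[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oid_len, pos = _read_length(ext_value, pos + 1)
        oids.append(_decode_oid(ext_value[pos:pos + oid_len]))
        pos += oid_len
    return oids


def usable_for_client_auth(ext_value: bytes | None) -> bool:
    """Mirror the GP 6.0.5 rule: missing EKU or EKU without clientAuth is rejected."""
    if ext_value is None:                # "Unable to extract extended key usage"
        return False
    return CLIENT_AUTH_OID in eku_oids(ext_value)


# Constructed test vectors: EKU with serverAuth only, and with serverAuth + clientAuth.
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")
```

In practice the extension value can be pulled from a PEM file with `openssl x509 -noout -ext extendedKeyUsage`, which prints the usages by name; the parser above shows what that output is decoded from.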


Resolution


  1. Configure a client certificate whose "Extended Key Usage" extension includes "Client Authentication" (OID 1.3.6.1.5.5.7.3.2).
  2. Once that certificate is in place, the GP client connects to the Portal/Gateway normally.

