GlobalProtect is failing HIP Certificate Checks with Error "socket error 97 (Address family not supported by protocol)"
Created On 07/26/23 15:48 PM - Last Modified 03/11/25 23:03 PM
Symptom
The HIP certificate check was failing for GlobalProtect users, and the following error message was seen in PanGPS.log:
Debug( 599): Failed to connect to ocsp.sectigo.com on 80 with return value -1 and socket error 97(Address family not supported by protocol)
Info (1421): pan_ocsp_parse_response() failed
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- GlobalProtect App
- HIP Object with Certificate check
- Certificate profile with OCSP check enabled
Cause
- OCSP Responder not reachable from the Client.
- DNS resolution failure.
Resolution
Ensure the OCSP responder is reachable from the clients.
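One way to run that check from an affected client, as an added example (not Palo Alto Networks code): it resolves the responder name and attempts a TCP connection to each returned address, separating DNS failure, an unsupported address family (errno 97 on Linux), and plain unreachability. The function names are hypothetical; the default hostname and port are those in the log line above.

```python
import errno
import socket
import sys


def classify(exc):
    """Map a socket exception to the failure classes named in this article."""
    if isinstance(exc, socket.gaierror):          # name did not resolve
        return "dns_failure"
    if isinstance(exc, OSError) and exc.errno == errno.EAFNOSUPPORT:
        return "address_family_unsupported"       # errno 97 on Linux
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "unreachable"                          # refused, no route, etc.


def check_responder(host, port=80, timeout=5.0, resolver=socket.getaddrinfo):
    """Return [(family, address, status)] for every address the host resolves to.

    `resolver` is injectable so the DNS step can be exercised offline.
    """
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:
        return [("n/a", host, classify(exc))]

    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        name = socket.AddressFamily(family).name
        try:
            # Creating the socket is where EAFNOSUPPORT is raised when the
            # client's stack lacks the family DNS returned (e.g. IPv6 off).
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            status = "reachable"
        except OSError as exc:
            status = classify(exc)
        results.append((name, sockaddr[0], status))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ocsp.sectigo.com"
    for row in check_responder(target):
        print(*row)
```

A result of `reachable` for at least one address family that the client supports means the TCP path to the responder is open; `dns_failure` or `unreachable` on every row matches the causes listed above.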
Additional Information
- For HIP objects that use the certificate check category, when the associated certificate profile has OCSP check enabled, OCSP errors are shown in PanGPS.log.
- When a certificate profile with OCSP check enabled is used for client certificate authentication, OCSP check failures are seen in the firewall's sslmgr.log, not in the GP client-side logs.