Unable to connect the Terminal server agent after upgrading the firewall to 10.1.3
Created On 05/22/22 06:57 AM - Last Modified 02/17/23 02:39 AM
Symptom
Unable to connect the Terminal server agent after upgrading the firewall to 10.1.3
Environment
- Palo Alto Firewall
- PAN-OS upgraded to 10.1.x
- Terminal Server agent
Cause
- Starting with PAN-OS 10.0, the firewall-to-terminal server agent connection has the same level of security checks as the User ID Agent (UIA).
- The firewall performs additional key usage and CN (Common Name) validations on the certificate provided by the terminal server agent.
- If they are different, the useridd log (less mp-log useridd.log) indicates that the CN on the certificate is different from the host name configured on the firewall:
debug: pan_user_id_perform_cn_validations(pan_user_id_ssl.c:1021): pan_user_id_perform_cn_validations failed
Error: pan_user_id_tsa_verify_def_cert_cb(pan_user_id_tsa.c:381): pan_user_id_perform_cn_validations failed
Resolution
Update the certificate and firewall config to reflect the same CN (Common Name).
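To confirm the match before or after changing either side, the following added example (not from the original article or from Palo Alto Networks) reads the CN from a PEM export of the TS agent certificate with openssl and compares it with the host name entered on the firewall. The certificate path and host name are placeholders, and treating anything other than exact string equality as a mismatch is an assumption of this check.

```shell
#!/bin/sh
# Added example: compare the CN of a TS agent certificate (PEM export) with
# the host name configured for that agent on the firewall.
# Usage: sh check_tsa_cn.sh <cert.pem> <configured-host>   (placeholder names)

# Print the subject Common Name of the first certificate in a PEM file.
# Prints nothing if the file is unreadable or the subject has no CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the key usage extensions so they can be reviewed alongside the CN.
# The article does not list the required values, so nothing is enforced here.
cert_key_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Key Usage'
}

# Return 0 when the certificate CN equals the configured host name, 1 otherwise.
check_tsa_cn() {
    cert=$1
    configured=$2
    cn=$(cert_cn "$cert")
    if [ -z "$cn" ]; then
        echo "FAIL: no CN found in $cert"
        return 1
    fi
    if [ "$cn" = "$configured" ]; then
        echo "OK: CN '$cn' matches configured host '$configured'"
        return 0
    fi
    # Assumption: short name vs FQDN, or a case-only difference, is reported
    # as a mismatch so it gets reviewed before the upgrade.
    echo "FAIL: CN '$cn' differs from configured host '$configured'"
    return 1
}

# Run the check only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_tsa_cn "$1" "$2"
fi
```

Run it against the leaf certificate the TS agent presents, not a root or intermediate certificate; openssl reads only the first certificate in the file.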
Additional Information
- Configure Terminal Server Agent
- See also: 10.1.5 addressed issues (PAN-184047) - Fixed an issue where Terminal Service agent (TS agent) connections with a certificate profile and the certificate chain on the TS agent failed. This occurred because common name validation and key usage checks were being performed on the root or intermediate certificate.