Summary:
- The GP certificate was changed and users are getting "decrypt-error" when connecting to the GP Internal Gateway (see screenshot).
- We reviewed the Portal config and found that the old intermediate cert was still being used.
- We added the new intermediate certificate under Network/Portal/Agent and deleted the old intermediate certificate.
- That didn't fix the issue.
We don't "decrypt" anything and I have no idea why this is happening.
We learn more as we go along...
The user IDs for all users connecting to the Internal gateway on vsys3 were not being learnt by the firewall.
Hence all the traffic that was supposed to be processed by the firewall based on User-IDs on vsys3 was failing.
It has to be noted that the User-ID problem is only for Internal users connecting to the Internal gateway.
User-ID is enabled on the zone. The User-ID information just isn't being learned by the firewall???
Decrypt errors are just GlobalProtect failing to connect because the certificates don't match (GP uses SSL for its portal config, so that needs to be negotiated and decrypted), so that error is to be expected.
- Did you also change the certificate on the gateway(s)?
- Did you cover all the spots where certificates are used (did you update the existing profiles with the new cert, or did you create a new one and manually replace the old profile)?
- Did you remove the old certificate to prevent any 'collisions'?
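An added check, not part of this thread, that a practitioner can run against the certificate each portal and gateway actually presents after the swap: it confirms the leaf was issued by the intended intermediate and that the full chain verifies to the root, and it separates the "old intermediate still configured" case from a chain that fails for some other reason (for instance a re-keyed intermediate under the same name). It assumes `openssl` is on PATH; the host names and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the certificate a GP portal
# or gateway presents chains to the intended (new) intermediate and root.
# Assumes `openssl` is on PATH. File names and host names are placeholders.

# Subject / issuer of a PEM certificate, without the "subject=" / "issuer=" prefix.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# verify_chain LEAF.pem INTERMEDIATE.pem ROOT.pem
#   returns 0  leaf issued by INTERMEDIATE and the chain verifies to ROOT
#   returns 1  leaf's issuer name is not INTERMEDIATE's subject: the endpoint
#              (or the profile on the firewall) still carries another intermediate
#   returns 2  names line up but the signature/chain check fails, e.g. the
#              intermediate was re-keyed under the same name or ROOT is wrong
verify_chain() {
  leaf=$1; inter=$2; root=$3
  issuer=$(cert_issuer "$leaf"); subject=$(cert_subject "$inter")
  if [ "$issuer" != "$subject" ]; then
    echo "MISMATCH: '$leaf' was issued by '$issuer', not by '$subject'" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: '$leaf' does not verify via '$inter' to '$root'" >&2
    return 2
  fi
  echo "OK: $(cert_subject "$leaf") -> $subject -> $(cert_subject "$root")"
}

# fetch_leaf HOST PORT OUT.pem
# Saves the certificate a live endpoint presents, so the same check can be run
# against the portal and every gateway the new certificate was meant to reach.
fetch_leaf() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# Typical use (placeholder hosts; every endpoint should pass with the NEW intermediate):
#   fetch_leaf gp-portal.example.com 443 portal.pem
#   fetch_leaf gp-gw-internal.example.com 443 gw.pem
#   verify_chain portal.pem new-intermediate.pem root.pem
#   verify_chain gw.pem new-intermediate.pem root.pem
```

Run the `verify_chain` step once per endpoint (portal plus each gateway) and once per certificate profile exported from the firewall; an endpoint that returns 1 is the one still serving the old intermediate.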