
Gateway's fingerprint changes randomly during an SSL VPN

Hello friends,

We are facing a very odd behaviour with a customer gateway related to an SSL VPN with SNX and I'd like to get some feedback from you.

Sometimes, at the beginning of the connection, we get a "Gateway fingerprint verification failed. Please contact your system administrator" and the connection attempt is terminated (see attached image).

In other situations, some users are able to connect successfully, but after some random time (something between 10 minutes and 2 hours) a popup window is shown with "Gateway's fingerprint has changed..." (see attached image) and the connection is broken after the user clicks yes (or no). This keeps happening systematically with several users, but not all.

What is very odd:

- This seems to have been initiated after a URL change in the Mobile Access portal, e.g. changed from vpn123.acme.com to vpn.acme.com. As the certificate configured is a wildcard (e.g. *.acme.com), there was no need to swap it for another one.

- The old fingerprint, which is the correct fingerprint, is exactly the same as the one shown in the gateway properties, Mobile Access > Portal config.

- The new fingerprint appears to be random (we got at least 3 fingerprint values). I searched for them in GuiDBEdit, but there isn't any gateway associated with them.

- Reverting the URL back to the old configuration doesn't solve the problem.

- Some users never get the problem.

We already have an SR opened with TAC, but if anyone has run into this in the past, I'd really like to hear from you.

 

Best regards

[Attached images: old-new-fingerprint.png, fingerprint-verification-error.png]

 

1 Reply
Admin

The only reason I can see the fingerprint changing is: the gateway certificate changes, or there is a "man in the middle" performing HTTPS Inspection that is presenting a new certificate to the client.
Since you've confirmed it's not the former, it must be the latter.
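
One way to test the diagnosis in the reply above from an affected user's network path, as an added example that is not part of the original thread: record the certificate the client actually receives, hash it, and poll for samples that differ from a reference. It assumes the reference is the SHA-256 of a certificate captured from a user who never sees the problem (not the fingerprint string shown in the gateway properties); the function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
import socket
import ssl
import time


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER) this client is actually served.

    Verification is disabled on purpose: the goal is to record whatever is
    presented, including a certificate re-signed by an inspection device.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def watch_fingerprint(fetch, expected_fp: str, samples: int, interval: float = 0.0):
    """Poll fetch() and return (sample_index, fingerprint) for every deviation."""
    deviations = []
    for i in range(samples):
        fp = cert_fingerprint(fetch())
        if fp != expected_fp:
            deviations.append((i, fp))
        if interval and i < samples - 1:
            time.sleep(interval)
    return deviations


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for captured DER certificates.
    gateway = b"constructed-gateway-cert"
    proxy = b"constructed-inspection-proxy-cert"
    feed = iter([gateway, gateway, proxy, gateway])
    for index, fp in watch_fingerprint(lambda: next(feed), cert_fingerprint(gateway), 4):
        print(f"sample {index}: unexpected certificate {fp}")
    # Live use with the hostname from the post:
    #   watch_fingerprint(lambda: fetch_presented_cert("vpn.acme.com"), ref, 120, 60)
```

Any deviating sample can be saved with `ssl.DER_cert_to_PEM_cert` and its issuer compared against the CA that signed the wildcard certificate.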