Problem summary 

When the client machine does not have the intermediate certificate in its trust store, it has to fetch and validate that certificate over the internet. The resulting delay in validation can cause a timeout during SASE client authentication.

Details

Sometimes the customer's Windows machine does not have the intermediate certificate by default (for example, the Sectigo intermediate shown below was not present in the client laptop's trust store).

The CA certificate that Titan configures under Secure Access > Portal > Gateways is "Lets-Encrypt-Int-CA" by default, and any change made there (for example, replacing it with a CA chain that contains both the root and the intermediate CA) is overwritten by Titan.

In this state (the intermediate certificate is neither present on the client machine nor pushed by VOS during registration), every time the client connects to the gateway it first has to validate the intermediate certificate over the internet and then wait for the VOS-side (IKE) validation to complete. The delay introduced by the internet lookup appears to make the client time out, even though the validation does complete on the VOS side at a later point.

Workaround

To avoid this intermediate certificate validation by the client machine, we uploaded the combined certificate (Root + Intermediate) under the same chain name, "Lets-Encrypt-Int-CA", so that it persists through the Titan publish and the intermediate certificate is received and installed on the client machine during registration.

Note: you will need to manually concatenate the certificates into one file named Lets-Encrypt-Int-CA.