06-22-2012 09:20 AM
I am hoping someone could help.
We upgraded from firmware 6.3 to 7.2r2 and since then our NC doesn't work any more. However, if I roll back to 6.3 it works perfectly.
There seems to be something different in the new version that is no longer allowing us to RDP to servers.
I have compared both configs and they are both the same; I just can't work out what is going on.
JTAC even tried to log in but encountered the same problem, thus it can't be any install fault because they would have had the same install files.
06-22-2012 10:42 AM
Couple of things...
Check your NC ACL maybe?
Also, are you accessing the servers via name or IP address? If by hostname, make sure your DNS settings are intact.
Is the problem isolated to a particular role?
Is RDP the only thing you're having a problem with?
Have you tried creating a new NC profile?
06-23-2012 05:05 AM
Trace route stops at the internal IP address which is listed at Sys > NW > Internal Port > Settings.
If I do a trace route back from the client PC that I am connected on with NC, it stops at the default IP: 10.200.200.200
06-23-2012 05:11 AM
My NC ACL settings are the same on both versions, 6.3 and 7.2.
We don't use the DNS name, we connect the end points using IP addresses. I have checked that DNS server IPs are maintained throughout both firmware versions and they are.
Not sure what it could be, but NC is having problems for us on 7.2. Everything else is working perfectly fine, all realms have come up OK.
06-24-2012 01:52 PM
Under Sys > Network > NC
All I have is * under the IP Address Filter
This is back on 6.3 as I had to roll it back due to business requirements, but will be back to testing 7.2 on Tuesday.
06-24-2012 10:32 PM
Please take a client-side Network Connect log, a Wireshark capture from the NC adapter, a policy trace and a TCP dump from the SA internal port when it is on 6.3 and working.
This will help us in investigating the issue.
06-26-2012 04:57 AM
We saw a ton of issues when regression testing the 7.2R2 build, including hostchecker breaking. We determined that the 7.2R2 build is junk. Install the 7.1R10 build and you'll be much happier.
08-21-2012 02:18 AM
We would be interested to find out the root cause and find out what broke in 7.2x code as we have had a couple of similar cases but could not get the logs we need as systems were immediately rolled back. The logs required would be a system snapshot with debug logging enabled for event code ipsec at level 20 and size 20, Wireshark from NC adapter, SA TCP dump, route print output after NC connection and client-side debug log with 7.2x code, and a corresponding set of the same logs on 7.1rx code where it is working fine.
We have tried replicating this in the lab and could not replicate the same behavior, so the logs above will help.
Please do let us know when you again plan to upgrade to 7.2r3 code, we can maybe take a small downtime and troubleshoot and collect logs for engineering to debug the issue, when you plan to do that, please open a new case and inbox me the JTAC case number.
08-23-2012 06:27 AM
Hi Juniper Guy,
Could you please let me know if the NC IP pool is in a different subnet to your internal network and if you have a route on the firewall with destination as the NC IP pool subnet and gateway as the Cluster internal VIP IP (if the device is in a cluster)?
09-27-2012 11:35 PM
Not sure if you had the same issue I did, but in the Configuration -> System -> Network -> VPN Tunneling page there is a horribly worded "VPN Tunnel Server IP Address" with that weird IP address of 10.200.200.200 or something.
What this field should say is "Default gateway of Network Connect clients" or something better since there is almost no documentation for that section.
This should be the gateway of the subnet that connects the SA device to your client pool. I have no idea why they have that 10.200.200.200 or whatever IP address in there, but if you don't set it correctly, it's by some miracle that NC would even work with this version.
Let me try to clarify this..
My SA device is using 10.120.5.5 for the internal port.
Under the resource profiles for VPN tunneling, I created a connection profile, created an IP address pool using 10.120.6.2-10.120.6.254.
I set a static route in my core router that looks something like: ip route 10.120.6.0 255.255.255.0 10.120.5.5
Therefore, my VPN Tunnel Server IP Address is set to 10.120.6.1 and all is well with NC clients routing.
Hope this helps...
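A consistency check for the addressing plan described in the post above, as an added example (not part of the original post and not Juniper code). The function name and the rules it enforces are assumptions taken from that poster's working setup: the core route covers the NC pool and points at the SA internal port, and the VPN Tunnel Server IP sits in the pool's subnet but outside the leasable range.

```python
import ipaddress as ipa

def check_nc_routing(internal_port, pool_first, pool_last, tunnel_server_ip,
                     route_dest, route_mask, route_next_hop):
    """Return a list of findings; an empty list means the plan is consistent.

    Hypothetical helper: the rules mirror the setup in the forum post above,
    not a documented vendor requirement.
    """
    internal = ipa.ip_address(internal_port)
    first, last = ipa.ip_address(pool_first), ipa.ip_address(pool_last)
    tunnel = ipa.ip_address(tunnel_server_ip)
    # "ip route <dest> <mask> <next hop>" expressed as a network object
    routed = ipa.ip_network(f"{route_dest}/{route_mask}", strict=False)
    findings = []

    if first > last:
        findings.append("pool range is reversed")
    # Replies to NC clients only reach the SA if the core router has a route
    # that covers the whole pool and uses the SA internal port as next hop.
    if first not in routed or last not in routed:
        findings.append(f"route {routed} does not cover the client pool")
    if ipa.ip_address(route_next_hop) != internal:
        findings.append("route next hop is not the SA internal port")
    # The tunnel server IP must live in the routed pool subnet, but must not
    # be an address that can be handed to a client.
    if tunnel not in routed:
        findings.append(f"tunnel server IP {tunnel} is outside {routed}")
    elif first <= tunnel <= last:
        findings.append(f"tunnel server IP {tunnel} collides with the pool")
    elif tunnel in (routed.network_address, routed.broadcast_address):
        findings.append(f"tunnel server IP {tunnel} is not a host address")
    if tunnel == internal:
        findings.append("tunnel server IP duplicates the SA internal port")
    return findings

# Values quoted in the post above (working setup)
WORKING = dict(internal_port="10.120.5.5", pool_first="10.120.6.2",
               pool_last="10.120.6.254", tunnel_server_ip="10.120.6.1",
               route_dest="10.120.6.0", route_mask="255.255.255.0",
               route_next_hop="10.120.5.5")
# Same plan with the field left at the 10.200.200.200 value seen in the thread
DEFAULTED = dict(WORKING, tunnel_server_ip="10.200.200.200")

if __name__ == "__main__":
    for name, plan in (("working", WORKING), ("defaulted", DEFAULTED)):
        print(name, check_nc_routing(**plan) or "consistent")
```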
12-19-2012 12:55 AM
We also had issues with an upgrade to 7.2, we managed to deeply troubleshoot the issue with Juniper Support. As a result they released a new KB: KB26381
"[SSL VPN/MAG] Network Connect users are unable to access internal resources after upgrading to 7.2RX or higher versions"