Pulse Secure formerly SSL VPN
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 216
Registered: ‎08-02-2011
0 Kudos
Accepted Solution

Pulse Connection Issue

[ Edited ]

Strange problem most likely with an obvious answer.  We have a SA rule set up for access via Pulse.  When you go to the web page and click on start next to the Junos Pulse client application section, pulse launches and connects successfully.  But if you completely disconnect and then try connecting by clicking COnnect on the connection in Pulse, it fails every time with "Connection Error - Authentication rejected by server (Error:1308)."

 

Any ideas of where to start?  If we switch the same policy over to using Network Connect, it works just fine.

Super Contributor
Posts: 203
Registered: ‎04-14-2008
0 Kudos

Re: Pulse Connection Issue

Possibly you do not have all parts of pulse installed, only the minumum ones. You are probibly missing Host Checker which when you go in through the web will be performed before pulse is launched.

Try re-installing pulse on the machine from the .exe on the installers page.

 

Sam.

Contributor
Posts: 216
Registered: ‎08-02-2011
0 Kudos

Re: Pulse Connection Issue

So we uninstalled pulse and reinstalled using the full install, but are still having the same issue.  Any other ideas?

Moderator Moderator
Moderator
Posts: 75
Registered: ‎07-07-2011
0 Kudos

Re: Pulse Connection Issue

Do you find anything in the SA User Access Logs for this failed connection attempt?

Contributor
Posts: 216
Registered: ‎08-02-2011
0 Kudos

Re: Pulse Connection Issue

[ Edited ]

I found some entries in the log and they are point us to the KB article:

http://forums.juniper.net/t5/SSL-VPN/Pulse-Connection-Issue/m-p/108916/highlight/false

 

Looks like host checker and pulse is the cause.

 

 

Trusted Contributor
Posts: 123
Registered: ‎11-27-2010
0 Kudos

Re: Pulse Connection Issue

[ Edited ]

Hi Jspanitz,

 

the solution for you is probably to limit the Supported Antivirus Solutions in the HostChecker Rule. 

 

Have a Try and enable only 1-5 different Antivirus Vendors for Check.

If you then can connect without any problems try to evaluate which Antivirus Vendors do get used most by your Workforce/Customers/Partners. So you can enable Check only on those few really needed Antivirus Systems, and your problem should be solved.

 

regards

NULL 

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Pulse Connection Issue

what type of authentication are you using?

what version of pulse? SA?

Contributor
Posts: 216
Registered: ‎08-02-2011
0 Kudos

Re: Pulse Connection Issue

As per the KB article, limiting the number of AV vendors solved the problem.

 

As for the authentication type, we are using LDAP.  The version of Pulse is 2.03.11013 and the MAG was 7.1R3 but is now 7.1R4.

Contributor
Posts: 55
Registered: ‎01-12-2010
0 Kudos

Re: Pulse Connection Issue


NULL wrote:

Hi Jspanitz,

 

the solution for you is probably to limit the Supported Antivirus Solutions in the HostChecker Rule. 

 

Have a Try and enable only 1-5 different Antivirus Vendors for Check.

If you then can connect without any problems try to evaluate which Antivirus Vendors do get used most by your Workforce/Customers/Partners. So you can enable Check only on those few really needed Antivirus Systems, and your problem should be solved.

 

regards

NULL 




Not sure why the KB article number doesn't show up above, but I'm assuming the reference was to  KB21443?

 

Anyhow, do you know if it is necessary to have AV AND firewall selected, or will the issue appear when all AV are selected, but no firewalls?

 

If it affects AV checks even without the firewalls, that's yet another major problem for us...

Contributor
Posts: 216
Registered: ‎08-02-2011

Re: Pulse Connection Issue

Yes, the KB was KB21443.

 

We have each host checker rule separated out, so for us it was just the AV rule.  The firewall rule is separate as are a few others used to determine if the endpoint is a managed or unmanaged system.

 

As for the AV only check, we had ALL selected and that worked fine for Network Connect.   We removed about 1/3 of them to get Pulse working.  The approach we took, which was more time consuming for us but seems like a more secure solution, was to only allow the latest version and one version back of the AV solutions.

 

John

Trusted Contributor
Posts: 123
Registered: ‎11-27-2010
0 Kudos

Re: Pulse Connection Issue

[ Edited ]

Didn't know that this KB does exist, have had the problem since Jannuary this year but JTAC..... (2 to 4 Ticket's don't remember....).

 

KB Added on 02 September LOOOL nothing more to mention...

If those indian jtac engineers would digg better into problems and eventually also use their Lab Hardware to reproduce such bugs this issue would have been fixed long time ago....

 

@Juniper: And yes the whole HostChecker Configuration has been "Screened" directly by an JTAC .....

 

Regards,

NULL

Moderator
Posts: 14
Registered: ‎10-09-2008
0 Kudos

Re: Pulse Connection Issue

Is this a Cluster configuration ? 

 

If it is a cluster , Go to System -> configuration -> certificate -> device certificate , Map the Internal port along with VIP port on both nodes.

 

Please verify if this resolves the issue.

 

Contributor
Posts: 216
Registered: ‎08-02-2011
0 Kudos

Re: Pulse Connection Issue

In our case this is indeed an a/p cluster.  Which cert should we use when aplying the mapping?  The built in cert or the certificate authority issued cert that we use on the external vips?

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: Pulse Connection Issue

The externally trusted cert

Highlighted
Moderator
Posts: 14
Registered: ‎10-09-2008
0 Kudos

Re: Pulse Connection Issue

The SA device certificate ( certificate authority issued cert )

New User
Posts: 1
Registered: ‎01-24-2014
0 Kudos

Re: Pulse Connection Issue

[ Edited ]

I'm having the same problem and we are not using host checker.  

 

No host checker policies are defined and all my roles have "Allow all users (host checker not required)" enabled.