SRX Services Gateway
Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos
Accepted Solution

Pulse Clients Getting Wrong Subnet Mask

Hi Everyone,

 

I am trying to set up a demo VPN connection to an SRX box. I am able to connect to it through Pulse, but the problem I am having is that my remote client is getting the right IP with the wrong subnet mask... The mask is supposed to be /24 and it actually is /32.

 

Here is a paste of some of the SRX config:

 

SRX# show access
profile remote_access_profile {
    client user1 {
        firewall-user {
            password "$9$hbfclM7Nb4aU7-UHq.zF9Ap0BE"; ## SECRET-DATA
        }
    }
    client user2 {
        firewall-user {
            password "$9$1tsIcl8LNs2a8XaUjif5369ApB"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile remote_access_profile;
    }
    web-authentication {
        default-profile remote_access_profile;
        banner {
            success "Authorized Users Only!";
        }
    }
}

 

Here is a paste of my client IP:

IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

 

I would appreciate any suggestions.
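
An added example, not part of the original post: a Python check that compares the pool definition with the address and mask the client reports, using the pool stanza and ipconfig output from the post above as sample input. The function names are illustrative and the parsing assumes a single IPv4 pool.

```python
import ipaddress
import re

# Sample input taken from the first post's config and ipconfig output.
JUNOS_POOL = """
pool dyn-vpn-address-pool {
    family inet {
        network 172.29.2.0/24;
        range range1 {
            low 172.29.2.20;
            high 172.29.2.250;
        }
    }
}
"""
IPCONFIG = """
IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
"""

def parse_pool(cfg):
    """Return (network, lowest, highest) for the pool; the range is optional."""
    net = ipaddress.ip_network(re.search(r"network\s+([\d./]+);", cfg).group(1))
    low = re.search(r"\blow\s+([\d.]+);", cfg)
    high = re.search(r"\bhigh\s+([\d.]+);", cfg)
    lo = ipaddress.ip_address(low.group(1)) if low else net.network_address
    hi = ipaddress.ip_address(high.group(1)) if high else net.broadcast_address
    return net, lo, hi

def parse_ipconfig(text):
    """Return the adapter's address and mask as an IPv4Interface."""
    ip = re.search(r"IP(?:v4)? Address[ .]*:\s*([\d.]+)", text).group(1)
    mask = re.search(r"Subnet Mask[ .]*:\s*([\d.]+)", text).group(1)
    return ipaddress.ip_interface(f"{ip}/{mask}")

def check_lease(cfg, ipconfig_text):
    """List mismatches between the configured pool and the client's lease."""
    net, lo, hi = parse_pool(cfg)
    iface = parse_ipconfig(ipconfig_text)
    findings = []
    if not lo <= iface.ip <= hi:
        findings.append(f"address {iface.ip} outside pool range {lo}-{hi}")
    if iface.network.prefixlen != net.prefixlen:
        findings.append(f"mask /{iface.network.prefixlen} differs from pool /{net.prefixlen}")
    return findings

if __name__ == "__main__":
    for finding in check_lease(JUNOS_POOL, IPCONFIG) or ["lease matches pool"]:
        print(finding)
```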

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

[ Edited ]

Hi there,

 

Firstly, what Junos version are you running? Your config looks good; there are several issues with Dynamic VPN on different code versions.

 

Can you try to configure as follows as a test:

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
        }
    }
}

I have a similar config to yours working on Junos 11.1 R4.4.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

[ Edited ]

Hello,

 

Thanks for replying.

 

I have the latest version running on the SRX - 12.1R1.9 - I got it updated yesterday.

 

Also, I just added the low and high limit for the DHCP pool, and I was having the same problem before that, too.

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

As your config seems good, this could be a bug in the new code.

 

I would downgrade to 11.1 R4.4 which is a stable release and go from there. 

 

This is my Dynamic VPN running on the above version:

 

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 192.168.20.0/26;
            xauth-attributes {
                primary-dns 192.168.1.200/32;
            }
        }
    }
}

IPv4 Address. . . . . . . . . . . : 192.168.20.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . :

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

[ Edited ]

Sure,

 

I will try that and let you know what happens.

 

I kind of doubt it though - this would be a major failure - you would think that a new version would only fail in minor areas...

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Juniper fails in many areas.....all the time :)

Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

I guess that's what the problem was.

 

I have downgraded to 11.1 and I am getting the right subnet mask...

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Thought as much, the Dynamic VPN stuff is extremely buggy in my experience. 

 

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

In this case, do businesses really buy Juniper stuff for VPN solutions?

I kind of wonder whether it will really be worth working on this project and getting a little deeper into Juniper altogether...

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

The Junos recommended release version is 10.4 R9.2 at the minute, so you shouldn't have any issues on that version. I wouldn't use anything other than a recommended release version for the front end of a business.

I have various types of VPN working on 10.4 R7.5, just haven't updated yet: dial-in VPNs, site-to-site VPNs etc. all work well.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Ivo
Contributor
Posts: 14
Registered: ‎03-14-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Thanks for the info :)

Distinguished Expert
Posts: 673
Registered: ‎07-20-2010
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Have a look here, it is updated with the Recommended Releases once they are available:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Visitor
Posts: 4
Registered: ‎07-12-2012
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Hello MMcD,

 

The recommended version for SRX240 is 11.4R6.6 (updated on 31st January 2013). The same issue is still seen in this version. So even now, is downgrading to 11.4R4.4 the only solution, or is a subnet mask of 255.255.255.255 expected behavior?

 

Thanks in advance !!

Visitor
Posts: 2
Registered: ‎03-21-2014
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

I am having the exact same problem with dynamic VPN on an SRX220. I'm using the latest recommended release (11.4R10.3). Has anyone found another workaround, or is 11.1 R4.4 the last release that actually has functioning VPN?

Visitor
Posts: 2
Registered: ‎03-21-2014
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

I just tried it with 11.4R4.4 and 12.1X44-D30.4

Same result:

 

  IPv4 Address. . . . . . . . . . . : 192.168.0.130
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :

 

I can't find where to download 11.1R4.4 to test it.  Does anyone have VPN working on a more recent version?

Regular Visitor
Posts: 5
Registered: ‎04-27-2011
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

I had the same issue with "JUNOS Software Release [12.1X44-D40.2]"

Contributor
Posts: 286
Registered: ‎04-05-2011
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Same issue with

root@SRX24-02> show version
Hostname: SRX24-02
Model: srx240h
JUNOS Software Release [12.1X44-D35.5]

New User
Posts: 1
Registered: ‎04-13-2015
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

Were you able to solve this problem?

Contributor
Posts: 43
Registered: ‎04-07-2015
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

So the only way to fix the problem with the wrong subnet is to downgrade my SRX to Junos 11.1 R4.4? That doesn't sound right... This version is like 4-5 years old. It should work correctly on Junos 12.1X44-D*, as this version is recommended (and I believe stable) by Juniper.

Distinguished Expert
Posts: 825
Registered: ‎10-18-2009
0 Kudos

Re: Pulse Clients Getting Wrong Subnet Mask

I suggest opening a JTAC case to have a PR opened if it is a PR case.

Marc

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too