SRX

Hi Everyone,

I am trying to setup a demo vpn connection to an SRX box. I am able to connect to it through Pulse, but the problem I am having is that my remote client is getting the right ip with the wrong subnet mask... The mask is supposed to be /24 and it actually is /32

Here is a paste of some of the SRX config:

SRX# show access
profile remote_access_profile {
    client user1{
        firewall-user {
            password "$9$hbfclM7Nb4aU7-UHq.zF9Ap0BE"; ## SECRET-DATA
        }
    }
    client user2{
        firewall-user {
            password "$9$1tsIcl8LNs2a8XaUjif5369ApB"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile remote_access_profile;
    }
    web-authentication {
        default-profile remote_access_profile;
        banner {
            success "Authorized Users Only!";
        }
    }
}

Here is a paste of my client IP:

IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

I would appreciate any suggestions.

Hi there,

Firstly what JunOS Version are you running?  Your config looks good,  there are several issues with Dynamic VPN on different code versions.

Can you try and config as follows as a test:

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
        }
    }

 I have a similar config to yours working on JunOS 11.1 R4.4

Hello,

Thanks for replying.

I have the latest version running on the SRX - 12.1R1.9 - I got it updated yesterday.

Also, I just added the low and high limit for the dhcp pool, and I was having the same problem before that, too.

As you config seems good, this could be a bug in the new code.

I would downgrade to 11.1 R4.4 which is a stable release and go from there. 

This is my Dynamic VPN running on the above version:

 address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.20.0/26;
                xauth-attributes {
                    primary-dns 192.168.1.200/32;
                }
            }
        }

  IPv4 Address. . . . . . . . . . . : 192.168.20.61(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.192
 Default Gateway . . . . . . . . . :

Sure,

I will try that and let you know what happens.

I kind of doubt it though - this would be a major failure - you would thing that a new version would only fail in minor areas...

Juniper fails in many areas.....all the time 🙂

I guess that's what the problem was.

I have downgraded to 11.1 and I am getting the right subnet mask...

Thought as much, the Dynamic VPN stuff is extremely buggy in my experience. 

In this case, do businesses really buy Juniper stuff for vpn solutions?

I kind of wonder whether it will really be worth working on this project and getting a little deeper into Juniper all together...

Junos recommended release version is 10.4 R9.2 at the minute so you shouldnt have any issues on that version.  I wouldnt use anything other than a recommended release version for the front end of a business.

I have various types of vpn working on 10.4 R7.5, just havnt updated yet, dial in vpns, site to site vpns etc,  all work well.

Thanks for the info:)

Have a look here, it is updated with the Recommended Releases once they are available:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

Hello MMcD,

The recommended version for SRX240 is 11.4R6.6( updated on 31th January 2013) . The same issue is still seen in this version.So even now downgrading to 11.4R4.4 is the only solution or subnet mask of 255.255.255.255 is expected behavior ?

Thanks in advance !!

I am having the exact same problem with dynamic VPN on a SRX220.  I'm using the latest recommended release (11.4R10.3).  Has anyone found another workaround, or is 11.1 R4.4 the last release that actually has functioning VPN?

I just tried it with 11.4R4.4 and 12.1X44-D30.4

Same result:

  IPv4 Address. . . . . . . . . . . : 192.168.0.130
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :

I can't find where to download 11.1R4.4 to test it.  Does anyone have VPN working on a more recent version?

I'd a same issue with "JUNOS Software Release [12.1X44-D40.2]"

Same issue with

root@SRX24-02> show version
Hostname: SRX24-02
Model: srx240h
JUNOS Software Release [12.1X44-D35.5]

Were you able to solve this problem?

So the only way to fix the problem with wrong subnet is to downgrade my srx to junos 11.1 R4.4 ? That sounds not right... This version is like 4-5 years old, It should work correctly on Junos 12.1X44-D* as this version is recommended (and I believe stable) by Juniper.

I suggest opening a J-Tac case to have a PR opened if it is a PR case