04-26-2012 12:06 PM
Hi Everyone,
I am trying to set up a demo VPN connection to an SRX box. I am able to connect to it through Pulse, but the problem I am having is that my remote client is getting the right IP with the wrong subnet mask... The mask is supposed to be /24 and it actually is /32.
Here is a paste of some of the SRX config:
SRX# show access
profile remote_access_profile {
    client user1{
        firewall-user {
            password "$9$hbfclM7Nb4aU7-UHq.zF9Ap0BE"; ## SECRET-DATA
        }
    }
    client user2{
        firewall-user {
            password "$9$1tsIcl8LNs2a8XaUjif5369ApB"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile remote_access_profile;
    }
    web-authentication {
        default-profile remote_access_profile;
        banner {
            success "Authorized Users Only!";
        }
    }
}
Here is a paste of my client IP:
IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
I would appreciate any suggestions.
04-26-2012 12:20 PM - edited 04-26-2012 12:21 PM
Hi there,
Firstly, what JunOS version are you running? Your config looks good; there are several issues with Dynamic VPN on different code versions.
Can you try and config as follows as a test:
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
        }
    }
}
I have a similar config to yours working on JunOS 11.1 R4.4.
04-26-2012 12:33 PM - edited 04-26-2012 12:35 PM
Hello,
Thanks for replying.
I have the latest version running on the SRX - 12.1R1.9 - I got it updated yesterday.
Also, I just added the low and high limit for the dhcp pool, and I was having the same problem before that, too.
04-26-2012 12:45 PM
As your config seems good, this could be a bug in the new code.
I would downgrade to 11.1 R4.4 which is a stable release and go from there.
This is my Dynamic VPN running on the above version:
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 192.168.20.0/26;
            xauth-attributes {
                primary-dns 192.168.1.200/32;
            }
        }
    }
}
IPv4 Address. . . . . . . . . . . : 192.168.20.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . :
04-26-2012 01:06 PM - edited 04-26-2012 01:20 PM
Sure,
I will try that and let you know what happens.
I kind of doubt it though - this would be a major failure - you would think that a new version would only fail in minor areas...
04-27-2012 01:03 AM
Juniper fails in many areas.....all the time
05-02-2012 08:16 AM
I guess that's what the problem was.
I have downgraded to 11.1 and I am getting the right subnet mask...
05-02-2012 08:21 AM
Thought as much, the Dynamic VPN stuff is extremely buggy in my experience.
05-03-2012 07:10 AM
In this case, do businesses really buy Juniper stuff for VPN solutions?
I kind of wonder whether it will really be worth working on this project and getting a little deeper into Juniper altogether...
05-03-2012 07:19 AM
The Junos recommended release version is 10.4 R9.2 at the minute, so you shouldn't have any issues on that version. I wouldn't use anything other than a recommended release version for the front end of a business.
I have various types of VPN working on 10.4 R7.5, just haven't updated yet: dial-in VPNs, site-to-site VPNs etc., all work well.