SRX Services Gateway
Contributor
Ivo
Posts: 14
Registered: 03-14-2012
Accepted Solution

Pulse Clients Getting Wrong Subnet Mask

Hi Everyone,

 

I am trying to set up a demo VPN connection to an SRX box. I am able to connect to it through Pulse, but the problem I am having is that my remote client is getting the right IP with the wrong subnet mask... The mask is supposed to be /24 and it actually is /32.

 

Here is a paste of some of the SRX config:

 

SRX# show access
profile remote_access_profile {
    client user1 {
        firewall-user {
            password "$9$hbfclM7Nb4aU7-UHq.zF9Ap0BE"; ## SECRET-DATA
        }
    }
    client user2 {
        firewall-user {
            password "$9$1tsIcl8LNs2a8XaUjif5369ApB"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile remote_access_profile;
    }
    web-authentication {
        default-profile remote_access_profile;
        banner {
            success "Authorized Users Only!";
        }
    }
}

 

Here is a paste of my client IP:

IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

 

I would appreciate any suggestions.
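
Added example, not part of the original post: a Python check that compares what the client reports with the pool defined on the SRX, flagging the /32-versus-/24 mismatch described above. The function names are hypothetical and the sample strings are constructed from the config and client output quoted in the post.

```python
import ipaddress
import re

# Constructed sample input, shaped like the pool config and client output quoted above.
POOL_CONFIG = """
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
"""
CLIENT_OUTPUT = """
IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

def parse_pool(config):
    """Return (network, low, high) from an address-assignment pool stanza."""
    net = ipaddress.ip_network(re.search(r"network\s+(\S+);", config).group(1))
    low = re.search(r"low\s+(\S+);", config)
    high = re.search(r"high\s+(\S+);", config)
    # Without an explicit range, fall back to the usable hosts of the network.
    lo = ipaddress.ip_address(low.group(1)) if low else net.network_address + 1
    hi = ipaddress.ip_address(high.group(1)) if high else net.broadcast_address - 1
    return net, lo, hi

def parse_client(output):
    """Return (address, prefix_length) from Windows ipconfig-style lines."""
    ip = re.search(r"IP(?:v4)? Address[ .]*:\s*([\d.]+)", output).group(1)
    mask = re.search(r"Subnet Mask[ .]*:\s*([\d.]+)", output).group(1)
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return ipaddress.ip_address(ip), prefix

def check_lease(config, output):
    """List mismatches between the pool definition and what the client got."""
    net, lo, hi = parse_pool(config)
    addr, prefix = parse_client(output)
    problems = []
    if not lo <= addr <= hi:
        problems.append(f"{addr} is outside pool range {lo}-{hi}")
    if prefix != net.prefixlen:
        problems.append(f"client mask is /{prefix}, pool network is /{net.prefixlen}")
    return problems
```

Calling `check_lease(POOL_CONFIG, CLIENT_OUTPUT)` returns a list of findings; an empty list means the address and mask agree with the pool.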

Distinguished Expert
MMcD
Posts: 628
Registered: 07-20-2010

Re: Pulse Clients Getting Wrong Subnet Mask


Hi there,

 

Firstly, what JunOS version are you running? Your config looks good; there are several issues with Dynamic VPN on different code versions.

 

Can you try to configure it as follows as a test:

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
        }
    }
}

I have a similar config to yours working on JunOS 11.1 R4.4.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Contributor
Ivo
Posts: 14
Registered: 03-14-2012

Re: Pulse Clients Getting Wrong Subnet Mask


Hello,

 

Thanks for replying.

 

I have the latest version running on the SRX - 12.1R1.9 - I got it updated yesterday.

 

Also, I just added the low and high limit for the DHCP pool, and I was having the same problem before that, too.

Distinguished Expert
MMcD
Posts: 628
Registered: 07-20-2010

Re: Pulse Clients Getting Wrong Subnet Mask

As your config seems good, this could be a bug in the new code.

 

I would downgrade to 11.1 R4.4 which is a stable release and go from there. 

 

This is my Dynamic VPN running on the above version:

 

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 192.168.20.0/26;
            xauth-attributes {
                primary-dns 192.168.1.200/32;
            }
        }
    }
}

IPv4 Address. . . . . . . . . . . : 192.168.20.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . :

Contributor
Ivo
Posts: 14
Registered: 03-14-2012

Re: Pulse Clients Getting Wrong Subnet Mask


Sure,

 

I will try that and let you know what happens.

 

I kind of doubt it though - this would be a major failure - you would think that a new version would only fail in minor areas...

Super Contributor
mwdmeyer
Posts: 200
Registered: 03-11-2008

Re: Pulse Clients Getting Wrong Subnet Mask

Juniper fails in many areas.....all the time :)

Contributor
Ivo
Posts: 14
Registered: 03-14-2012

Re: Pulse Clients Getting Wrong Subnet Mask

I guess that's what the problem was.

 

I have downgraded to 11.1 and I am getting the right subnet mask...

Distinguished Expert
MMcD
Posts: 628
Registered: 07-20-2010

Re: Pulse Clients Getting Wrong Subnet Mask

Thought as much, the Dynamic VPN stuff is extremely buggy in my experience. 

 

 

Contributor
Ivo
Posts: 14
Registered: 03-14-2012

Re: Pulse Clients Getting Wrong Subnet Mask

In this case, do businesses really buy Juniper stuff for VPN solutions?

I kind of wonder whether it will really be worth working on this project and getting a little deeper into Juniper altogether...

Distinguished Expert
MMcD
Posts: 628
Registered: 07-20-2010

Re: Pulse Clients Getting Wrong Subnet Mask

Junos recommended release version is 10.4 R9.2 at the minute, so you shouldn't have any issues on that version. I wouldn't use anything other than a recommended release version for the front end of a business.

 

I have various types of VPN working on 10.4 R7.5, just haven't updated yet; dial-in VPNs, site-to-site VPNs etc. all work well.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.