Deimark

SRX and Dynamic VPN on 10.4

Hi all

I have been waiting for Junos 10.4 to get my dynamic VPN functionality on our branch SRX, as we see quite a few customers looking to implement this feature. And with the requirement for an external radius server removed in 10.4 this seems the way ahead.

However, there seem to be a few issues with this.

Basically, each SRX "should" have a default 2 user license for dynamic VPN. It doesn't show up under installed licenses cos it's "default", however, as soon as you log in as dyn user (using either pulse or access manager) you get thrown up a system alarm:

 show system alarms
1 alarms currently active
Alarm time               Class  Description
2011-03-15 10:51:30 UTC  Minor  1 Dynamic VPN requires a license

 show system license     
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           1            0           1    invalid
  ax411-wlan-ap                         1            2           0    permanent

As you can see, this is not meant to happen methinks.

I have raised a case with JTAC and to be honest, after a month and a half of either poor replies or none at all, I am trying here for some assistance.

I started using 10.4R1 which, after some config issues, seemed to work fine for pulse and access manager. There were some issues with the IKE and IPSEC SAs being cleared down after the user logged out but we could work around this. The system alarm was just a warning and although it set the alarm light on the device, it all seemed to work.

The logs showed:

Mar 15 09:45:29  test alarmd[1188]: Alarm cleared: License color=YELLOW, class=CHASSIS, reason=1 Dynamic VPN requires a license
Mar 15 09:45:29  test craftd[1189]: Minor alarm cleared, 1 Dynamic VPN requires a license
Mar 15 09:45:29  test alarmd[1188]: Alarm set: License color=YELLOW, class=CHASSIS, reason=1 Dynamic VPN requires a license
Mar 15 09:45:29  test craftd[1189]:  Minor alarm set, 1 Dynamic VPN requires a license
Mar 15 09:45:29  test chassisd[1187]: CHASSISD_IPC_UNEXPECTED_RECV: Received unexpected message from craftd: type = 4, subtype = 43
Mar 15 09:45:29  test alarmd[1188]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired

This says to me there is a bug in the software where the default licenses are not being read or applied correctly. As it's only a warning alarm I persevered and stuck with it.

Then 10.4R2.7 came out and I thought "hey" this may fix the issue.

Now with 10.4R2.7 installed, I still get the system alarm warning of an "expired" default license. My users can still log in (eventually) but they cannot connect to any resources behind the SRX.

Has anyone else had any similar issues to me here?

Has anyone got this working using any version of 10.4?

Has anyone else seen the "license expired"?

Has anyone else had any issues logging in using either pulse or access manager resulting in many prompts for username and password entry?

I know it's little consolation but if anyone here can show that they have had some similar issues I can take some solace from the fact I am not alone.

I will persevere with JTAC to get to the bottom of this but I strongly suspect that here may be my best hope for a fix.

Hope someone can help.

--
DM

JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIS-FWV, JNCIS-SSL,JNCIA-AC, JNCIA-IDP

-----------
The art of diplomacy is saying "nice doggy" til you can find a rock.
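
An added example, not part of the original post and not Juniper tooling: a Python check that parses the "show system license" table and the alarmd syslog lines quoted in the post above, flagging features whose usage exceeds the installed license count and license alarms that are set and cleared within the same second. The function names are hypothetical; the sample input is copied from the post.

```python
import re

# Sample input copied from the post above (CLI output and three of the syslog lines).
LICENSE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           1            0           1    invalid
  ax411-wlan-ap                         1            2           0    permanent
"""

SYSLOG = """\
Mar 15 09:45:29  test alarmd[1188]: Alarm cleared: License color=YELLOW, class=CHASSIS, reason=1 Dynamic VPN requires a license
Mar 15 09:45:29  test alarmd[1188]: Alarm set: License color=YELLOW, class=CHASSIS, reason=1 Dynamic VPN requires a license
Mar 15 09:45:29  test alarmd[1188]: LICENSE_EXPIRED: License for feature dynamic-vpn(55) expired
"""

# feature, used, installed, needed, expiry (header lines do not match: no digits in column 2)
ROW = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
ALARM = re.compile(r"^(\w{3}\s+\d+ [\d:]{8})\s+\S+ alarmd\[\d+\]: "
                   r"Alarm (set|cleared): License .*reason=(.*)$")
EXPIRED = re.compile(r"alarmd\[\d+\]: LICENSE_EXPIRED: License for feature (\S+?)\(\d+\) expired")

def license_shortfalls(text):
    """Return {feature: (used, installed, expiry)} where used exceeds installed."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) > int(m.group(3)):
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)), m.group(5))
    return out

def license_log_findings(text):
    """Return (features logged as expired, alarms both set and cleared in one second)."""
    expired, events = set(), {}
    for line in text.splitlines():
        if (m := EXPIRED.search(line)):
            expired.add(m.group(1))
        elif (m := ALARM.match(line)):
            # Key on (timestamp, reason) so a set/cleared pair in the same second shows as a flap.
            events.setdefault((m.group(1), m.group(3)), set()).add(m.group(2))
    flapping = sorted(k for k, v in events.items() if v == {"set", "cleared"})
    return expired, flapping

if __name__ == "__main__":
    print(license_shortfalls(LICENSE_OUTPUT))
    print(license_log_findings(SYSLOG))
```
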
Deimark

Re: SRX and Dynamic VPN on 10.4

Oops, forgot to add that when I install a 5 user eval license for dynamic VPN, the system alarm goes away but the ongoing technical issues remain.

--
DM
junostim

Re: SRX and Dynamic VPN on 10.4

Hi Deimark,

As far as I know everyone has the same issues as you. It seems Dynamic VPN is just not ready for production use.

I have the same issues as you list.

  • SA not clearing when users log out
  • Users being re-prompted for PWs
  • Alarms on licensing with the default 2 user license

For those reasons and the lack of good dual wan failover without a JUNOS Script, I have an SRX sitting on my test bench rather than in production.

Brenten

Re: SRX and Dynamic VPN on 10.4

Deimark,

I have the same issue. I have multiple different platforms of the SRX including a Dell J-SRX100. When I first opened the device I was able to see the dynamic-vpn (2 user) license and immediately ran into the same issue where the user connects and is able to access internal resources. Once the user disconnects and reconnects, they are not able to access anything past the gateway.

I have spent several weeks on the phone and email with Dell support (as they do not offer support through Juniper as an option when purchasing the system) and to no avail have I been able to resolve the issue.

Just to be sure this wasn't a Dell J-SRX issue, I tested this same issue on a Juniper SRX-220 but received the same alarms and connection issues.

I have found that rebooting the device allows for the connections to pass through the gateway and into the internal resources. The same issue persists, as soon as I disconnect and try to reconnect I am not able to go past the gateway.

I have 11.1R1.10 on the devices, so I am not able to see the license anymore when I show system licenses. I have been assured by both Dell & Juniper techs that the license exists. However, no one can explain why it does not display.

As best as I can recall, when I upgraded to 11.1R1.10 I was able to log out and back in multiple times as long as I didn't exceed the 2 user license. Then one day :POW: I just couldn't connect.

--You are NOT alone with the frustrating issue!
