05-13-2012 09:00 PM
I have a pair of MAG6611 set up as an active/active cluster. The software version is Secure Access 7.2R1.1.
I have configured VPN Tunneling for users for remote access and it works.
But there's a problem when I'm using JUNOS Pulse client version 3.0R1.1: after connecting to the SSL VPN, I experience a delay of between 30sec and 1min before being able to access or ping a host in the remote network.
I have verified the routing table on the client PC; the client PC received the route to the remote network after connecting to the SSL VPN.
I have not experienced this problem when using JUNOS Pulse client version 2.1R4. I'm able to access the host nearly instantly after connecting to the SSL VPN.
I have not made any changes to the cluster.
Could anyone share some ideas on how to troubleshoot this issue?
05-13-2012 11:12 PM
Is this happening on any specific operating system as in Windows 7, Windows XP etc?
Is this seen by all the users, or is this a global effect?
When you say - you are trying to access certain resource and it takes 30 seconds - may I know if it's with all individual resource or is it only until you access the first resource behind the SA?
05-13-2012 11:23 PM
Are you able to consistently reproduce the problem?
If "YES" - I would suggest you open a JTAC ticket for the same side-by-side.
I would also say - please ensure you don't have any other third-party VPN clients on your machine. If you do have any applications along with the Pulse app - please try to uninstall all the other VPN apps and install Pulse first to check if that helps.
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks
05-14-2012 12:57 AM
I have been testing it on Windows 7 and Mac OS X Lion 10.7.3. When I use the JUNOS Pulse 3.0 R1.1 client, I experience the connection delay issue. It only happens when I try to access the first resource behind the SA; accessing subsequent resources does not have any connection issue.
05-16-2012 01:27 PM
I am having the exact same issue as well. Any update from JTAC on the issue?
05-31-2012 09:57 AM
We are having the same issue with 7.2r1.1 and the MAG2600, have tested with multiple machines all running Windows 7 Professional 64-bit. We will open a JTAC case as well.
05-31-2012 11:15 AM
I already resolved this issue.
Open the below ports on the firewall from Untrust to SSL-VPN Zone...
From SSL-VPN Guide:
For VPN tunneling to communicate, the following ports must be open:
- UDP port 4242 on loopback address
- TCP port 443
- If using ESP mode, the UDP port configured on the Secure Access Service (default is UDP 4500).
Pg # 740
From my previous post:
I just opened port 4500 UDP on the firewall from Untrust to SSL-VPN.
Actually the problem is with the JunosPulse Client v3 fallback from ESP to SSL tunnel.
The previous version, v2.1, switches quickly from ESP to SSL as fallback, but in v3 they have some delay.
It's up to you to either switch your connection profile from ESP to SSL, or keep ESP and open port 4500 UDP.
VPN Tunneling Connection Profiles > "Connection Profile name"
ESP (maximize performance) "Required port 4500 UDP to open on the Firewall"
SSL (maximize compatibility) "work with port 443"
JunosPulse Version 2.1.x did not support ESP actually. It's a new feature of IVE 7.2 and Pulse 3.
Let us know if you have any query.
05-31-2012 11:33 AM
From the Release Note:
ESP Transport Mode (Junos Pulse Secure Access Service/SSL VPN)
Junos Pulse 3.0 on Microsoft Windows now includes support for SSL VPN ESP transport mode. UDP-based ESP transport mode provides higher throughput than the TCP-based SSL transport mode. Juniper’s dual-transport Junos Pulse client will attempt to establish the VPN tunnel over ESP transport mode by default. If this is unsuccessful, Junos Pulse will automatically attempt to set up the tunnel over SSL. A newly introduced administrative option in Pulse Secure Access Service (SSL VPN) 7.2 allows administrators to prevent the failover from ESP to SSL transport mode. If the administrator option is enabled, Junos Pulse attempts to connect only via the ESP transport mode.