10-08-2009 06:32 AM
All I can say is this happens to us as well. Not just with this upgrade, with all upgrades. The upgrade process is broken. It always has been. Host Checker should be part of the NetConnect client, not a seperate application.
People will tell you to make sure the Installer Service is rolled out but it will not help much.
10-08-2009 06:40 AM
I've been using this SA4000 cluster for 3 years now... back as far as 5.2 releases I think, and I never had an issue like this with an upgrade. It wasn't until this last upgrade that I had to make the Host Checker / Juniper Installer Service installers available to my users publically... every other upgrade for years has been smooth, although I will admit it's only been in the past year (15 months) that I've started using Host Checker much. This change was so disruptive I'm now forced to change my upgrade schedule that I've been following for years.
Half of my users require SVW, and another quarter require Host Checker passes to log in... I agree something definitely has to be done about this shoddy automatic upgrade mechanism. I cannot perform another upgrade of the IVE if this is going to happen again; we lost too many production hours to it.
10-08-2009 06:56 AM
Again, certificates really solved a lot of problem for me.
Reallife cert with no chaining that both browsers and java has a CA cert for
10-08-2009 07:54 AM
10-08-2009 02:43 PM
I have experienced the same issues. I require role level hostchecker policies for all users. I recently tried to upgrade from 6.1R4 to 6.4R2 and experienced random users who could not log in.
The user would enter their username/password and hit submit. There would be a short paused followed by a "login denied". In the user log files on the server, it says "no roles". The users have role assignments, it's just the failure of the hostchecker policy. The "chain" from Realm -> Roles is preserved. The issue can affect some people in a role while others are fine. All my users are administrators on their machines. They are all running Windows XP SP2 will all patches. They are all running IE 7 with the VPN domain added as a trusted site. I can find no rhyme or reason to the failures.
The only solution that I have found, which has worked every single time so far, is to clear the cookies. Specifically the ones named "dana-an/" and "url_default/". If you delete those, you can login, upgrade your Host Checker and be on your way. I really hope this gets fixed. I had to rollback my upgrade from last night after my NOC got flooded with calls.
The other workarounds are rediculous. I'm not going to have my helpdesk field hundreds of calls and have to find a way to manually uninstall and reinstall hostcheckers. What a huge waste of resources. I might as well as go back to an IPSEC VPN with a thick client.
10-09-2009 06:05 AM - edited 10-09-2009 06:09 AM
I was able to provide the Host Checker installer to users by creating a new realm, linking to it on the normal sign in page, and giving everyone access to a Share that had the installers. Still a huge pain in the butt but it worked... our Support Center was flooded too.
You say you were able to fix it by clearing cookies? I know we tried that first... standard troubleshooting for any VPN user is to clear out their IE cache. Were you actually clearing everything out of IE7 (Internet Options ->Delete all under browsing history) or just those 2 specific cookies you mentioned?
Glad to hear I wasn't the only one though... this really caught me off guard.
10-09-2009 07:09 AM
I tried both methods for clearing the cookies. At first, I cleared everything from IE 7 and that worked. Then I tried just the two cookies and that worked as well.
10-09-2009 11:02 AM
I ran into one strange issue with Hostchecker not completing installation of the components. It would just hang at the hostchecker component message. It is a Winxp 64bit system.
I uninstalled and reinstalled all Juniper software on the system with no luck. It turns out the problem was with the Juniper ActiveX add-on was disabled. I enabled the component in IE7 and it started working.
I thought it was strange that even an uninstall and reinstall did not correct this.
Oh Well. At least she is now up and running again.
10-15-2009 06:32 AM
Just wanted to let everyone know-- I got confirmation from a JTAC engineer that this is a known bug in 6.4R3 (and it appears 6.5R1) and is supposedly to be fixed in 6.4R4 and 6.5R2. 6.4R4 should be out end of October.
Good to finally have a root cause, even if it is a bug.
12-03-2009 01:15 AM
6.4R4 has been out for some time now, so does anyone know if the host checker problems mentioned in this thread are fixed? I have some users having host checker issues and logs only show "no roles" with a mention of host checker failing for some unknown reason. Software version is 6.4R2.
12-03-2009 09:00 AM
I recently upgraded from a very stable 6.1R7 to 6.4R4 , just to handle 2008 Active Directory and I've had many of these same issues with my users. Users login and get denied access with the 'NoRoles" error. Seems like the process to upgrade the Hostchecker isn't working. I have a special HostChecker realm setup just to test hostchecker. I found that if it fails and the user clicks on 'Try Again" 2 or 3 times it will force the Hostchecker to get installed. It is definitely a pia...
02-08-2010 07:12 PM
Everything I've been reading here about this problem sounds very much like what our users have also been experiencing - users aren't able to log in and a NoRoles error finds it way into the logs, no rhyme or reason as to why.
Is there more info concerning a fix? Thanks for your help!
02-08-2010 09:13 PM - edited 02-08-2010 09:14 PM