SSL VPN
Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0
Accepted Solution

Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Hi, I am facing an issue with JunosPulse v3.0.1.20017 to SA v7.2R1.1 (build 20761). The VPN tunnel is getting established without any problem, but the response from the remote server (ping/telnet/ssh or http) comes after 1 minute and 30-55 seconds. Regards, Ali
Visitor
everette.denney
Posts: 3
Registered: ‎07-06-2011
0

Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

I'm seeing the same issue. How are your boxes configured? We are doing cert auth first, then LDAP.
Contributor
dark1587
Posts: 79
Registered: ‎08-01-2008
0

Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

I'm tracking this issue as well. By chance, how is the SA deployed? Is it standalone or clustered, one-armed/two-armed configuration, and is the interface behind a firewall?

---
JNCIE-SEC #69, JNCIP-ENT, JNCSP-SEC, JNCIS-SA, JNCIS-AC, JNCIA-IDP, JNCIA-WX
Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0

Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Hi everette.denney, I have only AD authentication, and the best part is that JunosPulse 2.1.4.19851 works perfectly without any delay (same configuration/authentication etc). The problem starts with JunosPulse 3.0.1.20017. Regards, Sajid
Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0

Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Hi Dark1587, I don't have any problem with JunosPulse 2.1; the problem starts with the latest version of JunosPulse 3. The SA is an HA cluster running in the DMZ (single-arm deployment). Regards, Sajid
Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0

Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

I have opened a ticket with JTech and explained the issue in a SecureMeeting session. But the problem with JTech is that the tech guys are not able to understand the problem etc. It's almost a month and they are still not able to resolve it. Regards, Sajid
Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0

Solution === Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Solution

Open the below ports on the firewall from Untrust to SSL-VPN zone...

From SSL-VPN Guide:

For VPN tunneling to communicate, the following ports must be open:

UDP port 4242 on loopback address

TCP port 443

If using ESP mode, the UDP port configured on the Secure Access Service (default is UDP 4500).

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21762&actp=search&viewlocale=en_US&searchid...

Admin Guide: http://www.juniper.net/techpubs/software/ive/admin/j-sa-sslvpn-7.2-adminguide.pdf

Pg # 740

Regards,

Sajid

Visitor
everette.denney
Posts: 3
Registered: ‎07-06-2011
0

Re: Solution === Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Thanks Sajid. I'm going to try this solution. Did you have to make changes on your endpoints? Or on the perimeter firewall? Thanks!

Contributor
sajidalisajid
Posts: 14
Registered: ‎07-08-2010
0

Re: Solution === Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Hi Everette,

I just opened a port 4500 UDP on the firewall from Untrust to SSL-VPN.

Actually the problem is with JunosPulse Client v3 fallback from ESP to SSL tunnel.

Previous version v2.1 switches quickly from ESP to SSL as fallback, but in v3 they have some delay.

It's up to you: either switch your connection profile from ESP to SSL, or keep ESP and open port 4500 UDP.

VPN Tunneling Connection Profiles > "Connection Profile name"

Connection Settings

Transport

Default is

ESP (maximize performance)  "Required port 4500 UDP to open on the Firewall"

2nd option

SSL (maximize compatibility)  "work with port 443"

Let me know if you have any query.

Regards,

Sajid
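
One way to confirm from perimeter firewall logs that a delay like the one in this thread comes from blocked ESP transport, as an added example that is not part of the original posts. The log format, the addresses and the function name are constructed for illustration; the ports are the ones quoted above (UDP 4500 for ESP, TCP 443 for SSL).

```python
from collections import defaultdict
from datetime import datetime

ESP_PORT = 4500  # default ESP-mode UDP port, per the guide quoted in the thread
SSL_PORT = 443   # SSL transport, also the fallback path

# Constructed sample in an assumed "time action proto src dst dport" format.
SAMPLE_LOG = """\
2011-07-20T09:00:01 permit tcp 198.51.100.7 203.0.113.10 443
2011-07-20T09:00:03 deny udp 198.51.100.7 203.0.113.10 4500
2011-07-20T09:00:33 deny udp 198.51.100.7 203.0.113.10 4500
2011-07-20T09:01:48 deny udp 198.51.100.7 203.0.113.10 4500
2011-07-20T09:02:10 permit tcp 198.51.100.9 203.0.113.10 443
2011-07-20T09:02:11 permit udp 198.51.100.9 203.0.113.10 4500
2011-07-20T09:03:00 deny udp 198.51.100.20 203.0.113.10 53
"""

def blocked_esp_clients(log_text, gateway):
    """Return {client: seconds between first and last denied ESP packet}
    for clients that also have a permitted SSL session to the gateway."""
    ssl_ok = set()
    drops = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # not in the assumed format
        ts, action, proto, src, dst, dport = fields
        if dst != gateway or not dport.isdigit():
            continue
        port = int(dport)
        if action == "permit" and proto == "tcp" and port == SSL_PORT:
            ssl_ok.add(src)
        elif action == "deny" and proto == "udp" and port == ESP_PORT:
            drops[src].append(datetime.fromisoformat(ts))
    # Only clients whose tunnel came up over 443 but whose ESP was dropped.
    return {
        src: (max(times) - min(times)).total_seconds()
        for src, times in drops.items() if src in ssl_ok
    }

if __name__ == "__main__":
    hits = blocked_esp_clients(SAMPLE_LOG, "203.0.113.10")
    for client, window in hits.items():
        print(f"{client}: UDP/{ESP_PORT} denied over {window:.0f}s; "
              "ESP is blocked, expect a slow fallback to SSL")
```

A client that shows up here has an established TCP 443 session but is having its ESP packets dropped, which matches the two fixes given above: permit UDP 4500 to the SA, or set the connection profile transport to SSL.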


Regular Visitor
EBailleul
Posts: 1
Registered: ‎06-27-2011
0

Re: Solution === Re: Junos Pulse 3.0.1.20017 Response Issue from SA 7.2R1.1 (build 20761)

Hi,

Version 2.1.x did not support ESP actually. It's a new feature of IVE 7.2 and Pulse 3.

b.r.

Emmanuel
