kenlars

NC Filters and the dreaded 23791

I'm configuring filters to be applied to an NC role, and am running into a problem that maybe one of you has solved.

I'm transitioning from Nortel to Juniper, and have a number of users for whom our RADIUS server returns a "Filter-Id" attribute. What I do in my role-mapping is to assign anyone with a non-null Filter-Id to a specific role, and I then apply an NC access control policy to that role. The access control policy uses detailed rules, and applies sets of rules based on what the value of the Filter-Id attribute is.

It appears clear that the correct rules are applied to the session. I see in the user log a message that the ACL count for the session is 61 rules, which is the correct number. I also see another message immediately which says that the ACL count for the session is 0 rules, and this concerns me. NC fails to connect with the dreaded 23791 code, and the policy trace ends after the message which says what the allowable address ranges for the session are.

Anyone run into this? Any advice? Thanks -

Ken
