SSL VPN
Contributor
after1
Posts: 69
Registered: 06-04-2010
0

NC Transport mode: ESP & SSL

I've configured "Connection Settings" under Resource Policies to use transport mode as ESP. How come some users are still using SSL? Any ideas?

Moderator
zanyterp
Posts: 2,276
Registered: 11-19-2007
0

Re: NC Transport mode: ESP & SSL

They are not able to keep the connection up on UDP 4500. This is typically due to firewall policies between the user & the SA appliance.
Contributor
after1
Posts: 69
Registered: 06-04-2010
0

Re: NC Transport mode: ESP & SSL

How can it be? I've opened port 4500 UDP on the firewall, plus some sessions are using ESP while others are using SSL mode.

Moderator
AJA
Posts: 130
Registered: 05-07-2010
0

Re: NC Transport mode: ESP & SSL

The NC client is capable of dual protocol - ESP and SSL.

If the NC client is unable to connect over ESP, then it falls back to SSL.

In this case, if you have other users on ESP sessions, this means the IVE is serving the ESP requests to the clients.

We need to focus on the network / client components of those few users who are seeing this problem.

If you have opened UDP 4500 on your firewall, I believe there could be a personal firewall installed on these client machines which could be contributing to this problem. Please try and disable any third-party VPN clients and personal firewalls from the computers and also, for a test, you could disable the AV once and test NC if you are ok with it and then enable it back whenever required.

Hope the above helps.

Moderator
zanyterp
Posts: 2,276
Registered: 11-19-2007
0

Re: NC Transport mode: ESP & SSL

Sorry for misreading the initial; it looked like all users were unable to make the ESP connection.

With it being only some, there are still firewalls at the user side (both physical and software) that could cause problems; other VPNs, as mentioned by AJA, could cause problems; sometimes AV software can prevent the connection.

For the users connecting with SSL, does it happen 100% of the time or only in specific locations?
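One way to answer that last question from session data, as an added example that is not from this thread or from Juniper: the session records below are constructed (user, client IP, transport), not real IVE log output, and the script groups them per user and per source /24 to separate "always falls back to SSL" (points at the client machine) from "only from certain networks" (points at a firewall on that path blocking UDP 4500).

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample session records, not real NC/IVE log lines:
# (username, client source IP, transport negotiated for the session)
SESSIONS = [
    ("alice", "10.1.5.20", "ESP"),
    ("alice", "10.1.5.20", "ESP"),
    ("bob", "10.1.5.31", "ESP"),
    ("bob", "203.0.113.7", "SSL"),
    ("bob", "203.0.113.7", "SSL"),
    ("carol", "198.51.100.4", "SSL"),
    ("carol", "198.51.100.4", "SSL"),
    ("carol", "198.51.100.4", "SSL"),
    ("dave", "198.51.100.9", "SSL"),
    ("dave", "10.1.5.44", "ESP"),
]


def _ssl_ratio(sessions, key):
    """Fraction of sessions on SSL, grouped by key(user, ip) -> group label."""
    counts = defaultdict(lambda: [0, 0])  # group -> [ssl sessions, total sessions]
    for user, ip, transport in sessions:
        group = key(user, ip)
        counts[group][1] += 1
        if transport.upper() == "SSL":
            counts[group][0] += 1
    return {g: ssl / total for g, (ssl, total) in counts.items()}


def ssl_ratio_per_user(sessions):
    return _ssl_ratio(sessions, lambda user, ip: user)


def ssl_ratio_per_network(sessions, prefixlen=24):
    # Collapse client IPs to their /prefixlen so one site/NAT shows up as one group.
    return _ssl_ratio(sessions, lambda user, ip: str(ip_network(f"{ip}/{prefixlen}", strict=False)))


def classify(sessions, prefixlen=24):
    """Sort users by how often they fall back, and flag source networks where
    every session fell back to SSL (ESP over UDP 4500 likely blocked on that path)."""
    per_user = ssl_ratio_per_user(sessions)
    per_net = ssl_ratio_per_network(sessions, prefixlen)
    return {
        "always_ssl": sorted(u for u, r in per_user.items() if r == 1.0),
        "mixed": sorted(u for u, r in per_user.items() if 0.0 < r < 1.0),
        "always_esp": sorted(u for u, r in per_user.items() if r == 0.0),
        "suspect_networks": sorted(n for n, r in per_net.items() if r == 1.0),
    }


if __name__ == "__main__":
    print(classify(SESSIONS))
```

In the constructed data, bob and dave reach ESP from 10.1.5.0/24 but fall back from the other networks, so those paths are the place to look for UDP 4500 filtering, whereas carol never gets ESP from a single network and is a candidate for a client-side (personal firewall, AV, other VPN client) check.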

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.