Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Intermittent VPN Issues for some users.

    Posted 09-30-2008 14:27

    Hi, we have had a VPN running for about 1yr with no real issues.

    However, as the company has expanded, the VPN is getting used more, which has brought some issues to our attention.

    Setup:

    SSG-20 5.4R6.0

    xAuth

    Safenet Virtual Adaptor

    ADSL Interface with Static IP range.

    Our VPN works for 70% of the users with no problems, whereas other users are unable to access anything on the internal network.

    These users are able to complete the login process and the logs on the firewall show the users as being active and will give them an IP address from the pool, but they are unable to ping anything on the internal network.

    We can see requests being sent to the firewall, and then the response going back to the client. We have checked that the users are not using the same IP address range on their local networks.

    Can anyone suggest where I may be going wrong?

     

    Regards,



  • 2.  RE: Intermittent VPN Issues for some users.

    Posted 09-30-2008 21:26
    Hi James, to facilitate the discussion, could you post the total number of users in this set-up? It may have something to do with the number of concurrent sessions for the VPN. For the SSG-20, if I'm not mistaken, it is around 25 or 40 depending on the license.


  • 3.  RE: Intermittent VPN Issues for some users.

    Posted 10-01-2008 02:20

    We currently have around 20 users who are able to connect to the VPN; however, when we were testing the broken accounts there were only 4-6 people connected concurrently.



  • 4.  RE: Intermittent VPN Issues for some users.

    Posted 10-01-2008 03:13

    We have been looking at the users' laptops now that they are in the office. We have been using a 3G datacard to test the VPN connection, and this now works using the same configuration.

    It would appear this is an issue with their home networks. Are there known issues with certain types of home routers? The user in question is using a Belkin router.

     

    Thanks



  • 5.  RE: Intermittent VPN Issues for some users.
    Best Answer

    Posted 10-01-2008 22:36

    Do you have nat-traversal enabled on the SSG? If so then I would highly recommend that you do. The issue could be that the ESP packets (IP protocol 50) may be blocked either on the ISP network or the home router. Nat-traversal would encapsulate the ESP packet in a UDP 4500 packet which would likely not be blocked. Another option is to check the home-office router to see if they have any sort of IPSec pass-through feature.

     

    -Richard
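
An added example, not part of the original thread: a Python classifier for a client-side packet capture that separates native ESP (IP protocol 50) from NAT-T traffic on UDP 4500, using the RFC 3948 framing. The sample packets, addresses and function names are constructed for illustration.

```python
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO, IKE_PORT, NATT_PORT = 50, 17, 500, 4500

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by how it carries IPsec traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return "malformed"
    if pkt[9] == ESP_PROTO:
        return "native-esp"            # IP protocol 50: no ports for a NAT to track
    if pkt[9] != UDP_PROTO:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"    # one-byte NAT keepalive
        if payload[:4] == b"\x00" * 4:
            return "ike-over-natt"     # non-ESP marker precedes the IKE header
        return "udp-encapsulated-esp" if len(payload) >= 8 else "malformed"
    return "ike" if IKE_PORT in (sport, dport) else "other"

def diagnose(packets) -> str:
    """Summarise a capture: which path does the tunnel's data plane use?"""
    seen = Counter(classify(p) for p in packets)
    if seen["udp-encapsulated-esp"]:
        return "NAT-T in use: data rides in UDP 4500"
    if seen["native-esp"]:
        return "native ESP: needs IP protocol 50 passed end to end"
    if seen["ike"] or seen["ike-over-natt"]:
        return "IKE only: no data-plane packets captured"
    return "no IPsec traffic"

def ipv4(proto: int, body: bytes) -> bytes:
    # Constructed 20-byte header: checksum left at 0, documentation addresses.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + body

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return ipv4(UDP_PROTO, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

# Constructed samples: ESP = SPI 0x1000, sequence 1, dummy ciphertext; IKE = stand-in bytes.
ESP, IKE = struct.pack("!II", 0x1000, 1) + bytes(16), b"\x11" * 28
WITHOUT_NATT = [udp(500, 500, IKE), ipv4(ESP_PROTO, ESP)]
WITH_NATT = [udp(500, 500, IKE), udp(4500, 4500, b"\x00" * 4 + IKE),
             udp(4500, 4500, ESP), udp(4500, 4500, b"\xff")]
```

A client capture that shows IKE completing followed only by `native-esp` packets with no replies matches the symptom in this thread: login succeeds but nothing on the internal network answers.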



  • 6.  RE: Intermittent VPN Issues for some users.

    Posted 10-02-2008 16:16
    rkim's recommendation is something to review. Also, there's something that was brought to our attention here at work where Belkin routers are not following the RFC for DHCP. Every 30 seconds they are requesting a DHCP lease renewal and it causes all kinds of problems. The best place for the Belkins is next to that old door you have that won't stay open by itself.


  • 7.  RE: Intermittent VPN Issues for some users.

    Posted 10-05-2008 12:21

    Richard,

     

    We have now enabled NAT-Traversal and this seems to have fixed our issue.

    Two of our staff members that could not log in have informed us that this is now working. Before, neither of these users would even get the logon option.

     

    Thanks very much for your help.