Application Acceleration

Integration between WXC and SA

‎01-17-2011 12:13 AM

Hi

Is there a way to integrate the SA SSL VPN 2500 series with the WXC 2600 or 3400 series? If yes, how? What are the requirements, and on which basis?

Thanks

Re: Integration between WXC and SA

‎01-18-2011 03:32 AM

Hi

The integration is really on the client side using Junos Pulse. The Junos Pulse client for Windows supports both Secure L3 VPN access and application acceleration. The termination of the L3 VPN is done in the SA and the application acceleration is terminated in the WXC device running JWOS software.

Junos Pulse is supported from IVE 7.0 release on the SA series and JWOS 6.1 release for the WXC 2600/3400. Besides the hardware you will need a concurrent user license for BOTH the SA and the WXC.

Even though Junos Pulse is the preferred unified client in a SA/WXC combination scenario, you could also use Junos Pulse only for application acceleration and the legacy Network Connect client for L3 VPN connectivity.

Hope it helps.

Regards,
Johan
Re: Integration between WXC and SA

‎02-02-2011 02:49 AM

Hi Johan

Do you know if there are any issues using an evaluation license? According to the docs it should work as normal for the 30 days of evaluation. Have you any idea if cabling might also cause the following errors (e.g. cross-over, as I have used straight-through cable to both the router and switch)? All traffic is being passed through as non-IP or non-TCP, but I am copying CIFS traffic across that test network.

The error below makes me think there could be another problem here.

Netd: 2011-02-02 11:25:36,703 [0xb1392b90] ERROR ifmgrd.ifmgr - wxioctl failed for SIOCGIFADDR

Netd: 2011-02-02 11:25:36,704 [0xb1392b90] ERROR bsdnet - removeSWPassthruFile: Unable to remove sw_passthru file

Netd: 2011-02-02 10:27:36,695 [0xb1355b90] INFO  ifmgrd.ifmgr - LinuxMRTS: Failed to Execute ip rule delete from 1.0.0.0 table mrtsbr00 2>&1
Netd: 2011-02-02 10:27:36,709 [0xb1355b90] INFO mgmt.agent - Adding: Interface: br-0/0, Destination : 0.0.0.0/0, Next-hop is 172.16.0.1
Netd: 2011-02-02 10:27:36,723 [0xb1355b90] INFO ifmgrd.ifmgr - LinuxMRTS: Failed to Execute ip route del default via 172.16.0.1 table mrtsbr00 2>&1
Netd: 2011-02-02 10:27:36,723 [0xb1355b90] INFO ifmgrd.ifmgr - Can not delete the default route in linux stack for bridge br-0/0: Error: RTNETLINK answers: No such process
Netd: 2011-02-02 10:27:36,737 [0xb1355b90] INFO ifmgrd.ifmgr - LinuxMRTS: Failed to Execute ip route del default table mrtsbr00 2>&1
Netd: 2011-02-02 10:27:36,751 [0xb1355b90] INFO ifmgrd.ifmgr - LinuxMRTS: Failed to Execute ip rule delete to 0.0.0.0/0 table mrtsbr00 priority 32765 2>&1
Netd: 2011-02-02 10:27:36,765 [0xb1355b90] INFO mgmt.agent - Adding: Interface: br-0/0, Destination : 0.0.0.0/0, Next-hop is 172.16.0.1
Netd: 2011-02-02 10:27:36,787 [0xb1355b90] INFO mgmt.agent - ADDED Mode : off LinkCap : on, AggregateSpeed = 1000000 Exclusion Filter Mode : off
Netd: 2011-02-02 10:27:36,787 [0xb1355b90] INFO mgmt.agent - QOS IS DISABLED !!!
Re: Integration between WXC and SA

‎02-02-2011 09:44 AM

Hi

No, should not be an issue with the evaluation license. I frequently use the 30 day evaluation license without issues.

Do you have a diagram of your setup?

If you deploy in-line you would need to connect the WXC so that the remote users come in via the Remote port and the servers/targets are on the Local port. Also remember that the WXC would need correct routing information to reach both the client and the servers/targets.

You can check how the device is connected by checking the ARP table in the Setup -> Network -> ARP menu.

You add routing information in the Setup -> Basic -> Bridge Interfaces -> br-0/0 menu. Click on the Local Route link/tab.

Regards,
Johan
Re: Integration between WXC and SA

[ Edited ]
‎02-06-2011 11:03 PM

Thanks for your response

So I have attached my diagram below. This is a lab setup and I am connecting from the 192.168.2.0 network, so no WAN connections. I don't suppose that should stop any adjacencies being set up. So I can connect to the server LAN and RDP there and copy files too via CIFS or Samba shares, so I suppose routing is working fine there. I have a default route to the WAN facing interface on the SSG20 FW. So LAN on WXC goes to switch and Remote is connected to the SSG20 using straight-through cables. As far as I can see this setup should just work. Now resetting to factory defaults for the 4th time.

Also, does the management have to be in the same network as the data/traffic port?

regards,

Perish

Re: Integration between WXC and SA

‎02-06-2011 11:15 PM

Hi

Are you doing any NAT in either the CP or SSG FW or is it pure L3 routing?

Regards,
Johan
Re: Integration between WXC and SA

‎02-06-2011 11:21 PM

I am doing pure L3 routing across all devices

Re: Integration between WXC and SA

‎02-06-2011 11:52 PM

I have reset all configuration and taken the SA device out of the equation. So I do a new Pulse install from https://IP/client and it succeeds, and it says ready on the WAN acceleration, but no connections are set up/shown. One interesting thing: the LCD has a NETADDR CONF:ERROR even after configuring and plugging in all interface cables.

This is what's in the log after this:

Mgmtd: 2011-02-07 07:31:26,193 [0xb478bb90] INFO  mgmt.mgr - ************ SAVE TO FILE ******************
Netd: 2011-02-07 07:31:26,230 [0xb1300b90] INFO mgmt.agent - Name: br-0/0, IP :172.16.0.2, Mask : 255.255.255.0
Netd: 2011-02-07 07:31:26,231 [0xb1300b90] INFO mgmt.agent - Adding: Interface: br-0/0, Destination : 0.0.0.0/0, Next-hop is 172.16.0.1
net-snmp[1693]: 2011-02-07 07:31:26,241 [0xb5a31b90] INFO event.svr - Event(701):Startup.cfg is saved successfully
Netd: 2011-02-07 07:31:28,169 [0xb1300b90] INFO ifmgrd.ifmgr - LinuxMRTS: Failed to Execute ip route del default table mrtsbr00 2>&1
net-snmp[1693]: 2011-02-07 07:31:28,184 [0xb5a31b90] INFO event.svr - Event(504):Wan Link down
net-snmp[1693]: 2011-02-07 07:31:28,184 [0xb5a31b90] INFO event.svr - Event(502):Lan Link down
SvcP: 2011-02-07 07:31:28,979 [0x96186b90] INFO bsdnet - wxInterfaceChangeNotifier: Interface IP is changed. Sending the notification...
SvcP: 2011-02-07 07:31:28,979 [0x96186b90] INFO bsdnet - wxInterfaceGetAllIPInfo(): Length passed : 44
net-snmp[1693]: 2011-02-07 07:31:30,185 [0xb5a31b90] INFO event.svr - Event(503):Wan Link up
net-snmp[1693]: 2011-02-07 07:31:31,186 [0xb5a31b90] INFO event.svr - Event(501):Lan Link up
net-snmp[1693]: 2011-02-07 07:31:42,689 [0xb5a31b90] INFO event.svr - Event(402):Speed matches between local and remote ineterface
net-snmp[1703]: 2011-02-07 07:32:39,561 [0xb4416b90] ERROR ifmgrd.ifmgr - wxioctl failed for SIOCGIFADDR
net-snmp[1785]: 2011-02-07 07:39:52,987 [0xb41c5b90] ERROR nstats.collector - findRemoteWXRec: ===> No match was found for adjacency = 262029573246448 ==>
net-snmp[1785]: 2011-02-07 07:39:52,987 [0xb41c5b90] ERROR nstats.collector - findRemoteWXRec: ===> No match was found for adjacency = 262029573246448 ==>
SvcP: 2011-02-07 07:40:01,750 [0x91b86b90] ERROR otoconv.sitpnfsm - ltirespwLclInitReqResendTmrExpired:Failed to process timer TNNL_FSM_LOCAL_INIT_REQUEST_TMR for Remote WX: 192.168.2.115
SvcP: 2011-02-07 07:40:01,750 [0x91b86b90] INFO otoconv.sitpnfsm - fireEventToDeleteTC: ! ADJ_DELETE_EVENT_FSM_DONE Event is fired !! and bringing down adjacency for Remote WX 192.168.2.115

 

Running: JWOS 6.1R2.1

Re: Integration between WXC and SA

‎02-09-2011 01:43 AM

Hi

Hmm... To me the environment looks like it should work, but there must be something fundamentally wrong here.

So let's get to the basics:

1) You are running JWOS 6.1R2 on a supported platform (WXC 2600, 3400 or 590)?

2) You are running Junos Pulse on a supported OS (Windows XP, Vista or 7)?

3) There are NO firewall filters in either direction through the firewalls/L3 device? Remember that the WXC appliance needs to be able to establish outbound sessions towards the client, not just from client to WXC. If possible try to remove the firewalls and just have a regular L3 router on the remote side of the WXC.

4) The WXC has the appropriate routing information configured? It knows, in the local routing table, the next hop to directly reach the target servers vs. clients.

5) The WXC is connected correctly? The Local port facing the server side and the Remote port facing the client side.

If you answer Yes to these five questions and you still can't get this to work, you need to open a TAC case to have them look further into logs, etc.

Regards,
Johan
Re: Integration between WXC and SA

‎02-10-2011 09:01 AM

Looks like number 3 was the problem. The upstream firewall did not have the ports 3577-9 open. I did not realise this until I verified this morning.

Thanks again
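
The log posted earlier in this thread shows what preceded this diagnosis: a tunnel-init timer expiring for a remote WX, followed by the adjacency being deleted. As an added example (not part of the original posts and not Juniper code), this Python parser reads lines in that format and lists remote peers showing that pair of messages; the function names and the reading of the pair as "peer never answered" are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Four lines copied from the WXC log quoted earlier in this thread.
SAMPLE_LOG = """\
net-snmp[1693]: 2011-02-07 07:31:30,185 [0xb5a31b90] INFO event.svr - Event(503):Wan Link up
net-snmp[1703]: 2011-02-07 07:32:39,561 [0xb4416b90] ERROR ifmgrd.ifmgr - wxioctl failed for SIOCGIFADDR
SvcP: 2011-02-07 07:40:01,750 [0x91b86b90] ERROR otoconv.sitpnfsm - ltirespwLclInitReqResendTmrExpired:Failed to process timer TNNL_FSM_LOCAL_INIT_REQUEST_TMR for Remote WX: 192.168.2.115
SvcP: 2011-02-07 07:40:01,750 [0x91b86b90] INFO otoconv.sitpnfsm - fireEventToDeleteTC: ! ADJ_DELETE_EVENT_FSM_DONE Event is fired !! and bringing down adjacency for Remote WX 192.168.2.115
"""

# "<proc>[pid]: <date> <time,ms> [<thread>] <LEVEL> <component> - <message>"
LINE_RE = re.compile(
    r"^(?P<proc>[\w-]+)(?:\[\d+\])?: "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"\[0x[0-9a-f]+\] (?P<level>[A-Z]+)\s+(?P<comp>\S+) - (?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"Remote WX:? (\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line):
    """Split one log line into fields; return None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Count ERROR lines per component and track tunnel state per remote peer."""
    errors = Counter()
    peers = defaultdict(lambda: {"init_timeouts": 0, "torn_down": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR":
            errors[rec["comp"]] += 1
        peer = REMOTE_RE.search(rec["msg"])
        if peer and "TNNL_FSM_LOCAL_INIT_REQUEST_TMR" in rec["msg"]:
            peers[peer.group(1)]["init_timeouts"] += 1
        elif peer and "ADJ_DELETE_EVENT_FSM_DONE" in rec["msg"]:
            peers[peer.group(1)]["torn_down"] = True
    return dict(errors), dict(peers)

def unanswered_peers(log_text):
    """Peers whose tunnel init timed out and whose adjacency was then deleted.
    Reading that pair as "peer never answered" is this example's assumption."""
    _, peers = summarize(log_text)
    return sorted(ip for ip, s in peers.items()
                  if s["init_timeouts"] and s["torn_down"])
```

A peer listed by `unanswered_peers` is a prompt to check filtering and routing on the path between the WXC and that address in both directions.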

Re: Integration between WXC and SA problems

‎03-07-2011 01:21 PM

Hi guys, me again

I seem to be struggling getting this integration going. As far as I can tell I have set up my devices this way:

A cable goes from Switch - WXC LAN int., then from WXC WAN int. - SA device. SA & WXC devices have IP and gateway on the same network as the server network. What I cannot get right is the routing between SA and the server network. I have managed to set up Pulse to connect to the SA device and then get to the SA using the internal IP, but cannot get to anything else. First of all, is this config supported at all? If not, what am I doing wrong here?

The Pulse handles the L3 VPN as well and gets a different IP range like 10.x10.11.x/24, cannot set gateway there, while I noticed all traceroutes go to a 10.200.200.200 which is set under (network-config on SA), but the documentation does clarify what an IP filter is and does not recommend I change this IP. All I need is to access the server network.

I will attach a diagram for some idea. Thanks very much, now from a frustrated techy

Re: Integration between WXC and SA problems

‎03-08-2011 12:20 AM

I think I just might have shown you how unreasoning I have become. I think since it's not inline the default router will need a route to the VPN IP range back to the SA device which knows where clients are.

My assumptions had been that the SA device would initiate connection to the servers and in turn the servers would know the route back automatically.

Re: Integration between WXC and SA problems

‎03-08-2011 12:56 AM

Hi

Yes, if you are using an "internal" IP range in the SA for L3 VPN users, your network needs routing back to this network to function properly. The other option is to have the IP range be part of the 192.168.11.0/24 network.

Good luck

Regards,
Johan
Re: Integration between WXC and SA

‎06-29-2011 08:56 AM

Thanks - that's really useful.

I'm guessing that prioritisation of traffic (such as voice) could be pushed out to Pulse clients based on how the WXC is configured?

Thanks again,

Andy

Imtech ICT
Re: Integration between WXC and SA

‎07-10-2011 05:47 AM

Hi

There is no QoS in the Junos Pulse client.

Regards,
Johan