SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-10-2012 10:34

    I'm new to Juniper and I need to get VPN access to three of our employees. I am currently using an SRX220h and using Junos Pulse as the VPN client. I kept getting a "Failed to get HTTP response Error 1454" when trying to log in, and the only way I've gotten it to work is to go to System Properties / Management Access and enable HTTPS on ge-0/0/0.0, which of course now opens up the ability to access my SRX from the Internet.

     

    Can I allow VPN access without allowing access to the J-Web Manager from the Internet and if so how?

     

    Thanks,

     

    David



  • 2.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-10-2012 10:53

    Hi,

     

    What is the Junos version? Have you configured management-url? In newer Junos versions, there is separation of J-Web and the Dynamic VPN page. If you want to disable J-Web, you need to add the loopback interface (lo0) under web-management.

     

    For more details, please check KB17234.

     



  • 3.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-10-2012 12:05

    I'm using 11.4R1.6 and no management-url has been setup.

     

    It looks like j-web would be disabled if I put in a loopback address, is there a way to just disable j-web on ge-0/0/0.0?

     

    I do apologize, I am really new to Juniper.

     

    Thanks,

     

    David



  • 4.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-11-2012 02:28

    Hi ,

     

    For example, if the setup is like this:

     

    # ge-0/0/0.0: untrust, with IP 100.1.1.1
    set system services web-management https interface ge-0/0/0.0
    # ge-0/0/1.0: trust, with IP 192.168.1.1
    set system services web-management https interface ge-0/0/1.0
    set system services web-management https system-generated-certificate

    No management-url is configured and lo0.0 is not included under the web-management interfaces, and ge-0/0/1.0 is your IPsec VPN external interface.

    now:

    https://100.1.1.1  DVPN Page (from external network)
    https://192.168.1.1 J-Web (from internal network)

    In this case as the management-url is not configured, with 100.1.1.1 we will not be able to connect to J-Web.

     

    As mentioned in my previous post, the following URL explains the behaviour in detail:

     

    http://www.juniper.net/techpubs/en_US/junos10.3/information-products/topic-collections/release-notes/10.3/index.html?topic-47947.html#jd0e7677

     

    If your experience is different from this one, please post your config details and web-management traceoptions output.



  • 5.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-11-2012 23:27

    Dynamic VPN is always enabled on the IKE external gateway interface. If there are any interfaces configured under http/https, then J-Web will be enabled only on those interfaces.

     

    Case 1: J-Web and dynamic VPN do not share the same interface

     

    set system services web-management https system-generated-certificate
    # ge-0/0/5.0 has IP 90.90.4.1
    set system services web-management https interface ge-0/0/5.0
    # ge-0/0/4 has IP 80.80.80.1
    set security ike gateway CLIENT1 external-interface ge-0/0/4

     

    As per above configuration, Jweb is enabled on ge-0/0/5 and DVPN is enabled on ge-0/0/4

     

    https://90.90.4.1------>Jweb page
    https://80.80.80.1------>Dynamic vpn page

     

    Case 2: J-Web and dynamic VPN do share the same interface.

     

    Without management url configured,
    ===========================
    set system services web-management https system-generated-certificate
    # ge-0/0/5 has IP 90.90.4.1
    set system services web-management https interface ge-0/0/5
    set system services web-management https interface ge-0/0/4
    # ge-0/0/4 has IP 80.80.80.1
    set security ike gateway CLIENT1 external-interface ge-0/0/4

     

    https://90.90.4.1-------->Jweb page
    https://80.80.80.1------>Dynamic vpn

     

    With management url configured,
    ===========================
    set system services web-management https system-generated-certificate
    # ge-0/0/5 has IP 90.90.4.1
    set system services web-management https interface ge-0/0/5
    set system services web-management https interface ge-0/0/4
    # ge-0/0/4 has IP 80.80.80.1
    set security ike gateway CLIENT1 external-interface ge-0/0/4
    set system services web-management management-url web

     

    https://90.90.4.1------------>Jweb page

    https://80.80.80.1---------->DVPN page

    https://80.80.80.1/web----->JWeb page

     

    Thanks,
    Deebika
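
    The interface rules described in posts 4 and 5 can be checked offline against an exported set-format configuration. The script below is an added example, not code from the posters or from Juniper; the function names and the sample input are assumptions, and it models the behaviour as the replies describe it, not what a particular Junos release actually does.

```python
import re

# Constructed sample based on the thread's "Case 2, with management url"
# commands (interface names only, no addresses).
SAMPLE_CONFIG = """\
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/5.0
set system services web-management https interface ge-0/0/4
set security ike gateway CLIENT1 external-interface ge-0/0/4
set system services web-management management-url web
"""

WEB_IF = re.compile(r"^set system services web-management https? interface (\S+)")
IKE_IF = re.compile(r"^set security ike gateway \S+ external-interface (\S+)")
MGMT_URL = re.compile(r"^set system services web-management management-url (\S+)")

def unit(name):
    """Normalize ge-0/0/4 to ge-0/0/4.0 so both spellings compare equal."""
    return name if "." in name else name + ".0"

def audit(config_text):
    """Map each interface to what its web root serves and where J-Web lives."""
    web, ike, mgmt_url = set(), set(), None
    for line in config_text.splitlines():
        line = line.strip()
        if m := WEB_IF.match(line):
            web.add(unit(m.group(1)))
        elif m := IKE_IF.match(line):
            ike.add(unit(m.group(1)))
        elif m := MGMT_URL.match(line):
            mgmt_url = m.group(1)
    report = {}
    for ifname in sorted(web | ike):
        if ifname in ike:
            # Dynamic VPN owns "/" here; J-Web is reachable only when the
            # interface is also under web-management and management-url is set.
            path = "/" + mgmt_url if ifname in web and mgmt_url else None
            report[ifname] = {"root": "dvpn", "jweb_path": path}
        else:
            report[ifname] = {"root": "jweb", "jweb_path": "/"}
    return report

def jweb_on_vpn_interfaces(config_text):
    """Interfaces where J-Web is reachable alongside the Dynamic VPN page."""
    return [i for i, r in audit(config_text).items()
            if r["root"] == "dvpn" and r["jweb_path"]]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print("J-Web on VPN-facing interfaces:", jweb_on_vpn_interfaces(SAMPLE_CONFIG))
```

    An empty list from jweb_on_vpn_interfaces() corresponds to the state the original poster wanted: the Dynamic VPN login page on the untrust interface with no J-Web path on it.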



  • 6.  RE: Cannot get VPN to work without allowing access to J-Web manager
    Best Answer

    Posted 04-12-2012 06:30

    I think you might be running into this bug:

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR712179

    Upgrade to 11.4R2 and I think it will work for you.



  • 7.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 04-24-2012 11:30

    Sorry for the late response, I've been gone. I upgraded to v12.1R1.9 and now I cannot access J-Web from the untrust network, which is what I wanted.

     

    Thanks for all of your responses!

     

    David



  • 8.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 07-08-2013 00:02

    Tried everything on this problem above from Juniper help and this case and also updated the resolved issue OS; still with http I get J-Web and with https I get below:

     

    Access Error: 401 -- Unauthorized

    Interface is not authorized for HTTP access

     

    Kindly suggest...



  • 9.  RE: Cannot get VPN to work without allowing access to J-Web manager

    Posted 07-08-2013 00:04

    Tried everything on this problem above from Juniper help and this opened case, also updated the resolved issue OS; still with http I get J-Web and with https I get below:

     

    Access Error: 401 -- Unauthorized

    Interface is not authorized for HTTP access

     

    Kindly suggest...