SRX Services Gateway

Pulse Clients Getting Wrong Subnet Mask

04-26-2012 12:06 PM

Hi Everyone,

I am trying to set up a demo VPN connection to an SRX box. I am able to connect to it through Pulse, but the problem I am having is that my remote client is getting the right IP with the wrong subnet mask... The mask is supposed to be /24 and it actually is /32.

Here is a paste of some of the SRX config:

SRX# show access
profile remote_access_profile {
    client user1 {
        firewall-user {
            password "$9$hbfclM7Nb4aU7-UHq.zF9Ap0BE"; ## SECRET-DATA
        }
    }
    client user2 {
        firewall-user {
            password "$9$1tsIcl8LNs2a8XaUjif5369ApB"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile remote_access_profile;
    }
    web-authentication {
        default-profile remote_access_profile;
        banner {
            success "Authorized Users Only!";
        }
    }
}

Here is a paste of my client IP:

IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

I would appreciate any suggestions.
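
An added example, not part of the original post: a small Python check that compares the mask a client reports in ipconfig-style output with the prefix length and range of the address-assignment pool on the SRX. The function names and the regex-based parsing are assumptions made for this illustration; the two inputs are the pool stanza and client output quoted in the post above.

```python
import ipaddress
import re

# Inputs copied from the first post: pool stanza and client ipconfig output.
POOL_CONFIG = """
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
            range range1 {
                low 172.29.2.20;
                high 172.29.2.250;
            }
        }
    }
}
"""
CLIENT_OUTPUT = """
IP Address. . . . . . . . . . . . : 172.29.2.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""


def parse_pool(config):
    """Return (network, low, high) from a Junos address-assignment pool stanza."""
    net = ipaddress.ip_network(re.search(r"network\s+(\S+);", config).group(1))
    rng = re.search(r"low\s+(\S+);\s*high\s+(\S+);", config)
    # No explicit range: treat the whole network as assignable.
    lo, hi = map(ipaddress.ip_address, rng.groups()) if rng else (net[0], net[-1])
    return net, lo, hi


def parse_client(output):
    """Return the client's address and mask as an ip_interface."""
    addr = re.search(r"IP(?:v4)? Address[.\s]*:\s*([\d.]+)", output).group(1)
    mask = re.search(r"Subnet Mask[.\s]*:\s*([\d.]+)", output).group(1)
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_lease(config, output):
    """List mismatches between the pool definition and the client's lease."""
    net, lo, hi = parse_pool(config)
    iface = parse_client(output)
    problems = []
    if not lo <= iface.ip <= hi:
        problems.append(f"{iface.ip} is outside the pool range {lo}-{hi}")
    got, want = iface.network.prefixlen, net.prefixlen
    if got != want:
        problems.append(f"client mask is /{got}, pool network is /{want}")
    return problems
```

Calling `check_lease(POOL_CONFIG, CLIENT_OUTPUT)` reports the /32 versus /24 mismatch described in the post while confirming the address itself came from the configured range.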

19 REPLIES
Re: Pulse Clients Getting Wrong Subnet Mask

04-26-2012 12:20 PM

Hi there,

Firstly, what JunOS version are you running? Your config looks good; there are several issues with Dynamic VPN on different code versions.

Can you try configuring it as follows as a test:

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 172.29.2.0/24;
        }
    }
}

I have a similar config to yours working on JunOS 11.1 R4.4.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Pulse Clients Getting Wrong Subnet Mask

04-26-2012 12:33 PM

Hello,

Thanks for replying.

I have the latest version running on the SRX - 12.1R1.9 - I got it updated yesterday.

Also, I just added the low and high limit for the DHCP pool, and I was having the same problem before that, too.

Solution
Accepted by topic author Ivo
08-26-2015 01:27 AM

Re: Pulse Clients Getting Wrong Subnet Mask

04-26-2012 12:45 PM

As your config seems good, this could be a bug in the new code.

I would downgrade to 11.1 R4.4, which is a stable release, and go from there.

This is my Dynamic VPN running on the above version:

address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 192.168.20.0/26;
            xauth-attributes {
                primary-dns 192.168.1.200/32;
            }
        }
    }
}

IPv4 Address. . . . . . . . . . . : 192.168.20.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . :

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Pulse Clients Getting Wrong Subnet Mask

04-26-2012 01:06 PM

Sure,

I will try that and let you know what happens.

I kind of doubt it though - this would be a major failure - you would think that a new version would only fail in minor areas...

Re: Pulse Clients Getting Wrong Subnet Mask

04-27-2012 01:03 AM

Juniper fails in many areas.....all the time :)

Re: Pulse Clients Getting Wrong Subnet Mask

05-02-2012 08:16 AM

I guess that's what the problem was.

I have downgraded to 11.1 and I am getting the right subnet mask...

Re: Pulse Clients Getting Wrong Subnet Mask

05-02-2012 08:21 AM

Thought as much, the Dynamic VPN stuff is extremely buggy in my experience.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Pulse Clients Getting Wrong Subnet Mask

05-03-2012 07:10 AM

In this case, do businesses really buy Juniper stuff for VPN solutions?

I kind of wonder whether it will really be worth working on this project and getting a little deeper into Juniper altogether...

Re: Pulse Clients Getting Wrong Subnet Mask

05-03-2012 07:19 AM

Junos recommended release version is 10.4 R9.2 at the minute so you shouldn't have any issues on that version. I wouldn't use anything other than a recommended release version for the front end of a business.

I have various types of VPN working on 10.4 R7.5, just haven't updated yet; dial-in VPNs, site-to-site VPNs etc. all work well.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Pulse Clients Getting Wrong Subnet Mask

05-03-2012 07:28 AM

Thanks for the info :)

Re: Pulse Clients Getting Wrong Subnet Mask

05-03-2012 07:57 AM

Have a look here, it is updated with the Recommended Releases once they are available:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Pulse Clients Getting Wrong Subnet Mask

03-07-2013 11:37 AM

Hello MMcD,

The recommended version for SRX240 is 11.4R6.6 (updated on 31st January 2013). The same issue is still seen in this version. So even now, is downgrading to 11.4R4.4 the only solution, or is a subnet mask of 255.255.255.255 expected behavior?

Thanks in advance!!

Re: Pulse Clients Getting Wrong Subnet Mask

03-21-2014 11:40 AM

I am having the exact same problem with dynamic VPN on an SRX220. I'm using the latest recommended release (11.4R10.3). Has anyone found another workaround, or is 11.1 R4.4 the last release that actually has functioning VPN?

Re: Pulse Clients Getting Wrong Subnet Mask

03-21-2014 03:22 PM

I just tried it with 11.4R4.4 and 12.1X44-D30.4

Same result:

  IPv4 Address. . . . . . . . . . . : 192.168.0.130
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :

I can't find where to download 11.1R4.4 to test it. Does anyone have VPN working on a more recent version?

Re: Pulse Clients Getting Wrong Subnet Mask

11-12-2014 03:49 AM

I had the same issue with "JUNOS Software Release [12.1X44-D40.2]"

Re: Pulse Clients Getting Wrong Subnet Mask

03-23-2015 09:40 PM

Same issue with

root@SRX24-02> show version
Hostname: SRX24-02
Model: srx240h
JUNOS Software Release [12.1X44-D35.5]

Re: Pulse Clients Getting Wrong Subnet Mask

04-13-2015 01:21 AM

Were you able to solve this problem?

Re: Pulse Clients Getting Wrong Subnet Mask

04-14-2015 04:00 PM

So the only way to fix the problem with the wrong subnet is to downgrade my SRX to Junos 11.1 R4.4? That doesn't sound right... This version is like 4-5 years old. It should work correctly on Junos 12.1X44-D*, as this version is recommended (and I believe stable) by Juniper.

Re: Pulse Clients Getting Wrong Subnet Mask

04-15-2015 11:20 AM

I suggest opening a JTAC case to have a PR opened if it is a PR case.

Marc