SRX Services Gateway

SRX Dynamic VPN Issue

‎12-15-2015 10:11 PM

Since upgrading from Junos 12.1X44 to 12.1X46-D40.2 we haven't been able to connect using the Pulse Client.

When connecting we get the error 1454. When running show security dynamic-vpn client version, we get the error "abnormal communication termination with web-management daemon".

We've already tried power cycling the router and also tried to restart the web-management service; however, we had no luck.

One last thing: this router is part of a chassis cluster, but I don't see how that'd be an issue when it has worked in the past.

Thanks in advance for any help 🙂

Cheers,

Glenn

15 REPLIES

Re: SRX Dynamic VPN Issue

‎12-15-2015 10:29 PM
Can you share the complete error messages? Also try "restart web-management".
Thanks,
Suraj

Re: SRX Dynamic VPN Issue

‎12-15-2015 10:40 PM

Hi,

I once had the same issue; take a look at:

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Dynamic-VPN-Version/td-p/278324

If that doesn't help, try the following:


Basic Dynamic-VPN troubleshooting commands

1- Setup the traceoptions

# set security ike traceoptions file ike-debug

# set security ike traceoptions flag all

# set security ipsec traceoptions flag all

# commit

# run clear log ike-debug

2- Now try to connect and run this show command

# run show log ike-debug | match ike

————————————————————————–

Clearing the Token Info

1- run the shell, and execute this command :

admin@Abed> start shell

% rm -rf /var/db/dynamic-vpn-ipsec/tokens-info

% cli

2- Now, restart the web-management

admin@Abed> restart web-management

Web management gatekeeper process started, pid 8500

————————————————————————–

# set system processes general-authentication-service traceoptions flag all

# commit

> show log authd

————————————————————————–

restart ipsec-key-management

————————————————————————–

clear security dynamic-vpn ? << all/user >>

————————————————————————–

For VPN debugging, which enables logging to the KMD log by default without the need to commit:

> request security ike debug-enable local <ip-address> remote <ip-address> level <level>

and to turn off:

> request security ike debug-disable

Review logs written to /var/log/kmd:

> show log kmd

Checking the debug status:

> show security ike debug-status

For taking a tcpdump of an interface to analyze with Wireshark or similar (Hidden command):

> monitor traffic interface ge-0/0/1.0 write-file test.pcap

Can be viewed on the SRX also (Hidden command):

> monitor traffic read-file test.pcap

————————————————————————–

I recommend those three websites!

http://chimera.labs.oreilly.com/books/1234000001633/ch10.html

http://rtoodtoo.net/jncie-sec-traceoptions-ipsec-troubleshooting/

http://itzecurity.blogspot.co.il/2013/08/vpn-configuration-and-troubleshooting.html

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: SRX Dynamic VPN Issue

‎12-15-2015 10:43 PM

The error is attached as error1, when you click on it you get the error2 window.

Already tried several times with the restart web-management with no luck.


Re: SRX Dynamic VPN Issue

‎12-15-2015 11:23 PM

What version of the Junos Pulse client are you using? You have to upgrade your client to use Dynamic VPN with the latest version of Junos and from your error message that seems to be the problem.

I think this is the latest version of the client (I downloaded it about two weeks ago): ps-pulse-win-5.1r6.0-b61491

Thanks,
Hisham

Solution
Accepted by topic author eResources
‎12-16-2015 07:34 PM

Re: SRX Dynamic VPN Issue

‎12-16-2015 12:43 AM

A week ago I found a PR regarding this. It stated this is a regression bug introduced in 12.1X46-D40.

Downgraded to -D35, and it works fine.

Unfortunately, now I'm not able to find the exact PR again.

(found it: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780 BTW, PR search is s***t)

If you have active support, call JTAC, they should know when it will be fixed.

Regards,

Mircho


Re: SRX Dynamic VPN Issue

‎12-16-2015 02:49 AM
That's what I did, as I mentioned 🙂
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: SRX Dynamic VPN Issue

‎12-16-2015 07:34 PM

So I downgraded to D35 and it has fixed the issue as suggested.

Thanks for your help 🙂

Cheers

Glenn


Re: SRX Dynamic VPN Issue

‎12-21-2015 06:26 AM

The bug is also present in 12.1X46-D40.2

I am 99% sure this is due to them removing the vpn client download and borking the whole auth process.

> show security dynamic-vpn client version                            
error: abnormal communication termination with web-management daemon

When is the fix coming? Rolling back to previous version is never a nice thing, since we do upgrade to get the latest security fixes. Or is there no plan to actually fix this? We bought a pile of dynamic vpn licenses and they are useless. Last release was months ago...

Sorry if I am bitter after hours lost troubleshooting this.


Re: SRX Dynamic VPN Issue

‎12-24-2015 01:51 PM

The download links were removed way before D40.

Also, I tried downloading the latest Pulse release (61491) and the issue still happens. Going to contact JTAC next week after the holidays.


Re: SRX Dynamic VPN Issue

‎12-28-2015 03:32 PM

This is the PR just in case you need it: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780

Regards


Re: SRX Dynamic VPN Issue

‎12-29-2015 01:03 AM

They must be joking...

Resolved In 15.1X49-D30

Junos OS Release 15.1X49 does not support branch SRX Series devices or SRX1400, SRX3400, or SRX3600 devices.

If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).

So does this mean this will not be fixed ever?


Re: SRX Dynamic VPN Issue

‎12-29-2015 03:31 PM

Just wanted to say I did the same thing, and my SRX210's dynamic VPN is working now. You still can't download the client from the SRX anymore on this version FYI.

Thanks,


Re: SRX Dynamic VPN Issue

‎01-02-2016 11:00 AM

Does it work with mac client for anyone?


Re: SRX Dynamic VPN Issue

‎01-13-2016 01:13 PM

I've just run into this one as well.

So I'm looking at PR1135780 and it says it's Major Severity but it's Closed supposedly fixed in 15.1X49-D30.

We are on 220H2 devices which don't support this branch. So what does this mean; are Juniper ever going to fix it or are we now stuck forever on older firmware? I've had a brief chat with JTAC on this and so far it doesn't look like a fix is ever coming for this platform.

I've never had so much trouble with a firewall and VPNs in my life. First there was the sell off of Pulse and I've had nothing but trouble with them trying to get access to the latest Pulse Secure software and now Juniper bork it completely and won't fix it.

Guess I'll have to rollback.


Re: SRX Dynamic VPN Issue

‎01-14-2016 01:19 AM

Fix will be available in future releases for 12.1X44/46/47 trains.

Regards,

Raveen
