SRX Services Gateway

Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

Hello All,

 

We're newcomers in the Pulse Secure/Juniper Community and technology as well, seeking assistance for a resolution of a problem summarized in the subject of this post.

 

Our desktops/laptops  are running Win10 ver 1803 (OS Build 17134.590).

 

The gateways are:

Model: srx300
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

 

We own two SRX300 gateways set up to connect 2 business locations. PuTTY SSH can connect to both gateways w/o a problem even if the problem explained below is active.

 

The Pulse secure VPN client installed on the Win10 machines is v. 5.2.11 (1195). We didn't buy Pulse Secure VPN client. We downloaded a copy of it from Pulse Secure's site and we use it with a license that comes by default with the purchase of an SRX 300.

 

When we restart the SRX gateway, error 1453 goes away, but it comes back about 12-15 hrs later.

 

The body of network connection error 1453 reads as follows:

Network errors can be caused by temporary conditions such as an invalid URL , a server not available, and so on. Please try the operation again. Restart your system and try the operation again. If the problem persists, contact your network administrator.

 

We select Firewall(SRX) in the Type of Connection on Pulse and we're very sure we are using the correct Server URL.

 

To alleviate error 1453 we restart the gateway of the location the VPN client is connecting to, an hr or so before we open for business, and that keeps our remote users' connectivity going for half a day, sometimes more than a day, but on avg it lasts 12-15 hrs as mentioned above.

 

There's plenty of disk space on the appliance. That's how, at least, we interpret the results shown below:

user@location1> show system storage detail
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/da0s1a 2528708 251256 2075156 11% /
devfs 1 1 0 100% /dev
/dev/md0 20012 11820 6592 64% /junos
/cf/packages 2528708 251256 2075156 11% /junos/cf/packages
devfs 1 1 0 100% /junos/cf/dev
/dev/md1 808018 808018 0 100% /junos
/cf 20012 11820 6592 64% /junos/cf
devfs 1 1 0 100% /junos/dev/
/cf/packages 2528708 251256 2075156 11% /junos/cf/packages1
procfs 4 4 0 100% /proc
/dev/bo0s3e 189552 80 174308 0% /config
/dev/bo0s3f 2218426 114380 1926572 6% /cf/var
/dev/md2 687956 20384 612536 3% /mfs
/cf/var/jail 2218426 114380 1926572 6% /jail/var
/cf/var/jails/rest-api 2218426 114380 1926572 6% /web-api/var
/cf/var/log 2218426 114380 1926572 6% /jail/var/log
devfs 1 1 0 100% /jail/dev
/dev/md3 1884 292 1442 17% /jail/mfs

 

We tried troubleshooting the problem at hand with Pulse Secure official tech support, but the moment we talk about VPN out to a Juniper hardware product they immediately point us to Juniper tech support, hence reaching out to the Juniper Community, just in case someone else has experienced something similar and has advice or a recommendation on how to resolve it.

 

Any help will be much appreciated

Thanks

Stavros

6 REPLIES

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

Hi,

 

Can you try the same connection but from a PC that is running Windows 7, or Windows 10 but with a version prior to 1803?

 

Some incompatibility problems between Pulse software and Windows 10 were introduced after Windows version 1803. This is one example of it:

https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&actp=METADATA&act=login

 

Also take a packet capture with Wireshark on your PC when the problem is happening, I would like to confirm if the PC is sending packets to the SRX when the problem happens and if the SRX is responding.

 

Pura Vida from Costa Rica - Kudos are appreciated!

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

Thanks for replying.

 

I forgot to mention that one of our remote users is using Win7 SP1 and she experiences the same connection error when the other one who uses Win10 Build 1803 cannot connect.

 

Per your advice, when the error re-appears:

1.  I'll test a Win10 machine with Build < 1803

2.  capture packets with Wireshark

 

Thanks

Stavros


Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

When the connection error came back I initiated Pulse Secure, and while I kept clicking 'Retry' to create more VPN traffic I started collecting packets with Wireshark. After a few secs I stopped and filtered for the destination IP. That's what shows in the jpg attached.

 

As far as I know black packets are problematic ones, so I understand if the jpg is likely not enough to offer further advice on what to troubleshoot next. If that's the case, how can I share the pcapng file securely? I'm concerned about sharing it in the open b/c of the destination public IP address.

 

Thanks

Stavros


Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

I tried capturing packets again this morning, only this time I filtered all traffic captured for packets that have the public IP as source or destination. An example of the syntax w/ a non-routable IP follows below.

ip.src== 192.168.0.1 && ip.dst == 192.168.0.5

All VPN traffic in this collection and on my previous reply is going through my Wless interface.

The pattern of packets between this attempt and the one before seems the same. Is there anything I need to change so I can provide more info to troubleshoot the connection error?

 

Thanks

Stavros

 


Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

a week ago

Correction on the filter in my previous reply.

The filter I applied was

ip.src== Public_IP_Address || ip.dst == Public_IP_Address

where Public_IP_Address is the same on both sides of the OR

Thanks

Stavros


Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway

Thursday

Hi stavrosk

 

On both packet captures we can see that the PC is sending SYN messages in order to create a TCP connection with the SRX; however, it is not receiving any replies and starts retransmitting the SYN messages (black packets). We need to find out if the SRX is indeed not responding or if any device in between is dropping those packets at the time of the issue.

 

1. We can tell that the SRX's configuration is fine because the PC can connect from time to time.

2. Create a filter on the SRX with a counter that will increase if it receives the packets from the PC on its external interface. This way we can monitor whether the counter increases during the outages:

 

 

set firewall family inet filter FILTER term COUNTER from source-address [Public_IP_of_PC]
set firewall family inet filter FILTER term COUNTER from destination-port 443
set firewall family inet filter FILTER term COUNTER then count DynVPN
set firewall family inet filter FILTER term COUNTER then accept
set firewall family inet filter FILTER term ALLOW-ELSE then accept

set interfaces [SRX_External_Interface] unit 0 family inet filter input FILTER

commit

 

 

Review the counter with the following operational command: > show firewall

 

3. You could also try taking a pcap on the external interface of the SRX during the time of the issue:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

 

4. Confirm if during the time of the issue, hosts with different public IP addresses (connecting from different locations) experience the same issue. This will help us to isolate a problem with the SRX or a device sitting in front of the SRX.
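
The check described in the last reply, as an added example that is not part of the original thread: it finds unanswered SYNs in a client-side capture and compares them with two `show firewall` snapshots of the DynVPN counter taken around the outage. It assumes the capture was exported with tshark as tab-separated fields and that the counter line has the Name / Bytes / Packets layout; all addresses and counter values are constructed sample data.

```python
import re

SYN, ACK = 0x02, 0x10
# Constructed sample data (documentation addresses, not values from the thread).
# Rows mimic: tshark -r cap.pcapng -Y tcp -T fields -e ip.src -e ip.dst \
#             -e tcp.srcport -e tcp.dstport -e tcp.flags
CAPTURE = "\n".join([
    "198.51.100.7\t203.0.113.10\t50123\t443\t0x0002",  # SYN
    "198.51.100.7\t203.0.113.10\t50123\t443\t0x0002",  # retransmitted SYN
    "198.51.100.7\t203.0.113.10\t50123\t443\t0x0002",  # retransmitted SYN
    "198.51.100.7\t203.0.113.10\t50124\t443\t0x0002",  # SYN on a second flow
    "203.0.113.10\t198.51.100.7\t443\t50124\t0x0012",  # SYN-ACK for that flow
])
HEADER = "Filter: FILTER\nCounters:\nName        Bytes    Packets\n"
BEFORE = HEADER + "DynVPN          0          0\n"  # snapshot before the test
AFTER = HEADER + "DynVPN        208          4\n"   # snapshot after the test

def unanswered_syns(rows, server_ip, port=443):
    """Return {(client_ip, client_port): syn_count} for flows with no SYN-ACK."""
    flows = {}  # flow -> [syn_count, answered]
    for row in rows.splitlines():
        parts = row.split("\t")
        if len(parts) != 5 or not parts[4]:
            continue  # skip malformed or non-TCP rows
        src, dst, sport, dport = parts[0], parts[1], int(parts[2]), int(parts[3])
        flags = int(parts[4], 16)
        if flags & SYN and not flags & ACK and dst == server_ip and dport == port:
            flows.setdefault((src, sport), [0, False])[0] += 1
        elif flags & SYN and flags & ACK and src == server_ip and sport == port:
            flows.setdefault((dst, dport), [0, False])[1] = True
    return {f: n for f, (n, answered) in flows.items() if not answered}

def counter_packets(show_firewall, name="DynVPN"):
    """Read the Packets column of a named counter from `show firewall` output."""
    m = re.search(rf"^{re.escape(name)}\s+(\d+)\s+(\d+)\s*$", show_firewall, re.M)
    if m is None:
        raise ValueError(f"counter {name!r} not found")
    return int(m.group(2))

def verdict(rows, server_ip, before, after):
    """Combine the client capture with SRX counter snapshots around the outage."""
    lost = sum(unanswered_syns(rows, server_ip).values())
    delta = counter_packets(after) - counter_packets(before)
    if lost == 0:
        return "no unanswered SYNs in capture"
    if delta == 0:
        return "SYNs not reaching SRX: check devices in front of it"
    return "SRX counts the packets but sends no SYN-ACK: check the SRX"
```

Working from the tshark field export rather than the raw pcapng also means only the summary has to be shared, which keeps the public IP address out of a public post.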