The steps to verify the 'HTTPS configuration' of a Dynamic VPN configuration are shown, along with the symptoms when it is misconfigured.
This article is a part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.
Symptoms:
Dynamic VPN user attempts to connect to the SRX by specifying the following:
- https://<ike external interface for dynamic vpn> login page OR
- https://<srx-ip>/dynamic-vpn
And instead receives one of the following browser error messages:
- Unable to connect - Firefox can't establish a connection to the server at <IP address>
- This webpage is not available
- Internet Explorer cannot display the webpage:

Note: This article assumes that the user has already confirmed reachability from the PC Client to the SRX. If this hasn't been confirmed, please refer to KB17281 - Verify reachability from PC to SRX.
Perform the following steps to solve the problem:
Verify that HTTPS service is configured properly.
As long as HTTPS is enabled, any interfaces configured for use by the Dynamic VPN Pulse client (i.e. the external-interface under the IKE gateway being used for Dynamic VPN) will automatically redirect to the Dynamic VPN sign-in page. J-Web access will be disabled on that interface unless the management-url is setup. J-Web will only be accessable via the management-url. The Dynamic-VPN web page will only be accessable on interfaces configured for use by the Dynamic VPN Pulse client. Also, please note that adding a loopback (lo0) interface to the interface list will still disable J-Web entirely and only allow access to the Dynamic VPN portal.
Example configuration:
root@srx# show system services web-management
http; ##Optional to enable redirect
https {
system-generated-certificate;
}
If the HTTPS service is not enabled use the commands below to enable https:
root@srx# set system services web-management http
##Optional to enable redirect
root@srx# set system services web-management https system-generated-certificate
root@srx# set system services web-management https interface <interface-name>
##only required if a particular interface to be redirected to dynamic vpn login page
Once verified that the HTTPS service is configured, is the user now able to connect to the login page 'https://srx-ip/dynamic-vpn' or https://<ike interface for dynamic vpn> , similar to the page shown below?

Is the interface (that the Dynamic VPN client is attempting to connect to) assigned to a security zone, and is HTTPS part of the "Allowed host-inbound traffic" on the interface?
To do this, run the following command, replacing fe-0/0/0.0 with the interface you are using:
root@srx> show interfaces fe-0/0/0.0
Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
Flags: SNMP-Traps Encapsulation: ENET2
Input packets : 8468406
Output packets: 715
Security: Zone: untrust <----------------
Allowed host-inbound traffic : http https ike ping <-------------
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 10.10.10/24, Local: 10.10.10.1,
Broadcast: 10.10.10.255
This can also be checked through the configuration:
root@srx# show security zones security-zone untrust interfaces
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
http; ##Optional to enable redirect
https;
ike;
ping;
}
}
}
- Yes - Go to Step 4
- No - Add https with the following commands. Then continue to Step 4.
root@srx# set security zones security-zone <zone name> interfaces <interface name> host-inbound-traffic system-services https
root@srx# commit
Is the user now able to connect to the 'https://srx-ip/dynamic-vpn' login page?
Notes: - The "host-inbound-traffic system-services" can also be configured directly under the zone; however, the "host-inbound-traffic system-services" under the interface as shown above will overwrite the configuration that is done directly under the zone. For instance, the above configuration assigns the fe-0/0/0.0 interface to the untrust security zone and enables https on it.
- The ike system-service also needs to be enabled, as it is required for Dynamic VPN as well.