The steps to verify the 'HTTPS configuration' of a Dynamic VPN configuration are shown, along with the symptoms when it is misconfigured.

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

Symptoms:

Dynamic VPN user attempts to connect to the SRX by specifying the following:

• https://<ike external interface for dynamic vpn> login page       OR
• https://<srx-ip>/dynamic-vpn
  

And instead receives one of the following browser error messages:

• Unable to connect - Firefox can't establish a connection to the server at <IP address>
• This webpage is not available
• Internet Explorer cannot display the webpage:
  
  

Note: This article assumes that the user has already confirmed reachability from the PC Client to the SRX. If this hasn't been confirmed, please refer to KB17281 - Verify reachability from PC to SRX.

Perform the following steps to solve the problem:

  Verify that HTTPS service is configured properly.

As long as HTTPS is enabled, any interfaces configured for use by the Dynamic VPN Pulse client (i.e. the external-interface under the IKE gateway being used for Dynamic VPN) will automatically redirect to the Dynamic VPN sign-in page.  J-Web access will be disabled on that interface unless the management-url is setup.  J-Web will only be accessable via the management-url.  The Dynamic-VPN web page will only be accessable on interfaces configured for use by the Dynamic VPN Pulse client. Also, please note that adding a loopback (lo0) interface to the interface list will still disable J-Web entirely and only allow access to the Dynamic VPN portal. 

Example configuration:

root@srx# show system services web-management
http; ##Optional to enable redirect
https {
    system-generated-certificate;
}


If the HTTPS service is not enabled use the commands below to enable https:

root@srx# set system services web-management http     ##Optional to enable redirect
root@srx# set system services web-management https system-generated-certificate
root@srx# set system services web-management https interface <interface-name> ##only required if a particular interface to be redirected to dynamic vpn login page

  Once verified that the HTTPS service is configured, is the user now able to connect to the login page 'https://srx-ip/dynamic-vpn' or https://<ike interface for dynamic vpn> , similar to the page shown below?

               

• Yes - Have the user attempt to login.  If it is not successful, restart at KB17231 - Dynamic VPN] Can't login to Dynamic-VPN Portal or can't download Pulse client
• No - Continue with Step 3.

 

  Is the interface (that the Dynamic VPN client is attempting to connect to) assigned to a security zone, and is HTTPS part of the "Allowed host-inbound traffic" on the interface? 

To do this, run the following command, replacing fe-0/0/0.0 with the interface you are using:

root@srx> show interfaces fe-0/0/0.0
  Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 8468406
    Output packets: 715
    Security: Zone: untrust   <----------------
    Allowed host-inbound traffic : http https ike ping   <-------------
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1,
        Broadcast: 10.10.10.255

This can also be checked through the configuration:

root@srx# show security zones security-zone untrust interfaces
fe-0/0/0.0 {
    host-inbound-traffic {
        system-services {
            http; ##Optional to enable redirect
            https;
            ike;
            ping;
        }
    }
}


• Yes - Go to Step 4
  
• No - Add https with the following commands.  Then continue to Step 4.
  
  root@srx# set security zones security-zone <zone name> interfaces <interface name> host-inbound-traffic system-services https
root@srx# commit

   Is the user now able to connect to the 'https://srx-ip/dynamic-vpn'  login page?

• Yes - Have the user attempt to login.
• No - If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/Data to collect  for Troubleshooting and contact your technical support representative.  In the Data Collection Checklist, make sure to collect the information listed under 'IPSec - Dynamic VPN'.

Notes:

• The "host-inbound-traffic system-services" can also be configured directly under the zone; however, the "host-inbound-traffic system-services" under the interface as shown above will overwrite the configuration that is done directly under the zone. For instance, the above configuration assigns the fe-0/0/0.0 interface to the untrust security zone and enables https on it.   
  
• The ike system-service also needs to be enabled, as it is required for Dynamic VPN as well.