
[SRX] Verify 'HTTPS configuration' step in Dynamic VPN configuration

[KB17234]


Summary:

This article shows how to verify the 'HTTPS configuration' step of a Dynamic VPN configuration, and describes the symptoms seen when it is misconfigured.

This article is part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.


Symptoms:

A Dynamic VPN user attempts to connect to the SRX by browsing to one of the following:

  • https://<ike external interface for dynamic vpn> (login page), or
  • https://<srx-ip>/dynamic-vpn

Instead of the login page, the browser shows one of the following errors:

  • Unable to connect - Firefox can't establish a connection to the server at <IP address>
  • This webpage is not available
  • Internet Explorer cannot display the webpage


Solution:

Note: This article assumes that you have already confirmed reachability from the PC client to the SRX. If this has not been confirmed, refer to KB17281 - Verify reachability from PC to SRX.


Perform the following steps to solve the problem:

Step 1: Verify that the HTTPS service is configured properly.

As long as HTTPS is enabled, any interface configured for use by the Dynamic VPN Pulse client (that is, the external-interface under the IKE gateway used for Dynamic VPN) automatically redirects to the Dynamic VPN sign-in page. J-Web access is disabled on that interface unless a management-url is set up; J-Web is then reachable only via the management-url. The Dynamic VPN web page is only accessible on interfaces configured for use by the Dynamic VPN Pulse client. Note also that adding a loopback (lo0) interface to the interface list still disables J-Web entirely and only allows access to the Dynamic VPN portal.

Example configuration:

root@srx# show system services web-management
http; ##Optional to enable redirect
https {
    system-generated-certificate;
}

If the HTTPS service is not enabled, use the commands below to enable it:

root@srx# set system services web-management http     ##Optional to enable redirect
root@srx# set system services web-management https system-generated-certificate
root@srx# set system services web-management https interface <interface-name>     ##Only required if a particular interface is to be redirected to the Dynamic VPN login page



Step 2: Now that the HTTPS service is confirmed to be configured, is the user able to connect to the login page 'https://srx-ip/dynamic-vpn' or https://<ike interface for dynamic vpn>, similar to the page shown below?

[Screenshot: Dynamic VPN login page]

Step 3: Is the interface that the Dynamic VPN client is attempting to connect to assigned to a security zone, and is HTTPS part of the "Allowed host-inbound traffic" on that interface?

To check this, run the following command, replacing fe-0/0/0.0 with the interface you are using:

root@srx> show interfaces fe-0/0/0.0
  Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 8468406
    Output packets: 715
    Security: Zone: untrust   <----------------
    Allowed host-inbound traffic : http https ike ping   <-------------
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local: 10.10.10.1,
        Broadcast: 10.10.10.255


This can also be checked through the configuration:

root@srx# show security zones security-zone untrust interfaces
fe-0/0/0.0 {
    host-inbound-traffic {
        system-services {
            http; ##Optional to enable redirect
            https;
            ike;
            ping;
        }
    }
}

  • Yes - Go to Step 4.
  • No - Add https with the following commands, then continue to Step 4.

    root@srx# set security zones security-zone <zone name> interfaces <interface name> host-inbound-traffic system-services https
    root@srx# commit



Step 4: Is the user now able to connect to the 'https://srx-ip/dynamic-vpn' login page?


Notes:
  • "host-inbound-traffic system-services" can also be configured directly under the zone; however, a "host-inbound-traffic system-services" statement under the interface, as shown above, overrides the configuration made directly under the zone. For instance, the configuration above assigns the fe-0/0/0.0 interface to the untrust security zone and enables https on it.
  • The ike system-service also needs to be enabled, as it is required for Dynamic VPN as well.
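Steps 1 and 3 above boil down to two checks: an https stanza under web-management, and https plus ike in the interface's allowed host-inbound traffic. The following script is an added example, not part of this KB article or of Junos; it runs the same checks over text captured from the CLI so they can be repeated across many SRX devices. The sample output embedded below is constructed to mirror the listings in this article and was not captured from a real device.

```python
import re
from typing import List, NamedTuple, Optional

# Services the Dynamic VPN portal needs on the external interface (per this article).
REQUIRED_SERVICES = frozenset({"https", "ike"})


class InterfaceSecurity(NamedTuple):
    """Zone and allowed host-inbound services parsed from 'show interfaces <ifl>'."""
    zone: Optional[str]
    allowed_services: frozenset


def parse_show_interfaces(output: str) -> InterfaceSecurity:
    """Pull the security zone and host-inbound service list out of operational output."""
    zone = None
    services: frozenset = frozenset()
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Security:\s*Zone:\s*(\S+)", line)
        if m:
            zone = m.group(1)
            continue
        m = re.match(r"Allowed host-inbound traffic\s*:\s*(.*)", line)
        if m:
            # Keep only service keywords; drop trailing annotations such as "<---".
            tokens = [t for t in m.group(1).split() if not t.startswith("<")]
            services = frozenset(tokens)
    return InterfaceSecurity(zone, services)


def web_management_https_enabled(config: str) -> bool:
    """True if 'show system services web-management' contains an https leaf or stanza."""
    for raw in config.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop Junos ## annotations
        if re.match(r"https\s*[;{]", line):
            return True
    return False


def audit(web_mgmt_config: str, show_interfaces_output: str) -> List[str]:
    """Return human-readable findings; an empty list means both steps pass."""
    findings = []
    if not web_management_https_enabled(web_mgmt_config):
        findings.append("web-management https is not enabled (Step 1)")
    sec = parse_show_interfaces(show_interfaces_output)
    if sec.zone is None:
        findings.append("interface is not assigned to a security zone (Step 3)")
    for svc in sorted(REQUIRED_SERVICES - sec.allowed_services):
        findings.append(f"host-inbound-traffic system-services missing '{svc}' (Step 3)")
    return findings


# Constructed samples modelled on the listings in this article (not captured from a device).
SAMPLE_WEB_MGMT = """\
http;
https {
    system-generated-certificate;
}
"""

SAMPLE_SHOW_INTERFACES_OK = """\
  Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
    Flags: SNMP-Traps Encapsulation: ENET2
    Security: Zone: untrust
    Allowed host-inbound traffic : http https ike ping
    Protocol inet, MTU: 1500
"""

SAMPLE_SHOW_INTERFACES_NO_HTTPS = """\
  Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
    Security: Zone: untrust
    Allowed host-inbound traffic : ike ping
    Protocol inet, MTU: 1500
"""

if __name__ == "__main__":
    for label, out in (("ok", SAMPLE_SHOW_INTERFACES_OK),
                       ("no-https", SAMPLE_SHOW_INTERFACES_NO_HTTPS)):
        print(label, audit(SAMPLE_WEB_MGMT, out) or ["all checks passed"])
```

Feed it the raw text of `show system services web-management` and `show interfaces <ifl>` collected from each device; a non-empty result names the step of this article to return to.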
