[Archive][Dynamic VPN] Access Manager client gets no error and the 'Connection result:' field is blank (hangs) when attempting to connect to the SRX

Article ID: KB17439 KB Last Updated: 29 Dec 2014 Version: 2.0
Summary:

When trying to connect the Access Manager client to the SRX, the Connection result is blank.

This article is part of the Dynamic VPN Resolution Guide: KB17220 - Troubleshoot Dynamic VPN client that is not working.

Unless otherwise noted, these steps apply to all versions of Dynamic VPN. Any step that applies only to specific versions notes which versions it applies to.

Symptoms:

  • Dynamic VPN client is not connecting to the SRX. The Connection Result for the Connection Status in the Juniper Networks Access Manager window is blank.


  • You followed the steps in KB17232 - Dynamic VPN Client status is 'Disconnected', and it referred you to this article.
Cause:

Solution:

Perform the following steps when the 'Connection result' is blank:

Step 1.  There are a few possible causes for this condition. Engineering is addressing this to produce a better error message. In the meantime, please check the following:

  • The RADIUS IP address specified on the SRX is incorrect OR the secret does not match between the SRX and the RADIUS server. You can check this by viewing the logs as explained below.

    user@srx# set system processes general-authentication-service traceoptions flag all
    user@srx# run clear log authd
    user@srx# commit

    [Have the user attempt to connect and log in again]

    user@srx> show log authd

    The auth-debug log will contain the following if there is a problem with the connection to the RADIUS server:

    Apr 8 17:29:33 AUTHEN - module(radius) return: ASYNC
    Apr 8 17:29:45 RADIUS server 172.18.66.10:1812 was used for last request
    Apr 8 17:29:45 Radius : authd_radius_ mark_servers_dead: profile -radius-server, radius server - 172.18.66.88:1812 status set to DEAD

    For additional RADIUS debugging, refer to KB17335.


  • External interface specified for the security ike gateway may be incorrect.  Confirm that the external interface listed is the correct interface for the Dynamic VPN traffic.  Also, confirm the xauth access-profile is pointing to the correct access profile (as seen with show access). 

    Double check these with the command show security ike.  Below are sample working configurations:
     
    Junos 10.3 and below:

    root@srx# show security ike

    proposal simple-ike-proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }
    policy simple-ike-policy {
        mode aggressive;
        proposals simple-ike-proposal;
        pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
    }
    gateway dyn-gw-user1 {
        ike-policy simple-ike-policy;
        dynamic hostname host1;
        external-interface ge-0/0/5.0;   <---------------
        xauth access-profile radius-server-profile;   <--------------
    }

    Junos 10.4 and above:

    root@srx# show security ike

    policy ike-dyn-vpn-policy {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text "$9$km5FCtOcyKn/yKM8dVqmf"; ## SECRET-DATA
    }
    gateway dyn-vpn-local-gw {
        ike-policy ike-dyn-vpn-policy;
        dynamic hostname dynvpn;
        external-interface ge-0/0/5.0;   <---------------
        xauth access-profile radius-server-profile;   <--------------
    }


  • IPsec (Phase 2) on the SRX may be misconfigured. This is documented in the Dynamic VPN application note.
     
    Junos 10.3 and below:

    root@srx# show security ipsec

    proposal simple-ipsec-proposal {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
    }
    policy simple-ipsec-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals simple-ipsec-proposal;
    }
    vpn dyn-vpn-user1 {
        ike {
            gateway dyn-gw-user1;
            ipsec-policy simple-ipsec-policy;
        }
    }

    Junos 10.4 and above:

    root@srx# show security ipsec
    policy ipsec-dyn-vpn-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn dyn-vpn {
        ike {
            gateway dyn-vpn-local-gw;
            ipsec-policy ipsec-dyn-vpn-policy;
        }
    }


  • Web-management process needs to be restarted.  To do this, perform the following steps:

    Access the Unix shell from the operational command line. (The prompt will change from a > to a %.)
    Note:  The following steps require you to have root access to the SRX device.
    user@srx> start shell
    user@srx%
    Remove the tokens-info file:
    user@srx% rm -rf /var/db/dynamic-vpn-ipsec/tokens-info
    Exit the shell:
    user@srx% exit
    Restart the web-management process:
    user@srx> restart web-management
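
The authd log check from the first bullet of Step 1, as an added example that is not part of the original article or Juniper tooling: it scans saved `show log authd` output for the "status set to DEAD" line and reports which of the two causes named there to check first. The function name, the `known_servers` parameter, and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

# Patterns modelled on the authd trace lines quoted in this article (assumption:
# other Junos releases may word these messages differently).
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
ASYNC = re.compile(TS + r" AUTHEN - module\(radius\) return: ASYNC")
DEAD = re.compile(TS + r".*profile\s*-?\s*(?P<profile>[^\s,]+), radius server - "
                       r"(?P<server>[\d.]+:\d+) status set to DEAD")

def _when(ts):
    # Syslog timestamps carry no year; pin one so the values can be subtracted.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def radius_failures(log_text, known_servers):
    """Summarise every 'status set to DEAD' line in `show log authd` output.

    known_servers: "ip:port" strings of the real RADIUS servers (caller-supplied).
    """
    findings, handed_off = [], None
    for line in log_text.splitlines():
        if m := ASYNC.search(line):
            handed_off = _when(m["ts"])          # request passed to the RADIUS module
        elif m := DEAD.search(line):
            waited = (_when(m["ts"]) - handed_off).total_seconds() if handed_off else None
            check = ("shared secret" if m["server"] in known_servers
                     else "server address configured on the SRX")
            findings.append({"server": m["server"], "profile": m["profile"],
                             "waited_s": waited, "check": check})
    return findings

# Constructed sample (documentation addresses, not output from a live device).
SAMPLE = """\
Apr 8 17:29:33 AUTHEN - module(radius) return: ASYNC
Apr 8 17:29:45 RADIUS server 192.0.2.88:1812 was used for last request
Apr 8 17:29:45 Radius : authd_radius_mark_servers_dead: profile - radius-server-profile, radius server - 192.0.2.88:1812 status set to DEAD
"""

if __name__ == "__main__":
    for f in radius_failures(SAMPLE, known_servers={"192.0.2.10:1812"}):
        print(f)
```

An empty result means no server was marked DEAD in the captured log, so the remaining bullets in Step 1 are the next things to check.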


Step 2.  If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a case with your technical support representative.
