Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Dynamic VPN Virtual Adapter does not exist on PC, or the Virtual Adapter has no IP address (under ipconfig)

0

0

Article ID: KB17703 KB Last Updated: 27 Feb 2020Version: 6.0
Summary:

Pulse client is connected, but the virtual adapter does not exist on the PC (in the ipconfig output).

This article is a part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

Symptoms:
The ipconfig output on the PC does not include the 'Ethernet Adapter Juniper Network Agent Virtual Adapter' or the adapter does not have an IP Address listed
Solution:

This behavior occurs in the following situations:

  • User defined on the RADIUS server is not assigning a Framed-IP-Address and Framed-IP-Netmask
    OR
  • Local authentication is being used, and address-assignment is not being used or there is no valid address-assignment pool listed in the access profile
NOTE:  It is not necessary for Pulse to be provided an IP address.  If no IP address is provided, VPN traffic will be sourced using the Ethernet NIC IP address. 

 

  1. Are you using RADIUS or local authentication?
    • RADIUS - Continue to Step 2
    • Local Authentication - Jump to Step 4
  2. [RADIUS] Ensure the username specified under the security dynamic-vpn matches the username on the RADIUS server or the local user in the access profile.  For example:
    root@srx# show security dynamic-vpn
     access-profile radius-server;
    clients {
        user1 {
            remote-protected-resources {
                192.168.2.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn dyn-vpn-user1;
            user {
                user1;  <--------must match username on RADIUS server or the local user to do XAUTH.
            }
        }
    }
    
    
  3. [RADIUS] Ensure that the users defined on the RADIUS server are assigning a Framed-IP-Address and a Framed-IP-Netmask. The Dynamic VPN application note for Junos 10.4 provides a step-by-step example of Configuring Steel Belted RADIUS in the Appendix.
    The following attributes are commonly assigned:
    Framed-IP-Address (required)
    Framed-IP-Netmask (required)

    Juniper-Primary-Dns (optional)
    Juniper-Secondary-Dns (optional)
    Juniper-Primary-Wins  (optional)
    Juniper-Secondary-Wins (optional)

    If still resolved, jump to Step 5.

  4. [Local Auth] Confirm an address assignment pool is defined and referenced in a profile as shown below:
    root@srx# show access

    profile dyn-vpn-access-profile {
        authentication-order password;
        client user1 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }

    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.10.0/24;
                xauth-attributes {
                    primary-dns 4.2.2.2/32;
                }
            }
        }
    }
  5. If the configuration looks correct, then set the following debug commands on the SRX to capture all authentication debugs to the file named 'auth-debug':
    root@srx# set system processes general-authentication-service traceoptions flag all
    root@srx# run clear log authd
    root@srx# commit

    [Have user attempt to connect and login again]

    user@srx> show log authd

    Review the output of the authd file to confirm the IP address and netmask are being assigned.  Note that the auth traceoptions output will show the attributes being sent from the RADIUS server, but it will not show the attribute values.

  6. If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative or with the RADIUS server vendor as appropriate.
Modification History:
2020-02-27: minor non-technical edits.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search