Pulse client is connected, but the virtual adapter does not exist on the PC (in the ipconfig output).
This article is a part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.
This behavior occurs in the following situations:
- The user defined on the RADIUS server is not assigned a Framed-IP-Address and Framed-IP-Netmask
OR
- Local authentication is being used, and either address-assignment is not configured or no valid address-assignment pool is listed in the access profile
NOTE: It is not necessary for Pulse to be provided an IP address. If no IP address is provided, VPN traffic will be sourced using the Ethernet NIC IP address.
- Are you using RADIUS or local authentication?
    - RADIUS - Continue to Step 2
    - Local Authentication - Jump to Step 4
- [RADIUS] Ensure the username specified under security dynamic-vpn matches the username on the RADIUS server or the local user in the access profile. For example:
    root@srx# show security dynamic-vpn
    access-profile radius-server;
    clients {
        user1 {
            remote-protected-resources {
                192.168.2.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn dyn-vpn-user1;
            user {
                user1; <-------- must match username on RADIUS server or the local user to do XAUTH.
            }
        }
    }
- [RADIUS] Ensure that the users defined on the RADIUS server are assigned a Framed-IP-Address and a Framed-IP-Netmask. The Dynamic VPN application note for Junos 10.4 provides a step-by-step example of configuring Steel Belted RADIUS in the Appendix.
The following attributes are commonly assigned:
Framed-IP-Address (required)
Framed-IP-Netmask (required)
Juniper-Primary-Dns (optional)
Juniper-Secondary-Dns (optional)
Juniper-Primary-Wins (optional)
Juniper-Secondary-Wins (optional)
If the problem is still not resolved, jump to Step 5.
- [Local Auth] Confirm an address assignment pool is defined and referenced in a profile as shown below:
    root@srx# show access
    profile dyn-vpn-access-profile {
        authentication-order password;
        client user1 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.10.0/24;
                xauth-attributes {
                    primary-dns 4.2.2.2/32;
                }
            }
        }
    }
- If the configuration looks correct, then set the following debug commands on the SRX to capture all authentication debugs to the file named 'auth-debug':
    root@srx# set system processes general-authentication-service traceoptions flag all
    root@srx# run clear log authd
    root@srx# commit
    [Have user attempt to connect and login again]
    user@srx> show log authd
Review the output of the authd file to confirm the IP address and netmask are being assigned. Note that the auth traceoptions output will show the attributes being sent from the RADIUS server, but it will not show the attribute values.
- If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, along with the debugs captured above, and open a technical support case with your technical support representative or with the RADIUS server vendor as appropriate.
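
The Step 4 check can be scripted against a saved copy of the `show access` output. The following is an added example, not Juniper tooling or code from the original article; the function names `parse` and `check_pools` are hypothetical and the sample configuration is constructed.

```python
import re

# Constructed sample shaped like `show access`; the referenced pool is never defined.
SAMPLE = """
profile dyn-vpn-access-profile {
    authentication-order password;
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool other-pool {
        family inet {
            network 10.10.10.0/24;
        }
    }
}
"""

def parse(text):
    """Parse Junos brace-style config into nested dicts (leaf statements map to None)."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"##.*", "", text))
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def check_pools(text):
    """List reasons a locally authenticated client would get no address from a pool."""
    cfg = parse(text)
    pools = cfg.get("address-assignment") or {}  # keys look like "pool NAME"
    problems = []
    for key, body in cfg.items():
        if not key.startswith("profile "):
            continue
        name = key.split()[1]
        refs = [k for k in ((body or {}).get("address-assignment") or {}) if k.startswith("pool ")]
        if not refs:
            problems.append(f"{name}: no address-assignment pool referenced")
        for ref in refs:
            if ref not in pools:
                problems.append(f"{name}: {ref} is referenced but not defined")
            elif not any(k.startswith("network ") for k in ((pools[ref] or {}).get("family inet") or {})):
                problems.append(f"{name}: {ref} has no family inet network")
    return problems
```

An empty list from `check_pools` means every profile references a pool that is defined with a `family inet` network, as in the Step 4 configuration.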