
[SRX] Pulse client not able to connect to SRX due to configuration issues


Article ID: KB22980  |  Last Updated: 24 Feb 2020  |  Version: 4.0
Summary:

A sample working configuration is included for you to compare against your configuration.

This article is part of the Dynamic VPN Resolution Guide: KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.

Symptoms:

The Pulse client does not connect to the SRX because of a configuration error.

Solution:

If your Pulse client is not connecting to the SRX device, first follow the steps in KB23031 - [SRX] Pulse client connection status is 'Disconnected'; that article may refer you here to confirm your configuration.


Below is a working configuration for a Pulse client connected to an SRX. The areas that most often cause connection failures are marked with ## comments so you can compare them against your own configuration; the names used in those areas (IKE policy, gateway, IPsec VPN, access profile, user names) must match exactly wherever they are referenced.


system

system {
    root-authentication {
        encrypted-password "$ABC123";
    }
    services {
        web-management {
            https { 
                system-generated-certificate;
                interface fe-0/0/0.0; ## Specifying the interface is optional
            }
        }
    }
}

interfaces

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                ## This address is the Server URL entered in Pulse when fe-0/0/0 is the IKE external interface
                address 1.1.1.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}

security

security {
    ike {
        proposal ike-prop1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            ## md5 and des-cbc keep this minimal example short, but both are deprecated:
            ## prefer aes-128-cbc or aes-256-cbc with sha1 or sha-256 and dh-group group14
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 86400;
        }
        ## Remember to set the mode to aggressive, else "IKE negotiations fail"
        ## Aggressive mode exposes a hash of the pre-shared key to offline guessing, and with a group IKE ID
        ## every client shares this one key: use a long random value and treat the per-user XAuth
        ## credentials in the access profile as the real user authentication
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposals ike-prop1;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        ## Make sure the correct IKE policy is specified
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                ## connections-limit must not exceed the number of installed Dynamic VPN licenses
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            ## Make sure to specify the correct egress interface toward the client
            external-interface fe-0/0/0.0;
            ## The XAuth access profile must match the profile defined under [edit access]
            xauth access-profile dyn-vpn-access-profile;
        }

    }
    ipsec {
        proposal ipsec-prop2 {
            protocol esp;
            ## hmac-md5-96 and des-cbc are for this minimal example only:
            ## prefer hmac-sha1-96 or hmac-sha-256-128 with aes-128-cbc or aes-256-cbc
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop2;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-policy;
            }
        }
    }
    ## Bind the Access profile with the Dynamic-VPN
    dynamic-vpn {
        access-profile dyn-vpn-access-profile; 
        clients {
            all-clients {    
                remote-protected-resources {
                    192.168.0.0/24;    ## Traffic to these prefixes goes through the VPN
                }
                remote-exceptions {
                    0.0.0.0/0;    ## Everything else bypasses the tunnel (split tunneling)
                }
                ## Specify the correct IPSEC VPN name
                ipsec-vpn dyn-vpn;
                ## Usernames must match the clients in the [edit access] profile or the users defined on the RADIUS server
                user {
                    user1;
                    user2;
                }
            }
        }
    }
    policies {
        ## Direction is from the zone holding the external interface (untrust) to the zone with the protected resources (trust)
        from-zone untrust to-zone trust { 
            policy pol-dyn-vpn {
                match { 
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ## Specify the correct IPSEC VPN name
                            ipsec-vpn dyn-vpn; 
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        ## IKE and HTTPS are mandatory on the external interface
                        system-services { 
                            ike;
                            https;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                    system-services {
                        all;    ## Wide open for the example; narrow to what the trust side needs in production
                    }
                    protocols {
                        all;
                    }
                    }
                }
            }
        }
    }
}

access

access {
    profile dyn-vpn-access-profile {
        ## Each client is an XAuth user; names must match the user list under [edit security dynamic-vpn clients]
        client user1 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        client user2 {
            firewall-user {
                password "$ABC123"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                ## Addresses handed to clients; keep the pool disjoint from the protected 192.168.0.0/24 network
                network 192.168.1.0/24;
                xauth-attributes primary-dns 4.2.2.2/32;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile; ## Specify the profile name defined under [edit access]
        }
    }
}



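Nearly every ## comment above describes a cross-reference that must agree: the IKE policy named by the gateway, the IPsec VPN named under dynamic-vpn and in the tunnel policy, the access profile named by xauth and by dynamic-vpn, the user list against the profile's clients, the connections-limit against the license count, and ike/https on the external interface's zone. The script below is an added example, not part of this article or of Juniper's tooling: it reads the configuration in `show configuration | display set` form and reports each mismatch. `parse_set`, `lint` and `SAMPLE` are names chosen here; `SAMPLE` is a constructed, abridged set-format copy of the article's configuration, not output from a device, and the license count is passed in by hand because it lives in `show system license`, not in the configuration.

```python
def parse_set(text):
    """Nested dict from `set ...` lines: every token is one level, leaves are empty dicts."""
    tree = {}
    for raw in text.splitlines():
        words = raw.split()
        if words[:1] != ["set"]:  # ignore blank lines, comments and anything that is not a set line
            continue
        node = tree
        for word in words[1:]:
            node = node.setdefault(word, {})
    return tree


def path(tree, *keys):
    """Subtree at keys, or {} if any key is missing, so lookups never raise."""
    for key in keys:
        tree = tree.get(key, {})
    return tree


def value(tree, *keys):
    """Value of the `keyword value` statement at keys, or None."""
    return next(iter(path(tree, *keys)), None)


def lint(set_text, licensed_connections):
    """List the mismatches the ## comments in the sample configuration warn about."""
    cfg = parse_set(set_text)
    findings = []
    ike = path(cfg, "security", "ike")
    zones = path(cfg, "security", "zones", "security-zone")
    profiles = path(cfg, "access", "profile")
    dyn_gateways = set()
    for name, gw in path(ike, "gateway").items():
        if "dynamic" not in gw:
            continue  # site-to-site peer, not a dynamic-VPN gateway
        dyn_gateways.add(name)
        policy = value(gw, "ike-policy")
        if policy not in path(ike, "policy"):
            findings.append(f"gateway {name}: ike-policy {policy} is not defined")
        elif value(ike, "policy", policy, "mode") != "aggressive":
            findings.append(f"gateway {name}: ike-policy {policy} must use mode aggressive")
        limit = int(value(gw, "dynamic", "connections-limit") or 0)
        if limit > licensed_connections:
            findings.append(f"gateway {name}: connections-limit {limit} exceeds "
                            f"{licensed_connections} installed licenses")
        ext = value(gw, "external-interface")
        zone = next((z for z, zc in zones.items() if ext in path(zc, "interfaces")), None)
        services = path(zones, zone, "interfaces", ext, "host-inbound-traffic", "system-services")
        if zone is None:
            findings.append(f"gateway {name}: external-interface {ext} is in no security zone")
        elif "all" not in services and not {"ike", "https"} <= set(services):
            findings.append(f"gateway {name}: zone {zone} must allow ike and https on {ext}")
        xauth = value(gw, "xauth", "access-profile")
        if xauth not in profiles:
            findings.append(f"gateway {name}: xauth access-profile {xauth} is not defined")
    dvpn = path(cfg, "security", "dynamic-vpn")
    profile = value(dvpn, "access-profile")
    if profile not in profiles:
        findings.append(f"dynamic-vpn access-profile {profile} is not defined under [edit access]")
    known_users = path(profiles, profile, "client")
    tunnelled = {value(p, "then", "permit", "tunnel", "ipsec-vpn")
                 for fz in path(cfg, "security", "policies", "from-zone").values()
                 for tz in path(fz, "to-zone").values()
                 for p in path(tz, "policy").values()}
    for group, gc in path(dvpn, "clients").items():
        vpn = value(gc, "ipsec-vpn")
        if value(cfg, "security", "ipsec", "vpn", vpn, "ike", "gateway") not in dyn_gateways:
            findings.append(f"clients {group}: ipsec-vpn {vpn} is not bound to a dynamic gateway")
        if vpn not in tunnelled:
            findings.append(f"clients {group}: no security policy has permit tunnel ipsec-vpn {vpn}")
        for user in path(gc, "user"):
            if user not in known_users:
                findings.append(f"clients {group}: user {user} is not a client of profile {profile}")
    return findings


# Constructed sample (not device output): the article's configuration, abridged, in `display set` form.
SAMPLE = """\
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all-clients remote-protected-resources 192.168.0.0/24
set security dynamic-vpn clients all-clients ipsec-vpn dyn-vpn
set security dynamic-vpn clients all-clients user user1
set security dynamic-vpn clients all-clients user user2
set security policies from-zone untrust to-zone trust policy pol-dyn-vpn match source-address any
set security policies from-zone untrust to-zone trust policy pol-dyn-vpn then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set access profile dyn-vpn-access-profile client user1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client user2 firewall-user password "$ABC123"
"""
```

To use it against a real device, replace SAMPLE with the output of `show configuration | display set` and pass the Dynamic VPN count reported by `show system license` as `licensed_connections`; `lint(SAMPLE, 2)` returns an empty list for the sample, and changing `mode aggressive` to `mode main`, adding a user that has no client entry, or lowering the license count each produces one finding naming the offending stanza.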
For more information on the above configuration fields, refer to:


If the problem is still not resolved after completing the steps above, collect the information listed in KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting, and open a case with your technical support representative. (Note the 'IPSec - Dynamic VPN' section for the additional data to collect.)


