
[SRX] Dynamic VPN not working due to port 443 not listening


Article ID: KB30444 KB Last Updated: 25 Jun 2020Version: 3.0
Summary:

Unable to create a dynamic VPN using Junos Pulse, even though everything seems to be configured correctly.

Symptoms:
  • The Dynamic VPN connection using Junos Pulse fails immediately; the client does not even present a login prompt.
  • The Dynamic VPN configuration was created with the dynamic VPN wizard, so the configuration itself should be correct.
  • A J-Web connection to the device over HTTPS fails.
  • A J-Web connection to the device over HTTP succeeds.
Cause:

Looking at the /var/log/httpd.log file, we see the httpd process listening on port 80, but there is no entry showing it listening on port 443:

httpd: 1: Started at Tue Mar 31 01:41:53 2015 CDT
httpd: 1: Starting host named: "RTC-RVRAOFC-01"
httpd: 2: Listening for HTTP on *:80
httpd: 2: Listening for HTTP on :::80
httpd: 1: HTTP services are ready with max 10 worker threads
httpd: 2: GET / HTTP/1.0
httpd: 0: GET IFNAME WORKED reth4.0
httpd: 0: GET IFNAME WORKED reth4.0

Additionally, the output of show system connections does not list TCP port 443 in the LISTEN state. Per KB23720 - Which ports can be used by Junos Pulse for dynamic VPN, the SRX device must be listening on TCP port 443 for the Pulse client to connect.

Solution:

If the SRX device is not listening on TCP port 443, you can force it by explicitly configuring port 443 under the system services web-management https stanza:

set system services web-management https port 443
commit

You can confirm that the port is now open with show system connections; both the IPv4 (tcp4) and dual-stack (tcp46) sockets for *.443 should show LISTEN:

root> show system connections
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address       Foreign Address       (state)
tcp46      0      0  *.443               *.*                   LISTEN
tcp4       0      0  *.443               *.*                   LISTEN
tcp46      0      0  *.80                *.*                   LISTEN
tcp4       0      0  *.80                *.*                   LISTEN

After you have verified that the SRX is listening on TCP port 443, the dynamic VPN should start working.
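The two checks described in this article (the httpd.log "Listening" entries and the LISTEN sockets in show system connections) can be scripted so the verification is repeatable, for example when auditing several SRX devices. The following Python script is an added example and is not part of this KB article or of Junos; the sample log and command output embedded in it are constructed to mirror the text above, and the HTTPS log wording is an assumption since the article only shows the HTTP line.

```python
import re

# Constructed sample of /var/log/httpd.log, matching the "before" state in the article
HTTPD_LOG_BEFORE = """httpd: 1: Started at Tue Mar 31 01:41:53 2015 CDT
httpd: 2: Listening for HTTP on *:80
httpd: 2: Listening for HTTP on :::80
httpd: 1: HTTP services are ready with max 10 worker threads
"""

# Constructed sample of "show system connections" before the fix (only port 80 open)
CONNECTIONS_BEFORE = """Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address       Foreign Address       (state)
tcp46      0      0  *.80                *.*                   LISTEN
tcp4       0      0  *.80                *.*                   LISTEN
"""

# Constructed sample after "set system services web-management https port 443"
CONNECTIONS_AFTER = """Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address       Foreign Address       (state)
tcp46      0      0  *.443               *.*                   LISTEN
tcp4       0      0  *.443               *.*                   LISTEN
tcp46      0      0  *.80                *.*                   LISTEN
tcp4       0      0  *.80                *.*                   LISTEN
"""

# One row of the connection table: proto, two queue counters, local, foreign, state
CONN_RE = re.compile(
    r"^(?P<proto>tcp\d*|udp\d*)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s*$"
)

# httpd.log listen entries; "HTTPS" is an assumed spelling for the TLS listener
LISTEN_RE = re.compile(r"Listening for HTTPS? on (?P<addr>\S+):(?P<port>\d+)")


def httpd_listen_ports(log_text):
    """Return the set of TCP ports httpd reports it is listening on."""
    return {int(m.group("port")) for m in LISTEN_RE.finditer(log_text)}


def listening_ports(connections_text):
    """Return the set of local TCP ports in the LISTEN state.

    Junos prints the local address as <addr>.<port>, e.g. "*.443" or
    "192.0.2.1.22", so the port is whatever follows the last dot.
    """
    ports = set()
    for line in connections_text.splitlines():
        m = CONN_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        port = m.group("local").rsplit(".", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def dynamic_vpn_ready(connections_text, port=443):
    """True when the device exposes the port Junos Pulse needs (443 per KB23720)."""
    return port in listening_ports(connections_text)


if __name__ == "__main__":
    print("httpd.log ports:", sorted(httpd_listen_ports(HTTPD_LOG_BEFORE)))
    for label, text in (("before", CONNECTIONS_BEFORE), ("after", CONNECTIONS_AFTER)):
        print(label, "listening:", sorted(listening_ports(text)),
              "dynamic VPN ready:", dynamic_vpn_ready(text))
```

In practice you would feed the script the real output of "show system connections" (for example captured over SSH or from a support bundle) instead of the embedded samples; the parsing is deliberately tolerant of extra whitespace and of the tcp4/tcp46 protocol variants shown in the article.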

Modification History:
2020-06-02: Article reviewed for accuracy; still relevant as DVPN is still used today.