
[SRX] Verify 'HTTPS configuration' step in Dynamic VPN configuration



Article ID: KB17234  KB Last Updated: 16 Dec 2014  Version: 6.0

The steps to verify the 'HTTPS configuration' of a Dynamic VPN configuration are shown, along with the symptoms when it is misconfigured.

This article is a part of the Dynamic VPN Resolution Guide:  KB17220 - Resolution Guide - SRX - Troubleshoot Pulse VPN connections to SRX.



A Dynamic VPN user attempts to connect to the SRX by specifying one of the following:

  • https://<ike external interface for dynamic vpn> login page, OR
  • https://<srx-ip>/dynamic-vpn

and instead receives one of the following browser error messages:

  • Unable to connect - Firefox can't establish a connection to the server at <IP address>
  • This webpage is not available
  • Internet Explorer cannot display the webpage



Note: This article assumes that the user has already confirmed reachability from the PC Client to the SRX. If this hasn't been confirmed, please refer to KB17281 - Verify reachability from PC to SRX.

Perform the following steps to solve the problem:

Step 1  Verify that the HTTPS service is configured properly.

As long as HTTPS is enabled, any interface configured for use by the Dynamic VPN Pulse client (i.e. the external-interface under the IKE gateway being used for Dynamic VPN) will automatically redirect to the Dynamic VPN sign-in page. J-Web access will be disabled on that interface unless the management-url is set up; J-Web will then be accessible only via the management-url. The Dynamic VPN web page will be accessible only on interfaces configured for use by the Dynamic VPN Pulse client. Also, please note that adding a loopback (lo0) interface to the interface list will still disable J-Web entirely and only allow access to the Dynamic VPN portal.

Example configuration:

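root@srx# show system services web-management
http; ##Optional to enable redirect
https {
    system-generated-certificate;
    interface <interface-name>; ##Only if a particular interface is to be redirected
}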

If the HTTPS service is not enabled, use the commands below to enable it:

root@srx# set system services web-management http     ##Optional to enable redirect
root@srx# set system services web-management https system-generated-certificate
root@srx# set system services web-management https interface <interface-name> ##Only required if a particular interface is to be redirected to the Dynamic VPN login page

Step 2  Once you have verified that the HTTPS service is configured, is the user now able to connect to the login page 'https://srx-ip/dynamic-vpn' or https://<ike interface for dynamic vpn>, similar to the page shown below?



Step 3  Is the interface (that the Dynamic VPN client is attempting to connect to) assigned to a security zone, and is HTTPS part of the "Allowed host-inbound traffic" on the interface?

To check this, run the following command, replacing fe-0/0/0.0 with the interface you are using:

root@srx> show interfaces fe-0/0/0.0
  Logical interface fe-0/0/0.0 (Index 68) (SNMP ifIndex 151)
    Flags: SNMP-Traps Encapsulation: ENET2
    Input packets : 8468406
    Output packets: 715
    Security: Zone: untrust   <----------------
    Allowed host-inbound traffic : http https ike ping   <-------------
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 10.10.10/24, Local:,

This can also be checked through the configuration:

root@srx# show security zones security-zone untrust interfaces
fe-0/0/0.0 {
    host-inbound-traffic {
        system-services {
            http; ##Optional to enable redirect
            https;
            ike;
        }
    }
}

  • Yes - Go to Step 4
  • No - Add https with the following commands.  Then continue to Step 4.

    root@srx# set security zones security-zone <zone name> interfaces <interface name> host-inbound-traffic system-services https
    root@srx# commit

Step 4  Is the user now able to connect to the 'https://srx-ip/dynamic-vpn' login page?

  • The "host-inbound-traffic system-services" can also be configured directly under the zone; however, the "host-inbound-traffic system-services" under the interface, as shown above, will override the configuration that is done directly under the zone. For instance, the above configuration assigns the fe-0/0/0.0 interface to the untrust security zone and enables https on it.
  • The ike system-service also needs to be enabled, as it is required for Dynamic VPN as well.
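
The override rule in the notes above is a common reason the login page stays unreachable even though https and ike are allowed on the zone. The following is an added example, not part of the original article or Juniper's tooling: it reads configuration in "set" form, computes the services that are actually in effect on each interface, and reports what Dynamic VPN is still missing. The sample configuration, the interface names and the function names are constructed for illustration; "system-services all" is treated as allowing everything.

```python
import re

REQUIRED = {"https", "ike"}  # services the article says Dynamic VPN needs

# Constructed sample in "set" form; zone and interface names are examples.
SAMPLE_CONFIG = """\
set system services web-management https system-generated-certificate
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/1.0
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic system-services (\S+))?\s*$"
)

def effective_services(config):
    """Map each zoned interface to (zone, effective system-services)."""
    zone_svcs, if_svcs, if_zone = {}, {}, {}
    for line in config.splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        zone, ifname, svc = m.groups()
        if ifname:
            if_zone[ifname] = zone
            if_svcs.setdefault(ifname, set())
            if svc:
                if_svcs[ifname].add(svc)
        elif svc:
            zone_svcs.setdefault(zone, set()).add(svc)
    # An interface-level list, when present, replaces the zone-level one.
    return {i: (z, if_svcs[i] or zone_svcs.get(z, set()))
            for i, z in if_zone.items()}

def missing_for_dynamic_vpn(config, ifname):
    """Required services not allowed on ifname; empty set means OK."""
    eff = effective_services(config)
    if ifname not in eff:
        return set(REQUIRED)  # interface is not assigned to a zone
    services = eff[ifname][1]
    return set() if "all" in services else REQUIRED - services

def https_enabled(config):
    return any(l.strip().startswith("set system services web-management https")
               for l in config.splitlines())
```

In the sample, fe-0/0/0.0 fails the check because its interface-level list contains only ping, while fe-0/0/1.0 passes because it inherits https and ike from the zone.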
