[j-nsp] Junos Pulse / SRX240 problems

Jeff Wheeler jsw at inconcepts.biz
Wed Aug 3 15:40:56 EDT 2011


I have a very simple VPN configuration for a non-uptime-critical
service, with an SRX240H and Dynamic VPN client licenses.  This worked
fine with Junos 10.4R4.5 (JTAC recommended release) and the Juniper
Access Manager client.  However, Dynamic VPN sessions were becoming
"stuck," and hours or days after a user had disconnected, they would
still appear in `show security ike ...` and still consume Dynamic VPN
licenses as reported by `show system licenses`.  The same users were
shown many times, etc.

I have tried 11.1R3.5 and it has solved the stuck IKE associations /
license exhaustion issue, but the Junos Pulse client is not working
well.  JAM does work fine, but the web front-end installs Pulse for
end-users now.  From my test machine, I can sometimes connect the VPN
on the first or second try, but usually have to enter login
credentials at least twice.  Where it gets problematic is if I
disconnect and later attempt to reconnect, I might enter my login and
click continue 50 times before the VPN session is established, if it
ever works at all.  Restarting Pulse does not seem helpful, but
rebooting the PC does.  I have not tried rebooting the SRX, but I find
no entries cleared when issuing `clear security dynamic-vpn all` and
that does not appear to influence the problem.

Before someone asks, since this works perfectly with the JAM client, I
do not think the SRX configuration is any issue.  This config is as
simple as can be, without even a RADIUS server yet.

My impression right now is that the Pulse client is too buggy to
deploy and I should downgrade back to 10.4R4.5 so users will receive
Juniper Access Manager instead.  I have read a few similar opinions on
the Juniper forums.  I would appreciate any thoughts you guys have.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts


