[j-nsp] Junos Pulse / SRX240 problems

Paul Stewart paul at paulstewart.org
Wed Aug 3 16:05:36 EDT 2011


Hi Jeff...

I find this quite interesting as we have a fair number of SRX deployed with
a limited number offering Dynamic VPN.  

I just checked an SRX210 running 10.2R3.10 that we were planning to upgrade
to 10.4R4.5 as per Juniper recommended release.  It does not have this issue
and the dynamic VPN works quite well.

We had a ticket running with Juniper for quite a while on the "multiple
logins" problem - our users are pretty used to entering their credentials
twice each time they connect; however, I was informed today that they haven't
had to do this in quite some time (we have no idea why).

On that particular SRX210 we do have "local logins" working with no RADIUS
server - there was a lot of JTAC confusion that this wasn't supported but
after 2 months of wrestling we got it working just fine.  In fact, we don't
have any Dynamic VPNs running with RADIUS servers to date.  I did notice on
the 10.4R4.5 and higher releases (someone might correct me on the exact
release it was introduced) that local IP pools are now functional - this is
a major feature that should have been incorporated since the first release
in my opinion.

This is all using the Access Manager client - we have not had very good,
reliable success with Pulse either, which is too bad as it seems like it
*will* be a much nicer client to work with.

Most of our customers we have on SA platform which works extremely well
including iPhone, Mac, PC, etc.  Unfortunately this introduces more costs to
customer deployments though.  Pulse does work very well with the SA series
as well.

Hope this helps..

Cheers,

Paul


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wheeler
Sent: Wednesday, August 03, 2011 3:41 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Junos Pulse / SRX240 problems

I have a very simple VPN configuration for a non-uptime-critical
service, with an SRX240H and Dynamic VPN client licenses.  This worked
fine with Junos 10.4R4.5 (JTAC recommended release) and the Juniper
Access Manager client.  However, Dynamic VPN sessions were becoming
"stuck," and hours or days after a user had disconnected, they would
still appear in `show security ike ...` and still consume Dynamic VPN
licenses as reported by `show system licenses`.  The same users were
shown many times, etc.

I have tried 11.1R3.5 and it has solved the stuck IKE associations /
license exhaustion issue, but the Junos Pulse client is not working
well.  JAM does work fine, but the web front-end installs Pulse for
end-users now.  From my test machine, I can sometimes connect the VPN
on the first or second try, but usually have to enter login
credentials at least twice.  Where it gets problematic is if I
disconnect and later attempt to reconnect, I might enter my login and
click continue 50 times before the VPN session is established, if it
ever works at all.  Restarting Pulse does not seem helpful, but
rebooting the PC does.  I have not tried rebooting the SRX, but I find
no entries cleared when issuing `clear security dynamic-vpn all` and
that does not appear to influence the problem.

Before someone asks, since this works perfectly with the JAM client, I
do not think the SRX configuration is any issue.  This config is as
simple as can be, without even a RADIUS server yet.

My impression right now is that the Pulse client is too buggy to
deploy and I should downgrade back to 10.4R4.5 so users will receive
Juniper Access Manager instead.  I have read a few similar opinions on
the Juniper forums.  I would appreciate any thoughts you guys have.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
