[j-nsp] Junos Pulse / SRX240 problems

Eric Hileman nanog at magemojo.com
Wed Aug 3 16:26:34 EDT 2011


Running 10.2R3.10 in the 240H HA cluster at the DC and currently 11.1R1.10
on the SRX210s in the branches.  Have tried different versions on the branches.

The tunnels come up and work for a random amount of time.  Now they don't
come up at all; IKE sessions on both ends are missing responder cookies.  Just
recently we lost power to one of the HA nodes and after coming back online
the tunnels came up.  For about an hour anyway.  Tried clearing security
associations on both ends, restarting web management, all sorts of things.

JTAC's usual response: upgrade to xx.xRx.xx, reboot, etc.  Neither of which
is an option in the core.

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Wednesday, August 03, 2011 4:11 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Junos Pulse / SRX240 problems

What kind of issues are you having site to site?  We have a lot of SRX doing
site to site and haven't had any issues keeping IPSec tunnels in place...

Running 10.4R4.5 on most boxes to date.... just curious...

Thanks,

Paul


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eric Hileman
Sent: Wednesday, August 03, 2011 4:01 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Junos Pulse / SRX240 problems

We've had nothing but bad luck with the Pulse client on our SRX240H HA
cluster.  Right now it's unusable because the license manager thinks licenses
are in use; they're not, but we can't reconnect.  We don't have the clear
command in our version of Junos that you do, so JTAC says reboot 'em, and we can't.

In your case you should be able to go to your service manager, where you'll
find three Juniper Pulse services.  If you manually restart them, your Pulse
client should reconnect.  That's probably what the reboot is doing.

Our site-to-site IPsec VPNs to SRX210Hs are buggy and broken as well...

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wheeler
Sent: Wednesday, August 03, 2011 3:41 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Junos Pulse / SRX240 problems

I have a very simple VPN configuration for a non-uptime-critical
service, with an SRX240H and Dynamic VPN client licenses.  This worked
fine with Junos 10.4R4.5 (JTAC recommended release) and the Juniper
Access Manager client.  However, Dynamic VPN sessions were becoming
"stuck," and hours or days after a user had disconnected, they would
still appear in `show security ike ...` and still consume Dynamic VPN
licenses as reported by `show system licenses`.  The same users were
shown many times, etc.

I have tried 11.1R3.5 and it has solved the stuck IKE associations /
license exhaustion issue, but the Junos Pulse client is not working
well.  JAM does work fine, but the web front-end installs Pulse for
end-users now.  From my test machine, I can sometimes connect the VPN
on the first or second try, but usually have to enter login
credentials at least twice.  Where it gets problematic is if I
disconnect and later attempt to reconnect, I might enter my login and
click continue 50 times before the VPN session is established, if it
ever works at all.  Restarting Pulse does not seem helpful, but
rebooting the PC does.  I have not tried rebooting the SRX, but I find
no entries cleared when issuing `clear security dynamic-vpn all` and
that does not appear to influence the problem.

Before someone asks, since this works perfectly with the JAM client, I
do not think the SRX configuration is any issue.  This config is as
simple as can be, without even a RADIUS server yet.

My impression right now is that the Pulse client is too buggy to
deploy and I should downgrade back to 10.4R4.5 so users will receive
Juniper Access Manager instead.  I have read a few similar opinions on
the Juniper forums.  I would appreciate any thoughts you guys have.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
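Both symptoms in this thread (Jeff's stale IKE entries that keep consuming Dynamic VPN licenses, with the same peer listed many times, and Eric's sessions with no responder cookie) show up in the `show security ike security-associations` table. The following script is an added example, not code from the thread or from Juniper; it parses that table and flags the suspect entries so an operator can spot them before licenses run out. The sample output and column layout are constructed approximations, and the parser reads the column order from the header line because it differs between Junos releases.

```python
from collections import Counter

# Constructed sample output, modelled on `show security ike security-associations`.
# Cookies and addresses are made up; RFC 5737 documentation ranges are used.
SAMPLE_IKE_SA = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1       UP     7c3a5e1f2b4d6a80  91e2f3a4b5c6d7e8  Aggressive     198.51.100.10
2       DOWN   0f1e2d3c4b5a6978  0000000000000000  Aggressive     198.51.100.11
3       UP     a1b2c3d4e5f60718  1122334455667788  Aggressive     198.51.100.10
4       UP     5e6f708192a3b4c5  d6e7f8091a2b3c4d  Main           203.0.113.7
"""

# Older releases print the peer address as the second column; constructed sample.
SAMPLE_OLD_ORDER = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
9       192.0.2.9       UP     aa11bb22cc33dd44  ee55ff6600112233  Main
"""

COLUMNS = ["Index", "State", "Initiator cookie", "Responder cookie",
           "Mode", "Remote Address"]


def parse_ike_sas(text):
    """Return one dict per SA row, keyed by the column labels in COLUMNS."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    # Sort the known labels by where they appear in the header line, so the
    # parser works whether "Remote Address" is the second or the last column.
    order = sorted(COLUMNS, key=lambda col: header.index(col))
    sas = []
    for row in rows:
        fields = row.split()
        if len(fields) != len(order):
            continue  # wrapped or unexpected line; values never contain spaces
        sas.append(dict(zip(order, fields)))
    return sas


def find_stale(sas):
    """Flag SAs with an all-zero responder cookie (the exchange never completed)
    and peers that own more than one SA (the stuck-session symptom)."""
    issues = []
    per_peer = Counter(sa["Remote Address"] for sa in sas)
    for sa in sas:
        if set(sa["Responder cookie"]) == {"0"}:
            issues.append((sa["Index"], "no responder cookie"))
        if per_peer[sa["Remote Address"]] > 1:
            issues.append((sa["Index"], "duplicate SA for peer"))
    return issues


if __name__ == "__main__":
    for index, reason in find_stale(parse_ike_sas(SAMPLE_IKE_SA)):
        print(f"SA index {index}: {reason}")
```

Feed it the real CLI output (for example via `show security ike security-associations | no-more`) and compare the flagged indexes against `show system license` usage to confirm which entries are holding licenses.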

