SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Pulse Secure with Windows 10 (latest two versions)

    Posted 12-02-2020 23:40
    Good evening,

    Over the last year we have been running Windows 10 1909 and the Pulse Secure client 9.1r2. While I have had a few issues here and there it has been mostly stable.

    Recently though I put a machine through an upgrade to Windows 10 2004 and immediately began having issues with the client staying connected. Within minutes I would get disconnected from the VPN and would be prompted to re-enter my credentials. Sometimes this works, sometimes it doesn't. In some cases I have to restart the Pulse Secure service or reboot altogether.

    This goes on for 10-15 minutes with multiple disconnects\reconnects before I get a stable connection.

    Thinking that this might be due to a bad upgrade I wiped the machine and performed a clean install of Windows 10 20H2. The problem continued so I installed the Pulse Secure client 9.1r7 and still it continues.

    I'm looking to do an OS refresh throughout our company, but not while I am facing this issue. Between our normal operations and the additional complications of covid, there is no way I can have our office without a stable VPN solution.

    I've had considerable luck here on the forums, so I thought I would ask the community for their experiences\advice before moving to a TAC case.

    Thanks for any help in advance,
    Michael


  • 2.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-03-2020 16:25
    Hi Michael and Juniper community,

    Thanks for your post. We are seeing similar issues at our organization where we have set a Windows 10 Enterprise v1909 or newer goal, many of us have v2004 or v20H2 because Microsoft has been pushing 20H2 since around October 2020.

    Our symptoms are inability to connect at all to the VPN via the Pulse Secure app and I've also test v9.1r7 of Junos Pulse in addition to the v9.1r2 that all the rest of our employees use. The client Junos Pulse connection fails before prompting for a password and gives the error 1453.

    Our systems are as follows:
    Model: srx345
    Junos: 18.4R3-S4.2
    JUNOS Software Release [18.4R3-S4.2]

    Client PC's run Windows 10 Enterprise v1909,v2004,and v20H2 (We've tested 1909 and 20H2)
    Junos Pulse Secure Client Application v9.1r2

    Given what we know, I'm thinking that our issue stems from a firmware update we did a couple of months ago, but I haven't been able to pinpoint that for sure.

    If you don't mind sharing, which version of firmware and which SRX model are you running?
    Thanks,
    Alan



  • 3.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-03-2020 17:44
    Hi Alan,

    Sure, we are running a SRX340. We are currently on  JUNOS 18.2R3.4.

    We updated to this version earlier this year to mitigate some other VPN issues we were having and haven't had any issues since so I haven't looked into updating it further. As it is right now all of our employees are using Junos Pulse Secure Client v9.1r2 without many issues. Since I am the only one that has moved to a later version of Windows and I haven't heard of any issues from anyone else I am pretty sure that we are dealing with a client side issue. I don't want to risk breaking the rest of the office with an firmware upgrade until I have further information on this behavior.

    Michael


  • 4.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-03-2020 20:00
    A lot has changed with Juniper SRX remote access client vpn over the last several years.  There are three solutions at present.
    • Pulse Secure - stopped sale about 3 years ago but still under some support for current licenses
    • NCP client - replacement to Pulse secure and still in both sale and support
    • Juniper Secure Connect - just released this year option for sales going forward
    This is the current instructions for Pulse Secure that also has the download link to the newest available clients.  To keep going forward with Pulse you will probably need to get and deploy the latest client and keep up to date.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html
    This same documentation page has links for both the other options as well.

    And if you want to look into migrating to the current solution of Juniper Secure connect that process is outlined here.

    https://www.juniper.net/documentation/en_US/junipersecureconnect/topics/topic-map/secure-connect-getting-started-migrating-users.html

    I am not sure how license transfer and support works for migrations.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-03-2020 21:13

    Good Evening spuluka,

    I will start by saying.....ugh....

    Now that my moaning is out of the way, I can't say I've stayed up on all of the latest so this is news to me. We bought our licenses for dynamic vpn at the end of 2019 and it took me a LOT of trial and error to get that working. (To be fair by background is not in networking and I was learning JunOS at the same time I was trying to get this up and running).

    I did look at NCP at the time and while I was interested in the product, it was outside the scope of what I could take on at the time. If Juniper is pushing their own solution then I guess that should be the selected alternative since I would expect them to phase out third party applications over time in favor of their own products.

    I've reviewed the documentation and unfortunately it almost immediately addresses my initial concern. It is recommended that I don't keep the dynamic vpn configured when switching over to Juniper Secure Connect. This causes me a great deal of concern since I wholly don't expect to get the configuration working the first time over night and will need to make sure a VPN solution is operational at almost all times.

    That being said, I can reach out to my reseller to see what my options for licensing are, but I am more concerned about implementation.

    I'll just go ahead and put this out there here and now, does anyone offer their services for this type of setup and configuration?

    I'm definitely stuck between a rock and a hard place with this news and the behavior of the latest Pulse Secure client.

    Thanks,
    Michael




  • 6.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-04-2020 18:35

    Michael, thanks for sharing your SRX model and firmware with us.

    This evening we were able to successfully update (downgrade) our firmware to JUNOS 18.2R3.4, as you had mentioned you are running. Following installation and reboot the VPN connection once again worked as intended and we don't even seem to have any problems with Windows 10 Enterprise v20H2 as the client OS. I will warn you that I merely connected and confirmed on the SRX's junos cli that the connection looked good. I did not test it long enough to see any dropped connection or re-prompting for passwords, but the preliminary results are better than the errors we had on all client PC's connecting via dynamic vpn.

    Steve, thanks for the update on Juniper's recommendations I honestly hadn't heard of the Juniper Secure Connect service, but I will make a point to recommend or at least investigate that in the future.

    For now, I'm wrapping up my time consulting with FlexGen next week, so obviously the quicker solution of rolling back the firmware was the winner this time around.

    If anyone at JTAC comes across this message - please reconsider your recommended firmware release for any users that have dynamic-vpn licenses in use. The 18.4 junos version appears to break this connection, whereas 18.2 junos version and older do not.

    Many thanks again to each of you, and good luck with getting things setup. I can say from looking into the Microsoft side of things myself that they got aggressive with the updates and recommended you moving up from v1909 earlier this year and then eased back on that support EOL timeline at some point during the summer citing the pandemic as a reason for relaxing it. If you're on Enterprise licenses the fall releases are supported for 30 months, or 2.5 years, which means that you'll be all set until summer of 2022 on v1909.

    Obviously consult Microsoft for a more authoritative timeline: https://docs.microsoft.com/en-us/lifecycle/faq/windows#windows-10

    Thanks,
    -Alan




  • 7.  RE: Pulse Secure with Windows 10 (latest two versions)

    Posted 12-05-2020 12:10

    Alan,

    Thanks for the additional information on the MS side of things. Traditionally they have a habit of eventually shoving updates down your throat regardless of your decision to block their feature updates. Good to know that they are continuing to allow 1909 to remain in place for an extended period of time, this should give me more than ample time to continue my testing, migrating VPNs, or waiting for Juniper to release another update.

    After spending more time with this client the behavior is consistent at least, albeit extremely bizzare.

    Upon initial connection I am good anywhere from 5-20 minutes then I get the disconnect and prompt to reconnect to the VPN. Within a minute I am disconnected again, but this time my wireless connection is also terminated. When the VPN password prompts this time I have to reconnect to my wireless network and then log into the VPN. For the next two or three minutes I am prompted multiple times for the VPN password. After 3-5 password prompts the VPN connection then remains stable for hours. It is the oddest thing.

    It almost certainly has to be a client side issue and I am not convinced it isn't the driver on this device (I am running a 2019 Surface Pro Book 2 where I am seeing the issues). I've not found any additional drivers to test.

    I'm going to be testing on a number of different models in the next couple of weeks to see if the behavior is present on other devices as well. Since the experience has been consistent I thought I would post the additional information to the thread.