JUNOS Software Release [18.4R3-S4.2]
Good Evening spuluka,I will start by saying.....ugh....
Now that my moaning is out of the way, I can't say I've stayed up on all of the latest so this is news to me. We bought our licenses for dynamic vpn at the end of 2019 and it took me a LOT of trial and error to get that working. (To be fair by background is not in networking and I was learning JunOS at the same time I was trying to get this up and running).I did look at NCP at the time and while I was interested in the product, it was outside the scope of what I could take on at the time. If Juniper is pushing their own solution then I guess that should be the selected alternative since I would expect them to phase out third party applications over time in favor of their own products.I've reviewed the documentation and unfortunately it almost immediately addresses my initial concern. It is recommended that I don't keep the dynamic vpn configured when switching over to Juniper Secure Connect. This causes me a great deal of concern since I wholly don't expect to get the configuration working the first time over night and will need to make sure a VPN solution is operational at almost all times.That being said, I can reach out to my reseller to see what my options for licensing are, but I am more concerned about implementation.
I'll just go ahead and put this out there here and now, does anyone offer their services for this type of setup and configuration?I'm definitely stuck between a rock and a hard place with this news and the behavior of the latest Pulse Secure client.Thanks,Michael
Michael, thanks for sharing your SRX model and firmware with us.This evening we were able to successfully update (downgrade) our firmware to JUNOS 18.2R3.4, as you had mentioned you are running. Following installation and reboot the VPN connection once again worked as intended and we don't even seem to have any problems with Windows 10 Enterprise v20H2 as the client OS. I will warn you that I merely connected and confirmed on the SRX's junos cli that the connection looked good. I did not test it long enough to see any dropped connection or re-prompting for passwords, but the preliminary results are better than the errors we had on all client PC's connecting via dynamic vpn.Steve, thanks for the update on Juniper's recommendations I honestly hadn't heard of the Juniper Secure Connect service, but I will make a point to recommend or at least investigate that in the future.
For now, I'm wrapping up my time consulting with FlexGen next week, so obviously the quicker solution of rolling back the firmware was the winner this time around.If anyone at JTAC comes across this message - please reconsider your recommended firmware release for any users that have dynamic-vpn licenses in use. The 18.4 junos version appears to break this connection, whereas 18.2 junos version and older do not.Many thanks again to each of you, and good luck with getting things setup. I can say from looking into the Microsoft side of things myself that they got aggressive with the updates and recommended you moving up from v1909 earlier this year and then eased back on that support EOL timeline at some point during the summer citing the pandemic as a reason for relaxing it. If you're on Enterprise licenses the fall releases are supported for 30 months, or 2.5 years, which means that you'll be all set until summer of 2022 on v1909.
Obviously consult Microsoft for a more authoritative timeline: https://docs.microsoft.com/en-us/lifecycle/faq/windows#windows-10Thanks,-Alan
Alan,Thanks for the additional information on the MS side of things. Traditionally they have a habit of eventually shoving updates down your throat regardless of your decision to block their feature updates. Good to know that they are continuing to allow 1909 to remain in place for an extended period of time, this should give me more than ample time to continue my testing, migrating VPNs, or waiting for Juniper to release another update.After spending more time with this client the behavior is consistent at least, albeit extremely bizzare.Upon initial connection I am good anywhere from 5-20 minutes then I get the disconnect and prompt to reconnect to the VPN. Within a minute I am disconnected again, but this time my wireless connection is also terminated. When the VPN password prompts this time I have to reconnect to my wireless network and then log into the VPN. For the next two or three minutes I am prompted multiple times for the VPN password. After 3-5 password prompts the VPN connection then remains stable for hours. It is the oddest thing.
It almost certainly has to be a client side issue and I am not convinced it isn't the driver on this device (I am running a 2019 Surface Pro Book 2 where I am seeing the issues). I've not found any additional drivers to test.
I'm going to be testing on a number of different models in the next couple of weeks to see if the behavior is present on other devices as well. Since the experience has been consistent I thought I would post the additional information to the thread.