SRX




  • 1.  Secure Connect vpn connection problem.

    Posted 21 days ago

    Hi, could you please help me with advice? I'm not a professional with Juniper (at least not yet :)) and am faced with the following problem. I have an SRX345 on my platform, and I decided to configure a VPN connection for a remote user using Secure Connect. As an installation guide I used this video: https://www.youtube.com/watch?v=uB54u-4cFGo and repeated everything step by step as in the video. As a result, after performing all the configuration as in the video, I successfully connected to my SRX345 using the Windows and iPhone Secure Connect clients. But! The next day this installation stopped working. The client showed:


    A reboot of the SRX solves the problem for some time (I can't say for how long, an hour or a few hours), but afterwards the connection issue comes back. And it doesn't matter whether I try to connect to the SRX after the reboot or not; after some time has passed, connection is impossible. I tried to capture the HTTPS packets both when the connection is established successfully and when it is not, using 'security flow traceoptions' on the SRX, and found that the session is being blocked by the plugin junos-remote-access-gw:

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:[JSF]Normal interest check. regd plugins 44, enabled impl mask 0x0

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT: plugin junos-remote-access-gw(42) aborted sess creation. rc 6

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT: packet dropped, plugin interest check failed

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT:flow_initiate_first_path: first pak no session

    Nov 12 16:04:52 16:04:52.522733:CID-0:RT: flow find session returns error.

    What could be the reason for this issue?

    In addition, I don't have any problems or warnings during configuration using the CLI, but I see the warning 'Adding Global address is not allowed, when zone based address is defined' in J-Web when I try to check the VPN configuration there.


    I'm actually using the public interface on the interface which faces the Internet, and I can't find any restriction about that in the documentation for Secure Connect.

    Thank you very much in advance for your ideas!



    ------------------------------
    VLADIMIR
    ------------------------------
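
An added example, not part of the original posts: a small parser for flow traceoptions output in the format shown above that pulls out each "plugin ... aborted sess creation" event together with the drop reason logged after it, so recurring failures can be counted per plugin and return code. The sample lines are copied from the post; the function names are assumptions of this example, and no meaning is assigned to the `rc` value.

```python
import re
from collections import Counter

# Sample lines copied from the trace in the post above (repeated lines trimmed).
SAMPLE_TRACE = """\
Nov 12 16:04:52 16:04:52.522733:CID-0:RT:[JSF]Normal interest check. regd plugins 44, enabled impl mask 0x0
Nov 12 16:04:52 16:04:52.522733:CID-0:RT:get NULL sess plugin info 0xd3849e8
Nov 12 16:04:52 16:04:52.522733:CID-0:RT: plugin junos-remote-access-gw(42) aborted sess creation. rc 6
Nov 12 16:04:52 16:04:52.522733:CID-0:RT: packet dropped, plugin interest check failed
Nov 12 16:04:52 16:04:52.522733:CID-0:RT:flow_initiate_first_path: first pak no session
Nov 12 16:04:52 16:04:52.522733:CID-0:RT: flow find session returns error.
"""

# "<syslog date> <hh:mm:ss.usec>:CID-n:RT:<message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<ts>[\d:.]+):CID-\d+:RT:\s*(?P<msg>.*)$")
ABORT = re.compile(r"plugin (?P<name>[\w-]+)\((?P<id>\d+)\) aborted sess creation\. rc (?P<rc>\d+)")
DROP = re.compile(r"packet dropped,\s*(?P<reason>.+)")


def find_plugin_aborts(trace_text):
    """Return one dict per plugin abort, with the drop reason that follows it."""
    events = []
    pending = None  # most recent abort still waiting for its "packet dropped" line
    for raw in trace_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a flow trace line; ignore
        msg = line.group("msg")
        abort = ABORT.search(msg)
        if abort:
            pending = {
                "time": line.group("ts"),
                "plugin": abort.group("name"),
                "plugin_id": int(abort.group("id")),
                "rc": int(abort.group("rc")),
                "drop_reason": None,
            }
            events.append(pending)
            continue
        drop = DROP.search(msg)
        if drop and pending is not None and pending["drop_reason"] is None:
            pending["drop_reason"] = drop.group("reason").strip()
    return events


def summarize(events):
    """Count aborts per (plugin, rc) pair to show which plugin keeps rejecting sessions."""
    return Counter((e["plugin"], e["rc"]) for e in events)
```
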


  • 2.  RE: Secure Connect vpn connection problem.

     
    Posted 21 days ago
    From the description it sounds like the version of Junos you are running currently has a software bug.  You could try to verify the bug number and find the version where this is corrected by searching the problem under your current version in the bug list.  Juniper refers to these as problem reports or PR.  If the bug is publicly listed it will tell you what you need to upgrade to clear the issue.

    https://prsearch.juniper.net/InfoCenter/index?page=prsearch

    You could also just try upgrading to the current recommended version by support to see if it clears the issue.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476#srx_series

    If neither of these appeals, you can open a support case and have the JTAC engineer do the leg work from your provided logs.

    https://supportportal.juniper.net/s/

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Secure Connect vpn connection problem.

    Posted 20 days ago

    Thank you for your advice.

    I forgot to mention in my post describing the problem that I have SW 20.1 R1.12 on my SRXes.

    I've found almost the same reported issue in the 'Problem Report Search' (PR1571326).

    I'll do the SW upgrade to the latest version and check again.



    ------------------------------
    VLADIMIR
    ------------------------------



  • 4.  RE: Secure Connect vpn connection problem.

    Posted 7 days ago

    Hello Steve!

    Thank you, it really was a problem with the software. I've updated the SW to 21.3R1.9 and don't see the issue with the Secure Connect VPN connection, at least for now.

    Could you please advise which VPN client I should use on Linux machines for Secure Connect VPN? There is no Linux client app available for download from the Juniper website.



    ------------------------------
    VLADIMIR
    ------------------------------



  • 5.  RE: Secure Connect vpn connection problem.

     
    Posted 6 days ago
    I'm afraid there is no supported Linux client right now.  The old client they had, Pulse Secure, did offer one, but I'm pretty sure that no longer works after many of the updates over the last few years.

    For Linux you could look into installing an open source IPsec client like strongSwan.  And then you could connect to the SRX by setting up an IPsec VPN as the target expecting DHCP clients with either certificates or remote IKE ID names instead of a static address.  This also would not use any of your dynamic client licenses.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------