Since upgrading from Junos 12.1X44 to 12.1X46-D40.2 we haven't been able to connect using the Pulse Client.
When connecting we get the error 1454. When running show security dynamic-vpn client version, we get the error abnormal communication termination with web-management daemon.
We've already tried power cycling the router and also tried to restart the web-management service, however we had no luck.
One last thing, this router is part of a chassis cluster, but I don't see how that'd be an issue when it has worked in the past.
Thanks in advance for any help 🙂
The error is attached as error1, when you click on it you get the error2 window.
Already tried several times with the restart web-management with no luck.
What version of the Junos Pulse client are you using? You have to upgrade your client to use Dynamic VPN with the latest version of Junos and from your error message that seems to be the problem.
I think this is the latest version of the client (I downloaded it about two weeks ago): ps-pulse-win-5.1r6.0-b61491
Once I had the same issue, take a look at:
If that doesn't help, try the following:
Basic Dynamic-VPN troubleshooting commands

1- Set up the traceoptions
    # set security ike traceoptions file ike-debug
    # set security ike traceoptions flag all
    # set security ipsec traceoptions flag all
    # commit
    # run clear log ike-debug
2- Now try to connect and run this show command
    # run show log ike-debug | match ike
--------------------------------------------------
Clearing the Token Info

1- Run the shell, and execute this command:
    admin@Abed> start shell
    % rm -rf /var/db/dynamic-vpn-ipsec/tokens-info
    % cli
2- Now, restart the web-management
    admin@Abed> restart web-management
    Web management gatekeeper process started, pid 8500
--------------------------------------------------
    # set system processes general-authentication-service traceoptions flag all
    # commit
    > show log authd
--------------------------------------------------
    restart ipsec-key-management
--------------------------------------------------
    clear security dynamic-vpn ? << all/user >>
--------------------------------------------------
For VPN debugging, which enables logging to the KMD log by default without the need to commit:
    > request security ike debug-enable local <ip-address> remote <ip-address> level <level>
and to turn off:
    > request security ike debug-disable
Review logs written to /var/log/kmd:
    > show log kmd
Checking the debug status:
    > show security ike debug-status
For taking a tcpdump of an interface to analyze with Wireshark or similar (Hidden command):
    > monitor traffic interface ge-0/0/1.0 write-file test.pcap
Can be viewed on the SRX also (Hidden command):
    > monitor traffic read-file test.pcap
--------------------------------------------------
I recommend those three websites!
http://chimera.labs.oreilly.com/books/1234000001633/ch10.html
http://rtoodtoo.net/jncie-sec-traceoptions-ipsec-troubleshooting/
http://itzecurity.blogspot.co.il/2013/08/vpn-configuration-and-troubleshooting.html
A week ago I found a PR regarding this. It stated this is a regression bug introduced in 12.1X46-D40.
Downgraded to -D35, and it works fine.
Unfortunately, now I'm not able to find the exact PR again.
(found it: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780 BTW, PR search is s***t)
If you have active support, call JTAC, they should know when it will be fixed.
So I downgraded to D35 and it has fixed the issue as suggested.
Thanks for your help 🙂
Just wanted to say I did the same thing, and my SRX210's dynamic VPN is working now. You still can't download the client from the SRX anymore on this version FYI.
Does it work with the Mac client for anyone?
The bug is also present in 12.1X46-D40.2
I am 99% sure this is due to them removing the vpn client download and borking the whole auth process.
> show security dynamic-vpn client version
error: abnormal communication termination with web-management daemon
When is the fix coming? Rolling back to previous version is never a nice thing, since we do upgrade to get the latest security fixes. Or is there no plan to actually fix this? We bought a pile of dynamic vpn licenses and they are useless. Last release was months ago...
Sorry if I am bitter after hours lost troubleshooting this.
The download links were removed way before D40.
Also, I tried downloading the latest Pulse release (61491) and the issue still happens. Going to contact JTAC next week after the holidays.
I've just run into this one as well.
So I'm looking at PR1135780 and it says it's Major Severity but it's Closed supposedly fixed in 15.1X49-D30.
We are on 220H2 devices which don't support this branch. So what does this mean; are Juniper ever going to fix it or are we now stuck forever on older firmware? I've had a brief chat with JTAC on this and so far it doesn't look like a fix is ever coming for this platform.
I've never had so much trouble with a firewall and VPNs in my life. First there was the sell off of Pulse and I've had nothing but trouble with them trying to get access to the latest Pulse Secure software and now Juniper bork it completely and won't fix it.
Guess I'll have to roll back.
Fix will be available in future releases for 12.1X44/46/47 trains.
This is the PR just in case you need it https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780
They must be joking...
Junos OS Release 15.1X49 does not support branch SRX Series devices or SRX1400, SRX3400, or SRX3600 devices.
If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).
So does this mean this will not be fixed ever?