SRX


SRX Dynamic VPN Issue

  • 1.  SRX Dynamic VPN Issue

    Posted 12-15-2015 22:11

    Since upgrading from Junos 12.1X44 to 12.1X46-D40.2 we haven't been able to connect using the Pulse Client. 

     

    When connecting we get the error 1454. When running show security dynamic-vpn client version, we get the error abnormal communication termination with web-management daemon.

     

    We've already tried power cycling the router and also tried to restart the web-management service, however we had no luck.

     

    One last thing, this router is part of a chassis cluster, but I don't see how that'd be an issue when it has worked in the past.

     

    Thanks in advance for any help 🙂

     

    Cheers,

     

    Glenn



  • 2.  RE: SRX Dynamic VPN Issue

     
    Posted 12-15-2015 22:30
    Can you share the complete error messages? Also try "restart web-management".


  • 3.  RE: SRX Dynamic VPN Issue

    Posted 12-15-2015 22:44

    The error is attached as error1, when you click on it you get the error2 window.

     

    Already tried several times with the restart web-management with no luck.

     



  • 4.  RE: SRX Dynamic VPN Issue

    Posted 12-15-2015 23:23

    What version of the Junos Pulse client are you using? You have to upgrade your client to use Dynamic VPN with the latest version of Junos, and from your error message that seems to be the problem.

     

    I think this is the latest version of the client (I downloaded it about two weeks ago): ps-pulse-win-5.1r6.0-b61491



  • 5.  RE: SRX Dynamic VPN Issue

    Posted 12-15-2015 22:41

    Hi,

     

    Once I had the same issue, take a look at:

    http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Dynamic-VPN-Version/td-p/278324

     

    If that doesn't help, try the following:


    Basic Dynamic-VPN troubleshooting commands

    1- Setup the traceoptions

    # set security ike traceoptions file ike-debug

    # set security ike traceoptions flag all

    # set security ipsec traceoptions flag all

    # commit

    # run clear log ike-debug

    2- Now try to connect and run this show command

    # run show log ike-debug | match ike

    ————————————————————————–

    Clearing the Token Info

    1- run the shell, and execute this command :

    admin@Abed> start shell

    % rm -rf /var/db/dynamic-vpn-ipsec/tokens-info

    % cli

    2- Now, restart the web-management

    admin@Abed> restart web-management

    Web management gatekeeper process started, pid 8500

    ————————————————————————–

    # set system processes general-authentication-service traceoptions flag all

    # commit

    > show log authd

    ————————————————————————–

    restart ipsec-key-management

    ————————————————————————–

    clear security dynamic-vpn ? << all/user >>

    ————————————————————————–

     

    For VPN debugging, which enables logging to the KMD log by default without the need to commit:

    >request security ike debug-enable local <ip-address> remote <ip-address> level <level>

     and to turn off:

    >request security ike debug-disable

    Review logs written to /var/log/kmd:

    > show log kmd

    Checking the debug status:

    > show security ike debug-status

    For taking a tcpdump of an interface to analyze with Wireshark or similar (Hidden command):

    >monitor traffic interface ge-0/0/1.0 write-file test.pcap

     Can be viewed on the SRX also (Hidden command):

    >monitor traffic read-file test.pcap

    ————————————————————————–

    I recommend these three websites!

    http://chimera.labs.oreilly.com/books/1234000001633/ch10.html

    http://rtoodtoo.net/jncie-sec-traceoptions-ipsec-troubleshooting/

    http://itzecurity.blogspot.co.il/2013/08/vpn-configuration-and-troubleshooting.html



  • 6.  RE: SRX Dynamic VPN Issue
    Best Answer

    Posted 12-16-2015 00:43

    A week ago I found a PR regarding this. It stated this is a regression bug introduced in 12.1X46-D40.

    Downgraded to -D35, and it works fine.

    Unfortunately, now I'm not able to find the exact PR again.

    (found it: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780 BTW, PR search is s***t)

    If you have active support, call JTAC, they should know when it will be fixed.

     

    Regards,

    Mircho



  • 7.  RE: SRX Dynamic VPN Issue

    Posted 12-16-2015 02:49
    That's what I did, as I mentioned 🙂


  • 8.  RE: SRX Dynamic VPN Issue

    Posted 12-16-2015 19:34

    So I downgraded to D35 and it has fixed the issue as suggested.

     

    Thanks for your help 🙂

     

    Cheers

     

    Glenn



  • 9.  RE: SRX Dynamic VPN Issue

    Posted 12-29-2015 15:32

    Just wanted to say I did the same thing, and my SRX210's dynamic VPN is working now. You still can't download the client from the SRX anymore on this version FYI.

     

    Thanks,



  • 10.  RE: SRX Dynamic VPN Issue

    Posted 01-02-2016 11:01

    Does it work with mac client for anyone?



  • 11.  RE: SRX Dynamic VPN Issue

    Posted 12-21-2015 06:27

    The bug is also present in 12.1X46-D40.2

     

    I am 99% sure this is due to them removing the vpn client download and borking the whole auth process.

     

    > show security dynamic-vpn client version                            
    error: abnormal communication termination with web-management daemon

    When is the fix coming? Rolling back to a previous version is never a nice thing, since we do upgrade to get the latest security fixes. Or is there no plan to actually fix this? We bought a pile of dynamic vpn licenses and they are useless. Last release was months ago...

     

    Sorry if I am bitter after hours lost troubleshooting this.



  • 12.  RE: SRX Dynamic VPN Issue

    Posted 12-24-2015 13:52

    The download links were removed way before D40.

     

    Also, I tried downloading the latest Pulse release (61491) and the issue still happens. Going to contact JTAC next week after the holidays.



  • 13.  RE: SRX Dynamic VPN Issue

    Posted 01-13-2016 13:13

    I've just run into this one as well.

     

    So I'm looking at PR1135780 and it says it's Major Severity but it's Closed supposedly fixed in 15.1X49-D30.

     

    We are on 220H2 devices which don't support this branch. So what does this mean; are Juniper ever going to fix it or are we now stuck forever on older firmware? I've had a brief chat with JTAC on this and so far it doesn't look like a fix is ever coming for this platform.

     

    I've never had so much trouble with a firewall and VPNs in my life. First there was the sell off of Pulse and I've had nothing but trouble with them trying to get access to the latest Pulse Secure software and now Juniper bork it completely and won't fix it.

     

    Guess I'll have to rollback.



  • 14.  RE: SRX Dynamic VPN Issue

     
    Posted 01-14-2016 01:20

    Fix will be available in future releases for 12.1X44/46/47 trains.

     

    Regards,

    Raveen



  • 15.  RE: SRX Dynamic VPN Issue

    Posted 12-28-2015 15:32

    This is the PR just in case you need it https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1135780

     

    Regards



  • 16.  RE: SRX Dynamic VPN Issue

    Posted 12-29-2015 01:03

    They must be joking... 

    Resolved In 15.1X49-D30

     

    Junos OS Release 15.1X49 does not support branch SRX Series devices or SRX1400, SRX3400, or SRX3600 devices.

    If you have any questions concerning this notification, please contact the Juniper Networks Technical Assistance Center (JTAC).

     

    So does this mean this will not be fixed ever?