SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Error - Monitor: Configuration download - No config file for the realm

    Posted 04-04-2023 17:24

    The "No config file for the realm" error occurs during the configuration of the Juniper Secure Connect remote access VPN. 
    I tried to create a realm, but I couldn't find the option in the J-Web interface.
    Also, I couldn't find a solution in the manufacturer's documentation.

    How can I resolve this error and configure the remote access VPN correctly?



    ------------------------------
    ALEXANDRU GHERGHE
    ------------------------------


  • 2.  RE: Error - Monitor: Configuration download - No config file for the realm

    Posted 10-06-2023 10:42

    Hi @Juniper Team,

    I have set up the JSC SSL VPN on the new vSRX release 22.2R2-S2.3 and it gives the error shown below, while in the past we have established JSC VPN connections several times, which worked perfectly fine on the vSRX 21 release.

    Can you please check whether this is a bug or Juniper has changed the JSC configuration steps for the new release? If so, please provide us with the latest configuration.

    I am following this document for JSC Configuration using J-Web

    https://www.juniper.net/documentation/us/en/software/secure-connect/secure-connect-administrator-guide/topics/topic-map/local-authentication-with-local-ip-pool.html

    Error I am facing

    Configuration I am using:
    
    
    
    set security ike proposal jsc-ssl-vpn authentication-method pre-shared-keys
    set security ike proposal jsc-ssl-vpn dh-group group19
    set security ike proposal jsc-ssl-vpn authentication-algorithm sha-256
    set security ike proposal jsc-ssl-vpn encryption-algorithm aes-256-cbc
    set security ike proposal jsc-ssl-vpn lifetime-seconds 28800
    
    set security ike policy jsc-ssl-vpn mode aggressive
    set security ike policy jsc-ssl-vpn proposals jsc-ssl-vpn
    set security ike policy jsc-ssl-vpn pre-shared-key ascii-text 'xyz'
    
    set security ike gateway jsc-ssl-vpn ike-policy jsc-ssl-vpn
    set security ike gateway jsc-ssl-vpn dynamic user-at-hostname "abc@lab.net"
    set security ike gateway jsc-ssl-vpn dynamic ike-user-type shared-ike-id
    set security ike gateway jsc-ssl-vpn dead-peer-detection optimized
    set security ike gateway jsc-ssl-vpn dead-peer-detection interval 10
    set security ike gateway jsc-ssl-vpn dead-peer-detection threshold 5
    set security ike gateway jsc-ssl-vpn external-interface ae1.0
    set security ike gateway jsc-ssl-vpn local-address a.b.c.d
    set security ike gateway jsc-ssl-vpn aaa access-profile jsc-access-profile-new
    set security ike gateway jsc-ssl-vpn version v1-only
    set security ike gateway jsc-ssl-vpn tcp-encap-profile jsc-termination
    
    set security ipsec proposal jsc-ssl-vpn protocol esp
    set security ipsec proposal jsc-ssl-vpn encryption-algorithm aes-256-gcm
    set security ipsec proposal jsc-ssl-vpn lifetime-seconds 3600
    
    set security ipsec policy jsc-ssl-vpn perfect-forward-secrecy keys group19
    set security ipsec policy jsc-ssl-vpn proposals jsc-ssl-vpn
    
    set security ipsec vpn jsc-vpn-sydney bind-interface st0.0
    set security ipsec vpn jsc-vpn-sydney df-bit clear
    set security ipsec vpn jsc-vpn-sydney copy-outer-dscp
    set security ipsec vpn jsc-vpn-sydney ike gateway jsc-ssl-vpn
    set security ipsec vpn jsc-vpn-sydney ike ipsec-policy jsc-ssl-vpn
    set security ipsec vpn jsc-vpn-sydney traffic-selector ts-1 local-ip 0.0.0.0/0
    set security ipsec vpn jsc-vpn-sydney traffic-selector ts-1 remote-ip 0.0.0.0/0
    
    set security remote-access profile jsc-ssl-vpn ipsec-vpn jsc-vpn-sydney
    set security remote-access profile jsc-ssl-vpn access-profile jsc-access-profile-new
    set security remote-access profile jsc-ssl-vpn client-config jsc-ssl-vpn
    
    set security remote-access profile jsc-vpn-sydney ipsec-vpn jsc-vpn-sydney
    set security remote-access profile jsc-vpn-sydney access-profile jsc-access-profile-new
    set security remote-access profile jsc-vpn-sydney client-config jsc-ssl-vpn
    
    set security remote-access client-config jsc-ssl-vpn connection-mode manual
    set security remote-access client-config jsc-ssl-vpn dead-peer-detection interval 60
    set security remote-access client-config jsc-ssl-vpn dead-peer-detection threshold 5
    
    set security remote-access default-profile jsc-vpn-sydney
    set security tcp-encap profile jsc-termination ssl-profile jsc-termination-new
    set services ssl termination profile jsc-termination-new server-certificate JSC-CERTIFICATE
    
    
    set access address-assignment pool jsc-access-pool family inet network 10.10.0.0/24
    set access address-assignment pool jsc-access-pool family inet range jsc-access-pool-range low 10.10.0.2
    set access address-assignment pool jsc-access-pool family inet range jsc-access-pool-range high 10.10.0.250
    set access firewall-authentication web-authentication default-profile jsc-access-profile
    set access profile jsc-access-profile address-assignment pool jsc-pool
    set access profile jsc-access-profile-new address-assignment pool jsc-access-pool
    set access profile jsc-access-profile client abc firewall-user password xyz
    
    

    Also, I am unchecking the default profile option in the Remote Users section of JSC; there is no other option under IPsec > Global Settings to give a custom profile for the realm.





    ------------------------------
    Muhammad Jamal Akbar
    ------------------------------



  • 3.  RE: Error - Monitor: Configuration download - No config file for the realm

    Posted 10-16-2023 16:04
    Edited by GAVIN WHITE 10-16-2023 16:04

    Hi Muhammad,

    We had a similar issue here and found that removing the tcp-encap profile resolved the issue. This introduces a new problem, however: J-Web is now accessible from the outside world, and we are waiting on Juniper development to release a fix for this issue by the end of this year.

    We have a working JSC configuration on 22.2 and the differences are as follows...

    set system services web-management https port 8443
    set system services web-management https pki-local-certificate jsc-ssl-vpn
    delete security ike gateway jsc-ssl-vpn tcp-encap-profile jsc-termination
    delete security tcp-encap profile jsc-termination ssl-profile jsc-termination-new
    delete services ssl termination profile jsc-termination-new server-certificate JSC-CERTIFICATE

    Not entirely ideal, but will get you operational.



    ------------------------------
    GAVIN WHITE
    ------------------------------
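
The following is an added example, not part of the thread and not Juniper tooling: a small Python review aid that applies the set/delete delta from reply 3 to an excerpt of the configuration from reply 2 and lists what changes for a reviewer, including the J-Web HTTPS statement the workaround introduces. The function names and the flat line-based model of the configuration are assumptions of this sketch; it does not reproduce Junos commit behaviour.

```python
import re
# Excerpt of the set-style configuration posted in reply 2 (not the full config).
POSTED = """
set security ike gateway jsc-ssl-vpn ike-policy jsc-ssl-vpn
set security ike gateway jsc-ssl-vpn tcp-encap-profile jsc-termination
set security tcp-encap profile jsc-termination ssl-profile jsc-termination-new
set services ssl termination profile jsc-termination-new server-certificate JSC-CERTIFICATE
set access profile jsc-access-profile address-assignment pool jsc-pool
set access profile jsc-access-profile-new address-assignment pool jsc-access-pool
set access address-assignment pool jsc-access-pool family inet network 10.10.0.0/24
""".splitlines()

# Delta posted in reply 3.
DELTA = """
set system services web-management https port 8443
set system services web-management https pki-local-certificate jsc-ssl-vpn
delete security ike gateway jsc-ssl-vpn tcp-encap-profile jsc-termination
delete security tcp-encap profile jsc-termination ssl-profile jsc-termination-new
delete services ssl termination profile jsc-termination-new server-certificate JSC-CERTIFICATE
""".splitlines()

def apply_delta(config, delta):
    """Flat model: 'delete P' drops statement P and every statement under P."""
    cfg = [l.strip() for l in config if l.strip().startswith("set ")]
    for line in (l.strip() for l in delta):
        if line.startswith("set ") and line not in cfg:
            cfg.append(line)
        elif line.startswith("delete "):
            path = line[len("delete "):]
            cfg = [c for c in cfg if c[4:] != path and not c[4:].startswith(path + " ")]
    return cfg

def audit(cfg):
    """Return review findings for the statements this thread is about."""
    text = "\n".join(cfg)
    findings = []
    for gw, prof in re.findall(r"^set security ike gateway (\S+) tcp-encap-profile (\S+)$", text, re.M):
        findings.append(f"ike gateway {gw} uses tcp-encap profile {prof}")
    port = re.search(r"^set system services web-management https port (\d+)$", text, re.M)
    if port:  # the workaround's side effect: J-Web HTTPS is configured
        findings.append(f"web-management https configured on port {port.group(1)}")
    pools = set(re.findall(r"^set access address-assignment pool (\S+) ", text, re.M))
    for prof, pool in re.findall(r"^set access profile (\S+) address-assignment pool (\S+)$", text, re.M):
        if pool not in pools:  # may be defined in configuration not shown in the post
            findings.append(f"access profile {prof} references pool {pool} not defined in this excerpt")
    return findings

if __name__ == "__main__":
    print(audit(apply_delta(POSTED, [])), audit(apply_delta(POSTED, DELTA)), sep="\n")
```
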