
Can connect in Mac but not in Ubuntu

New Member

Hi, I have been using the Pulse Secure client in macOS Mojave with no issues for a few weeks now, but now I'm trying to get things set up on an Ubuntu 18.04 machine and am having much more trouble. In Mac, when I create a new connection, I first get a warning about authenticating to an untrusted server. No worries, just check Save settings and click OK. Then I sit on Waiting to connect for a few seconds, then get prompted for my Realm. I select Users and check Save settings, click Connect again. Get prompted for User Name and Password, enter those and check Save settings, then click Connect and I'm finally connected to the VPN.

In Ubuntu, I start up the Pulse Secure client, create a new connection, click Connect and the login page comes up that I typically use to connect when I'm in Windows to launch Juniper Network Connect. When I enter my credentials, the page closes and nothing happens. I thought it was related to this issue, but my error message and error code are different:

20190905201118.831834 pulsesvc[p3044.t3044] ipsec.info New tunnel being created (tunnel.cpp:62)
20190905201118.832484 pulsesvc[p3044.t3044] session.info setting log level to 30 (session.cpp:1270)
20190905201118.832576 pulsesvc[p3044.t3044] session.info log level set to 30 (session.cpp:1277)
20190905201118.832723 pulsesvc[p3044.t3044] session.info ive_host = co.myvpn.net (session.cpp:257)
20190905201118.832777 pulsesvc[p3044.t3044] session.info Will not use a proxy to connect to the IVE (session.cpp:327)
20190905201118.832804 pulsesvc[p3044.t3044] session.info Network Connect operates in non-FIPS compliant mode (session.cpp:360)
20190905201118.832825 pulsesvc[p3044.t3044] session.error proxy not found (session.cpp:429)
20190905201118.834401 pulsesvc[p3044.t3044] session.info IVE host co.myvpn.net resolved to 65.144.11.194 (session.cpp:446)
20190905201118.834678 pulsesvc[p3044.t3044] rmon.info got system route 0.0.0.0/0.0.0.0 gw 192.168.1.1 metric 100 via 0x74D59F6C (routemon.cpp:729)
20190905201118.834722 pulsesvc[p3044.t3044] rmon.info got system route 0.0.0.0/0.0.0.0 gw 192.168.1.1 metric 600 via 0x04550306 (routemon.cpp:729)
20190905201118.834746 pulsesvc[p3044.t3044] rmon.info got system route 169.254.0.0/255.255.0.0 gw 0.0.0.0 metric 1000 via 0x616D4110 (routemon.cpp:729)
20190905201118.834768 pulsesvc[p3044.t3044] rmon.info got system route 172.16.133.0/255.255.255.0 gw 0.0.0.0 metric 0 via 0x35303034 (routemon.cpp:729)
20190905201118.834789 pulsesvc[p3044.t3044] rmon.info got system route 172.17.0.0/255.255.0.0 gw 0.0.0.0 metric 0 via 0x4106130A (routemon.cpp:729)
20190905201118.834809 pulsesvc[p3044.t3044] rmon.info got system route 192.168.1.0/255.255.255.0 gw 0.0.0.0 metric 100 via 0x13305930 (routemon.cpp:729)
20190905201118.834830 pulsesvc[p3044.t3044] rmon.info got system route 192.168.1.0/255.255.255.0 gw 0.0.0.0 metric 600 via 0x561B01E8 (routemon.cpp:729)
20190905201118.834916 pulsesvc[p3044.t3044] rmon.info got system route 192.168.242.0/255.255.255.0 gw 0.0.0.0 metric 0 via 0x6817808E (routemon.cpp:729)
20190905201118.834949 pulsesvc[p3044.t3044] rmon.info  Collecting latest routes from the system (routemon.cpp:1474)
20190905201118.835073 pulsesvc[p3044.t3044] rmon.info Found best route via ifc enp10s0 (routemon.cpp:1843)
20190905201118.835098 pulsesvc[p3044.t3044] rmon.info best route to 65.144.11.194 is 0.0.0.0/0.0.0.0 via 0x74D59F6C metric: 100 (routemon.cpp:1495)
20190905201118.835120 pulsesvc[p3044.t3044] rmon.info Found best route via ifc enp10s0 (routemon.cpp:1843)
20190905201118.835139 pulsesvc[p3044.t3044] rmon.info Found best route via ifc enp10s0 (routemon.cpp:1843)
20190905201118.835157 pulsesvc[p3044.t3044] rmon.info best route to gateway: 192.168.1.0/255.255.255.0 gw 0.0.0.0 via 0x13305930 metric 100 (routemon.cpp:2010)
20190905201118.835178 pulsesvc[p3044.t3044] rmon.info attempting to add route to next hop gateway (routemon.cpp:2014)
20190905201118.835196 pulsesvc[p3044.t3044] rmon.info adding route to 192.168.1.1/255.255.255.255 with gw 0.0.0.0, metric 1, if_id 321935664 (routemon.cpp:887)
20190905201118.835682 pulsesvc[p3044.t3044] rmon.info adding server route to the IVE: dest = 65.144.11.194, gw = 192.168.1.1, if_id = 1960157036, dev = enp10s0 (routemon.cpp:1573)
20190905201118.835864 pulsesvc[p3044.t3044] rmon.error Setting Best route 0 101a8c0 0 74d59f6c enp10s0 (routemon.cpp:1585)
20190905201118.835914 pulsesvc[p3044.t3044] session.info connecting to ive myvpn.net best route ifid 74d59f6c (session.cpp:484)
20190905201118.835994 pulsesvc[p3044.t3044] ncp.error ncpEstablish for IVE myvpn.net with context 0x1240098 (ncp.cpp:550)
20190905201118.836119 pulsesvc[p3044.t2806] main.info Setting DSSSL to use Default ciphers (ncp.cpp:1925)
20190905201118.836729 pulsesvc[p3044.t2806] dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
20190905201118.843442 pulsesvc[p3044.t2806] main.info Setting NCP certificate hash for DSSSL certificate verification (ncp.cpp:1934)
20190905201118.843458 pulsesvc[p3044.t2806] main.info Using DSSSL to connect to IVE (ncp.cpp:2023)
20190905201118.843463 pulsesvc[p3044.t2806] connect.info creating a new HTTP connection... (ncp_dsssl.cpp:187)
20190905201118.880171 pulsesvc[p3044.t2806] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
20190905201118.880224 pulsesvc[p3044.t2806] dsssl.info log_cert_info : Subject : OU = Domain Control Validated, CN = *.myvpn.net (DSSSLSock.cpp:1555)
20190905201118.880269 pulsesvc[p3044.t2806] dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
20190905201118.880305 pulsesvc[p3044.t2806] connect.error dshttp connect to co.myvpn.net failed with error 536875113 (ncp_dsssl.cpp:240)
20190905201118.880318 pulsesvc[p3044.t2806] main.error SSL connect failed. Error 536875113 (ncp.cpp:2026)
20190905201118.880335 pulsesvc[p3044.t2806] conn.info cleanup 0 (ncp.cpp:1599)
20190905201118.880355 pulsesvc[p3044.t2806] writer.error thread exit (ncp.cpp:2131)
20190905201118.880413 pulsesvc[p3044.t3044] ncphandler.info Unable to connect IVE. Error 20001069 (ncphandler.cpp:261)
20190905201118.880437 pulsesvc[p3044.t3044] session.info disconnecting from ive co.myvpn.net with reason 6 (session.cpp:633)
20190905201118.880447 pulsesvc[p3044.t3044] adapter.info closing tun adapter FFFFFFFF (adapter.cpp:1137)
20190905201118.880455 pulsesvc[p3044.t3044] dsxp.info isRegistered returned false for 0x12405c0 -1 (dsio.cpp:992)
20190905201118.880462 pulsesvc[p3044.t3044] dsxp.info isRegistered returned false for 0x1238aa0 -1 (dsio.cpp:992)
20190905201118.880469 pulsesvc[p3044.t3044] sysdeps.info restoring DNS settings... (sysdeps.cpp:1000)
20190905201118.880483 pulsesvc[p3044.t3044] session.info  Session Terminated. Removing ip6tables entries  (session.cpp:671)
20190905201118.880500 pulsesvc[p3044.t3044] session.info Executing '/sbin/ip6tables -D INPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null'  (syscmd.cpp:445)
20190905201118.881862 pulsesvc[p3044.t3044] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20190905201118.881895 pulsesvc[p3044.t3044] session.error Failed to execute command /sbin/ip6tables -D INPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1461)
20190905201118.881919 pulsesvc[p3044.t3044] session.info Executing '/sbin/ip6tables -D OUTPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null'  (syscmd.cpp:445)
20190905201118.883343 pulsesvc[p3044.t3044] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20190905201118.883380 pulsesvc[p3044.t3044] session.error Failed to execute command /sbin/ip6tables -D OUTPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1468)
20190905201118.883406 pulsesvc[p3044.t3044] session.info Executing '/sbin/ip6tables -D FORWARD -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null'  (syscmd.cpp:445)
20190905201118.884787 pulsesvc[p3044.t3044] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20190905201118.884823 pulsesvc[p3044.t3044] session.error Failed to execute command /sbin/ip6tables -D FORWARD -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1475)
20190905201118.884859 pulsesvc[p3044.t3044] ncphandler.info teardown done (ncphandler.cpp:354)
20190905201118.886229 pulsesvc[p3044.t3044] ncp.error ncpCleanup for IVE co.myvpn.net (ncp.cpp:766)
20190905201118.886324 pulsesvc[p3044.t3044] session.info disconnected from ive co.myvpn.net with reason 6 (session.cpp:717)

Any thoughts about what might be the problem here?

1 REPLY
Moderator

Re: Can connect in Mac but not in Ubuntu

Hello,

This issue is caused by the certificate presented by the VPN server not being trusted by the Ubuntu client.

Dynamic trust (accepting an untrusted SSL certificate) is not available for the Linux client (it is available in Windows and Mac), hence a certificate signed by an untrusted CA or not having a proper chain will not be accepted by Linux clients. The log snippet below shows that the client is able to validate the trust chain of the VPN certificate:

20190905201118.880171 pulsesvc[p3044.t2806] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
20190905201118.880224 pulsesvc[p3044.t2806] dsssl.info log_cert_info : Subject : OU = Domain Control Validated, CN = *.myvpn.net (DSSSLSock.cpp:1555)
20190905201118.880269 pulsesvc[p3044.t2806] dsssl.error SSL_connect failed.


Based on the error, it seems the intermediate CA certificate is not installed on the VPN server (confirmed using an SSL checker).

Please follow the KB below to resolve this issue, and note that the change has to be implemented on the VPN server, not on the Ubuntu client. Please forward the same to the VPN admin if you're not managing the server.

KB40278 - Pulse Secure Desktop for Linux fails to establish VPN connection with error message "Certificate Verification Failed"

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40574.

Thanks,
Ray.
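
A triage script for the failure discussed in this thread, added here as an example (it is not Pulse Secure code and not part of either post): it pulls `verify_server_cert_callback` failures out of a pulsesvc log, pairs each with the certificate subject logged next on the same thread, and names the verify code. The names `triage` and `X509_CODES`, the hint texts, and the reading of `errorno` as an OpenSSL `X509_V_ERR_*` value are assumptions of this example.

```python
import re

# Sample input: four lines copied from the pulsesvc log in the question above.
SAMPLE_LOG = """\
20190905201118.836729 pulsesvc[p3044.t2806] dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
20190905201118.880171 pulsesvc[p3044.t2806] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
20190905201118.880224 pulsesvc[p3044.t2806] dsssl.info log_cert_info : Subject : OU = Domain Control Validated, CN = *.myvpn.net (DSSSLSock.cpp:1555)
20190905201118.880269 pulsesvc[p3044.t2806] dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
"""

# OpenSSL verify codes (X509_V_ERR_*) with a hint on what to check (hints are this example's wording).
X509_CODES = {
    10: ("CERT_HAS_EXPIRED", "certificate is past its notAfter date"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "gateway presents a self-signed certificate"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "root sent by the gateway is not in the client trust store"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "issuer neither sent by the gateway nor trusted locally"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "gateway sent only the leaf certificate"),
}

LINE = re.compile(r"^(?P<ts>\d{14}\.\d{6}) \S+\[p\d+\.(?P<thread>t\d+)\] "
                  r"(?P<module>\w+)\.(?P<level>\w+) (?P<msg>.*?)\s*(?:\(\S+:\d+\))?$")
FAIL = re.compile(r"Certificate Verification Failed : error:(?P<err>.+?) "
                  r"depth:(?P<depth>\d+) errorno:(?P<code>\d+)")
SUBJECT = re.compile(r"log_cert_info : Subject : (?P<subject>.+)")

def triage(log_text):
    """Return one finding per certificate verification failure in a pulsesvc log."""
    findings, pending = [], {}  # pending: thread id -> finding still waiting for its Subject line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pulsesvc log line
        fail = FAIL.search(m["msg"])
        subj = SUBJECT.search(m["msg"])
        if fail:
            code = int(fail["code"])
            name, check = X509_CODES.get(code, ("UNKNOWN", "see the OpenSSL verify documentation"))
            f = {"ts": m["ts"], "thread": m["thread"], "error": fail["err"],
                 "depth": int(fail["depth"]), "code": code,
                 "name": "X509_V_ERR_" + name, "check": check, "subject": None}
            findings.append(f)
            pending[m["thread"]] = f
        elif subj and m["thread"] in pending:
            pending.pop(m["thread"])["subject"] = subj["subject"]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with code 20 at depth 0 means the leaf certificate's issuer could not be found, which matches a gateway that does not send its intermediate CA certificate.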