Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

SOLVED
-red-_
Frequent Contributor

Just curious whether anyone else has noticed this. I have upgraded a couple of my clusters from 7.1R9 to 7.2R2. Since the upgrade I have noticed an influx of users showing up with SSL transport mode. Looking further into it, it appears the initial connection is established via ESP, with every user failing over after 20 minutes (presumably when the next key exchange is supposed to occur). This is happening with some, though not all, users. But for those who experience it, it seems to be consistent. Saw this behavior with both Pulse and Network Connect. I have not been able to isolate this down to a particular operating system; I have noticed it occurring on Win7, XP and Vista.

Looking at the firewall logs, I noticed UDP 4500 traffic corresponding with the initial connection, but no subsequent UDP 4500 is seen in the logs. I saw the KB regarding the config on the D-Link routers. In polling my users we seem to have everything from D-Link to Netgear to Linksys to Check Point devices, so I'm not sure whether this is my problem. Going back over the logs prior to the upgrade, I've not seen this behavior (at least not nearly as frequently).

I was planning to open a JTAC case, but wanted to see whether anyone else has seen this.
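The firewall-log observation above (UDP 4500 seen only at connection time, the user then continuing over TCP 443) is something you can check for across all clients rather than one at a time. The script below is an added example, not the poster's tooling or anything from the vendor: it parses a constructed, syslog-like firewall export (the line layout, the addresses, and 198.51.100.5 standing in for the VPN gateway are all assumptions), groups packets by client, and flags any client whose ESP (UDP/4500) traffic stops while SSL (TCP/443) traffic from the same client keeps flowing. It also reports how long ESP lasted, so a cluster of clients all losing ESP at roughly the rekey interval stands out from a client behind a NAT device that simply never passed UDP 4500. The two-minute tolerance after the last ESP packet is an assumption; it exists only to ignore the TCP/443 control-channel traffic that legitimately sits next to the ESP setup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed layout:
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>").
# Addresses and times are made up; 198.51.100.5 stands in for the VPN gateway.
#   .10 - ESP for ~20 min, then only TCP/443: the fallback pattern from the post
#   .20 - ESP keeps flowing past the rekey: healthy
#   .30 - never sent UDP/4500 at all: SSL from the start (e.g. NAT drops UDP)
SAMPLE_LOG = """\
2012-09-10 08:00:05 ALLOW TCP 203.0.113.10:51001 -> 198.51.100.5:443
2012-09-10 08:00:06 ALLOW UDP 203.0.113.10:4500 -> 198.51.100.5:4500
2012-09-10 08:05:00 ALLOW UDP 203.0.113.10:4500 -> 198.51.100.5:4500
2012-09-10 08:19:58 ALLOW UDP 203.0.113.10:4500 -> 198.51.100.5:4500
2012-09-10 08:20:30 ALLOW TCP 203.0.113.10:51002 -> 198.51.100.5:443
2012-09-10 08:45:00 ALLOW TCP 203.0.113.10:51002 -> 198.51.100.5:443
2012-09-10 08:00:07 ALLOW TCP 203.0.113.20:40001 -> 198.51.100.5:443
2012-09-10 08:00:08 ALLOW UDP 203.0.113.20:4500 -> 198.51.100.5:4500
2012-09-10 08:20:10 ALLOW UDP 203.0.113.20:4500 -> 198.51.100.5:4500
2012-09-10 08:41:00 ALLOW UDP 203.0.113.20:4500 -> 198.51.100.5:4500
2012-09-10 08:00:09 ALLOW TCP 203.0.113.30:40002 -> 198.51.100.5:443
2012-09-10 08:30:00 ALLOW TCP 203.0.113.30:40002 -> 198.51.100.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log):
    """Yield (timestamp, proto, src_ip, dst_ip, dst_port); skip lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["proto"], m["src"], m["dst"], int(m["dport"]))


def classify_clients(log, vpn_ip, ssl_after_esp=timedelta(minutes=2)):
    """Return {client_ip: (status, esp_lifetime)} for traffic to vpn_ip.

    status is one of:
      "esp"              - ESP seen and no SSL traffic well after the last ESP packet
      "fell_back_to_ssl" - ESP seen, then SSL traffic continued after ESP stopped
      "ssl_only"         - client never sent UDP/4500 (esp_lifetime is None)
    esp_lifetime is the span between the client's first and last UDP/4500 packet;
    values clustering near the rekey interval point at the rekey fallback.
    """
    esp_ts = defaultdict(list)   # client -> timestamps of UDP/4500 packets
    ssl_ts = defaultdict(list)   # client -> timestamps of TCP/443 packets
    for ts, proto, src, dst, dport in parse(log):
        if dst != vpn_ip:
            continue
        if proto == "UDP" and dport == 4500:
            esp_ts[src].append(ts)
        elif proto == "TCP" and dport == 443:
            ssl_ts[src].append(ts)

    result = {}
    for src in sorted(set(esp_ts) | set(ssl_ts)):
        if not esp_ts[src]:
            result[src] = ("ssl_only", None)
            continue
        first_esp, last_esp = min(esp_ts[src]), max(esp_ts[src])
        # SSL packets shortly after the last ESP packet are still the normal
        # control channel; only SSL that keeps going well past it is a fallback.
        later_ssl = [t for t in ssl_ts[src] if t - last_esp > ssl_after_esp]
        status = "fell_back_to_ssl" if later_ssl else "esp"
        result[src] = (status, last_esp - first_esp)
    return result


if __name__ == "__main__":
    for src, (status, lifetime) in classify_clients(SAMPLE_LOG, "198.51.100.5").items():
        print(f"{src:16} {status:18} esp_lifetime={lifetime}")
```

Run it against a real export after adjusting `LINE_RE` to the firewall's actual format. A client listed as `ssl_only` is a candidate for the home-router/NAT explanation; a set of clients all showing `fell_back_to_ssl` with an ESP lifetime close to the configured rekey interval is the symptom the post describes and is worth handing to JTAC with the timestamps attached.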

zanyterp_
Respected Contributor

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

We have seen one other report of this behavior with 7.2R2.

Please open a case with JTAC for further investigation.

-red-_
Frequent Contributor

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

Just opened a ticket.

I have 4 clusters with essentially an identical configuration. Only the ones running 7.2R2 are showing these symptoms.

This is very odd.

zanyterp_
Respected Contributor

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

It is odd (meaning that something unexpected may have happened with 7.2R2, not your environment); thank you for opening a ticket.

Yves_
Occasional Contributor

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

We have the same problem with version 7.2R2.

What is the response from JTAC?

Yves

-red-_
Frequent Contributor

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

The issue was identified and appears to have been resolved as of 7.2R3.

mtessier_
Frequent Contributor
ACCEPTED SOLUTION

Re: Jump in ESP to SSL transport failovers after going from 7.1R9 to 7.2R2

Yes, this issue was mentioned in the 7.2R3 release notes under the fixed section. I was in the process of testing 7.2R2 out when this came out. I decided to skip to 7.2R3 specifically because of the NC issues.

4. cs-nc-enduser - NC users are connected via SSL instead of ESP after 16,383 NC tunnels. (787424)

5. cs-nc-enduser - After IPSec re-key time, the ESP session of the NC tunnel falls back to SSL if data packets were sent on the NCP control channel during the initial ESP tunnel establishment due to latency sensitivity. (787470)