We would be interested to find out the root cause and find out what broke in 7.2x code as we have had a couple of similar cases but could not get the logs we need as systems were immediately rolled back.The logs required would be a system snapshot with debug logging enabled for event code ipsec at level 20 and size 20,wireshark from NC adapter, SA TCP dump,route print output after NC connection and client side debug log with 7.2x code and corresponding set of same logs on 7.1rx code where it is working fine
We have tried replicating this in lab and could not replicate the same behavior so these logs above will help
Please do let us know when you again plan to upgrade to 7.2r3 code, we can maybe take a small downtime and troubleshoot and collect logs for engineering to debug the issue, when you plan to do that, please open a new case and inbox me the JTAC case number.
Hi Juniper Guy,
Could you please let me know if the NC IP pool is in a different subnet to your internal network and if you have a route on the firewall with destination as the NC IP pool subnet and gateway as the Cluster internal VIP IP(if the device is in a cluster)
Not sure if you had the same issue I did but in the Configuration->System ->Network->VPN Tunneling page there is a horribly worded "VPN Tunnel Server IP Address" with that weird IP address of 10.200.200.200 or something.
What this field should say is "Default gateway of Network Connect clients" or something better since there is almost no documentation for that section.
This should be the the gateway of the subnet that connects the SA device to your client pool. I have no idea why they have that 10.200.200.200 or whatever IP address in there, but if you don't set it correctly, its by some miracle that NC would even work with this version.
Let me try to clarify this..
My SA device is using 10.120.5.5 for the internal port.
Under the resource profiles for VPN tunneling, I created a connection profile, created an IP address pool using 10.120.6.2-10.120.6.254.
I set a static route in my core router that looks something like: ip route 10.120.6.0 255.255.255.0 10.120.5.5
Therefore, my VPN Tunnel Server IP Address is set to 10.120.6.1 and all is well with NC clients routing.
Hope this helps...
We also had issues with an upgrade to 7.2, we managed to deeply troubleshoot the issue with Juniper Support. As a result they released a new KB : KB26381
"[SSL VPN/MAG] Network Connect users are unable to access internal resources after upgrading to 7.2RX or higher versions"