Network Connect timeouts or fails to connect

Contributor

Customer is running NC 7.3 off IVE version 7.3r7.  Seemingly at random, the NC connections get to the "Connected" state but endpoints are not reachable for some time, often up to 10 minutes after connecting.  After this, the connection works for a while but will sometimes lose reachability; it can be re-established by generating some more traffic (e.g. pings) to protected resources.

NC is configured for SSL, not IPSec.  We have seen this on clients running Win7 64-bit and Vista 32-bit.

I don't believe this is a session timeout issue.  The problem appears right after user login (as NC is auto-launched), and the role session timeout is set to 479 minutes.

Has anyone else seen this issue?  Are there any other settings we can check on the IVE or in NC that could be implicated?  If I generated some client-side logging, what might indicate an issue there?

3 REPLIES
Super Contributor

Re: Network Connect timeouts or fails to connect

Have ISP issues been ruled out? Does it happen on a different ISP? Is the user on wireless? Does it happen on wired?

If all else fails you can try my uninstaller tool. It removes all NetConnect Components. After it runs have the user reboot and relogin. The components will then reinstall. I've seen this fix a variety of weird NetConnect issues.

Tool is posted here:
http://forums.juniper.net/t5/SSL-VPN/Updated-Uninstaller-of-all-SA-PC-Components-GoAwaySa-V2/td-p/20... 


Super Contributor

Re: Network Connect timeouts or fails to connect

Ah, so something upstream is dropping the traffic. Tracerts can be good at determining that. I also do a lot of telnetting to TCP ports at different spots along the way to the destination. Work backwards from the destination hop by hop until it fails. Stuff I'm sure you know.

Anyway, best of luck.

Contributor

Re: Network Connect timeouts or fails to connect

Hi Jickfoo

There is no ISP or wireless involved (though no reason you should have known that).  The SAs are deployed inside a secure customer zone inside a data centre where we require various security controls on our own client PCs before they are allowed to go anywhere near the customer systems and data.

But you're right, essentially.  We can see traffic going out of the SA boxes when we try to connect through NC (with tcpdump), but somewhere inside the data centre networks, it is being dropped.  We have been working with the data centre network and security teams to diagnose and fix.  For quite a while...