I'm having an issue where if I have more than 3 rules in my Role Mapping, my users are not able to connect using Pulse for that specific realm. If I remove one entry and attempt to connect again using Pulse, I'm able to connect with no problem. Anyone have any idea what might be causing this issue? I'm running version 8.0R3:2 (build 30619)
Model: MAG-SM360
Thanks, in advance.
Mark
To correct my problem, I had to delete the groups in Active directory and recreate them. Doing this allowed me to connect without any issues. Thanks for all the help and guidance.
Mark
Hi Mark,
Can you attach a policy trace?
Regards,
Jai
Are any of your roles flagged to stop processing on match?
Also check the order of your role evaluation. And make sure that there are no conflicts with the applied policies if they happen in a particular order.
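An added example, not code from the thread or from the appliance vendor: a small model of how an ordered role-mapping table behaves when one rule is flagged to stop processing on match. The rule names, groups and roles are constructed, and the evaluation semantics (rules walked in order, roles from every matching rule accumulated, evaluation ending at the first matching rule with the stop flag) are a simplified assumption used to show why rule order and the stop flag interact.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Simplified, assumed model of a role-mapping table: each rule has a
# match condition, the roles it assigns, and a "stop processing rules
# when this rule matches" flag. Not the appliance's own implementation.


@dataclass
class User:
    username: str
    groups: FrozenSet[str]


@dataclass
class Rule:
    name: str
    matches: Callable[[User], bool]
    roles: Tuple[str, ...]
    stop_on_match: bool = False


def evaluate_role_mapping(rules: List[Rule], user: User):
    """Walk the rules in order and collect roles from every matching rule.

    Returns (assigned_roles, matched_rule_names, stopped_at_rule_or_None).
    Rules after a matching stop-flagged rule are never consulted.
    """
    assigned: List[str] = []
    matched: List[str] = []
    for rule in rules:
        if not rule.matches(user):
            continue
        matched.append(rule.name)
        for role in rule.roles:
            if role not in assigned:  # keep first-seen order, no duplicates
                assigned.append(role)
        if rule.stop_on_match:
            return assigned, matched, rule.name
    return assigned, matched, None


def group_rule(name: str, group: str, roles: List[str], stop: bool = False) -> Rule:
    """Build a rule that matches when the user is a member of `group`."""
    return Rule(name, lambda u, g=group: g in u.groups, tuple(roles), stop)


# Constructed sample table: four group-based rules, the second one flagged
# to stop. Group and role names are invented for the example.
RULES = [
    group_rule("r1-admins", "HQ_Admins", ["Administrators"]),
    group_rule("r2-users", "HQ_USERS", ["Users"], stop=True),
    group_rule("r3-eng", "Engineering", ["Engineering"]),
    group_rule("r4-vpn", "VPN_Users", ["VPN"]),
]


def roles_for(groups) -> Tuple[List[str], List[str], Optional[str]]:
    """Evaluate the sample table for a user with the given group set."""
    return evaluate_role_mapping(RULES, User("sample", frozenset(groups)))


def rules_after_stop(rules: List[Rule]) -> List[str]:
    """Review check: names of rules placed after the first stop-flagged rule.

    Those rules are only reached by users who do NOT match that earlier
    rule, which is the kind of ordering conflict worth looking for.
    """
    names: List[str] = []
    seen_stop = False
    for rule in rules:
        if seen_stop:
            names.append(rule.name)
        elif rule.stop_on_match:
            seen_stop = True
    return names


if __name__ == "__main__":
    print(roles_for({"HQ_USERS", "VPN_Users"}))       # VPN never assigned
    print(roles_for({"HQ_Admins", "Engineering"}))    # both roles assigned
    print(rules_after_stop(RULES))                    # ['r3-eng', 'r4-vpn']
```

A user in both HQ_USERS and VPN_Users gets only the Users role in this model, because r2 stops evaluation before r4 is reached; a user in HQ_Admins and Engineering gets both roles since no stop rule matched.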
Jai,
Here's a trace that I did while it wasn't working.
Mark
Steve,
I have no stop in my role mapping and also checked multiple times and saw no conflict.
Mark
Mark,
Check if the role mapping works connecting via browser and not Pulse to see if the issue is restricted to Pulse.
I do not see the policy trace attached.
Regards,
Jay
Jay,
I get the same issue going through my browser. What I've noticed is I have 3 subnets 10.226.0.0/20, 10.227.0.0/20, 10.228.0.0/20. If I group them into one access control and split tunneling network then I'm able to connect without any issues and can have additional role mappings, 3 or more.
info - [172.16.30.206] - SUPREME\ismxp10(HQ_Admins)[.Administrators] - 2014/06/27 14:59:03 - MAG-N1 - supreme\markpweb:HQ_USERS - Policy Tracing turned on
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - NTLogin(172.16.4.1, SUPREME\markpweb, SUPREME, junipervpn, no, , yes, 1, 15, kocmag01 Computers)
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Use any auth protcols
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Performing winbind based Authentication...
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Fetching machine config from ntjoinserver for domain SUPREME is successful
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Winbind Authentication status 0(NT_STATUS_OK) for user markpweb
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - NTLogin done.
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Authentication successful to auth server "KOCAD"
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Getting directory information from auth server "KOCAD"
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Groups Search with LDAP Disabled
info - [172.16.30.206] - SUPREME\ismxp10(HQ_Admins)[.Administrators] - 2014/06/27 15:02:32 - MAG-N1 - supreme\markpweb:HQ_USERS - Policy Tracing file downloaded for user
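An added example, not part of the thread: a parser for the policy-trace lines posted above, with a check that summarises what the trace records for one user (authentication result, auth server, and whether a group lookup appears after authentication). The field layout `level - [ip] - user(realm)[roles] - timestamp - node - message` is inferred from the posted lines and is an assumption; the sample input is the trace from the post, copied inline so the code runs offline.

```python
import re
from typing import Dict, List, Optional

# Assumed layout of one policy-trace line, inferred from the posted trace:
#   info - [ip] - user(realm)[roles] - YYYY/MM/DD HH:MM:SS - node - message
# The message itself may contain " - ", so a regex is safer than str.split.
TRACE_RE = re.compile(
    r"^(?P<level>\w+) - \[(?P<ip>[^\]]+)\] - "
    r"(?P<user>[^(]+)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - (?P<msg>.*)$"
)

# Sample input: the trace posted in the thread, embedded here verbatim.
SAMPLE_TRACE = r"""
info - [172.16.30.206] - SUPREME\ismxp10(HQ_Admins)[.Administrators] - 2014/06/27 14:59:03 - MAG-N1 - supreme\markpweb:HQ_USERS - Policy Tracing turned on
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - NTLogin(172.16.4.1, SUPREME\markpweb, SUPREME, junipervpn, no, , yes, 1, 15, kocmag01 Computers)
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Use any auth protcols
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Performing winbind based Authentication...
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Fetching machine config from ntjoinserver for domain SUPREME is successful
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Winbind Authentication status 0(NT_STATUS_OK) for user markpweb
info - [173.166.1.226] - markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - NTLogin done.
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Authentication successful to auth server "KOCAD"
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Getting directory information from auth server "KOCAD"
info - [173.166.1.226] - SUPREME\markpweb(HQ_USERS)[] - 2014/06/27 15:00:04 - MAG-N1 - Groups Search with LDAP Disabled
info - [172.16.30.206] - SUPREME\ismxp10(HQ_Admins)[.Administrators] - 2014/06/27 15:02:32 - MAG-N1 - supreme\markpweb:HQ_USERS - Policy Tracing file downloaded for user
"""

AUTH_OK_RE = re.compile(r'Authentication successful to auth server "([^"]+)"')


def parse_trace_line(line: str) -> Optional[Dict]:
    """Parse one trace line into a dict, or None if it does not fit the layout."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["roles"] = [r for r in ev["roles"].split(",") if r]
    return ev


def parse_trace(text: str) -> List[Dict]:
    """Parse a whole trace, silently skipping lines that do not match."""
    return [ev for ev in (parse_trace_line(ln) for ln in text.splitlines()) if ev]


def _short_user(name: str) -> str:
    # "SUPREME\markpweb" and "markpweb" refer to the same account here.
    return name.rsplit("\\", 1)[-1].lower()


def audit_group_lookup(events: List[Dict], user: str) -> Dict:
    """Summarise one user's authentication and whether groups were retrieved.

    "Groups Search with LDAP Disabled" is treated (an assumption made for
    this example) as a sign that no group membership came back after
    authentication, which a group-based role-mapping rule would need.
    """
    mine = [e for e in events if _short_user(e["user"]) == user.lower()]
    report = {"events": len(mine), "authenticated": False, "auth_server": None,
              "group_search_disabled": False, "roles_seen": sorted({r for e in mine for r in e["roles"]})}
    for e in mine:
        m = AUTH_OK_RE.search(e["msg"])
        if m:
            report["authenticated"] = True
            report["auth_server"] = m.group(1)
        if "Groups Search with LDAP Disabled" in e["msg"]:
            report["group_search_disabled"] = True
    return report


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print(len(evs), "events parsed")
    print(audit_group_lookup(evs, "markpweb"))
```

Run against the posted trace, the audit reports a successful authentication to KOCAD followed by the group search being disabled and no roles recorded for the user, which is the part of the trace to compare against the realm's group-based role-mapping rules.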
Hi,
Seems like the issue is caused by the number of VPN tunneling ACLs and split tunneling rules it has to process.
Server side debugging will be needed to debug this so I would recommend opening a case with JTAC.
Regards,
Jay
I'm not sure I follow your comments.
I have 3 subnets 10.226.0.0/20, 10.227.0.0/20, 10.228.0.0/20.
Are these split tunnel subnets to access resources on your internal network?
Or are these address pool subnets you are assigning to connected users?
Steve/Jay,
The subnets aren't the problem. I was able to reach all my resources using a local system account on my SA appliance. It seems like the group search is what's failing using my Active Directory realm. I do have a case open with JTAC, but if you guys have any ideas, please let me know.
Mark