Well, just got a SA-2500 and after a few days' work, still no luck with Network Connect. Please help:
This is a brand new box, running 6.4R1. I have followed the documentation and have been searching up and down to see what I have done wrong but still couldn't find the reason why I am getting error 23791.
I've tried two different machines and the results are the same. no luck. One machine is totally clean, i.e. no other vpn clients, ipsec, no firewall, no nothing. So the problem is on the server config.
On the SA-2500:
(1) Realm, source profile, connection profile, etc, etc have all been configured "correctly". As I said, I have followed the documentations and have read through many more knowledge base, but to no avail.
(2)Firewall: https and UDp4500 are allow the the SA-2500 host. I only use the internal port, external disable. The IP on the internal host sits on the same subnet as the IP Pool I define, i.e. internal host: 192.168.59.x and the IP Pool is 192.168.59.100 to 192.168.59.110 (this will need to change once network connect works). Doing thiis pool to avoid any routing issue for now. Host checker works but is turn-off for now. The only thing I still have question is the 10.200 server IP address for network connect. I left it alone.
Atb this point I am really lost. Been doing VPn with Cisco, and Citrix CAG, I thought Juniper may be better but now i have a second thought. Either i am too dumb )most likely ) or ...
Please help. I know more info is needed in order to see where the poblem is.
Thank you in advance for any help/direction or pointer.
More info just in case: no problem on netwok connectivity. I've configured OWA 2003 and put up a web link for our intranet. Both works fine from the net coming in.
well here is the way the network connect IP works
you define the 10.200 ip address on your network router and tell that all your network connect ip hosts are behind this ip address. So when a user does network connect the network will know where to send the return traffic.
have you looked at the debug log on the client to see if it gvies you any hints?
also did you define the ip pool in the virtual system profile and users - > network connect - > nc connection profiles?
Thank you for your help.
Well, after posting my messages, I decided, what the heck, to reboot the system and without changing a thing, client getting Ip address and network connect works. Since it's working , I've changed the IP pool to a different subnet and on my backend router I added a static route: if going to IP pool addresses use the SA2500's internal IP (which is visible on my router). Now since it's working, my question now is about your comment on the 10.200 address since it's not visible on my router. How to route to the IP pool with a route point to the 10.200 address which is not visible?
ANother question about Juniper SA. At the beginning I counld't (believe me, I nearly pull all my hairs out) authenticate via AD group. Last resort, I reboot the thing and it starts to work. ANd now this network connect reboot. I am wondering if this is only me or if this is common practice when working with Juniper SA SSLVPN? This is really getting out of hand if I have to reboot/restart services so often.
I don't recall ever needing to reboot our SA's after a config change. We've been using them for years without issue. I would recommend learning the troubleshooting features on the box (i.e. Policy Tracing, etc). This is similar to a debug in Cisco and comes in handy in times like these.