Re: Upgraded 1000 users to 6.0R3.1 - got over 200 ...

Jickfoo_ · ‎01-23-2008

Just to share my experiences...

I upgraded my IVE 6000 pair to 6.0R3.1. I had it set up to automatically upgrade users as they came in. If someone knows of a better more gradual way to upgrade, please let me know.

About 20% of the users had serious problems with the upgrade. Problems were all over the board. The 23971 error, 'Access to Secure Gateway Denied' was prominent. Some people complained of drops or errors with Host Checker.

I've been slowly getting around to calling users and helping them through these problems. Usually a complete uninstall and reinstall of all products Juniper will resolve the issue. I wish Juniper had an option to uninstall previous versions during the auto-upgrade. Many people are still waiting for a solution.

All I can say is Thank God I have a backup IPSec VPN. I'd love to get rid of it, but we've been on NetConnect for 2 years now and it hasnt happened yet.

Not very happy and sometimes longing for the days of a nice fat stable client.

Justin

Automate_ · ‎01-23-2008

Hi Justin,

Sorry to hear about the troubles! What version were you upgrading from?

Thanks

-Keith

keith_ · ‎01-24-2008

I had a similar problem with a client who just upgraded. Several users weren't able to access Citrix through the IVE as a result. But by getting the users to delete the temporary internet files on the browser, and also uninstalling previous versions of Juniper applets, (eg SAM), most, if not all users seemed to be ok from then on.

Keith M

JW_ · ‎01-24-2008

Thanks for the update. I was worried that might be the case.

I am on 5.5 at the moment, having problems with NC and Juniper advised to go to latest release of 6.

I'm not touching it until I know that I can do this in a controlled and tested way.

I was thinking about it until I read your post.

joepope_ · ‎01-25-2008

JW:

I use NC and had no problems with firmware 5.5R4. Today I upgraded to 6.0R3.1, so far (fingers crossed) no problems

with NC or Citrix.

I had installed 6.0R1 on my SA4000 cluster and had numerous problems with Citrix connections. I had to back out back to

5.5 and it wrecked my cluster. I was luck that one member was still in fair shape. I have noticed that reverting back to a

full version (6 to 5) is a real pain and may cause problems.

Be careful and good luck!

Jickfoo_ · ‎01-27-2008

Previous version was 5.4 R ?? Something.. Personally I dont think it matters much. This is the second NetConnect upgrade I've been through and they have both been nightmares.

I am at the point now where the people I still can't get in are dial up users. The uninstall/reinstall simply doesnt work. I plan on e-mailing them the installers. My theory is that it takes so long for the auto-installs to download that some kind of timeout happens on the client.

I have a case open with support but so far they haven't been much help.

I have 2 different case owners insist that the problem was related to BonJour. (its not, I've checked).

Justin

Message Edited by Jickfoo on 02-19-2008 05:48 AM

Paul_Slager_ · ‎01-29-2008

Jickfoo,

Do all of your clients have the Juniper Installer service installed on their machines? I am sure you have already been over this but if your users don't have admin rights over their machines then they need the installer service to safely upgrade to newer versions. Another possible thought is pushing out the latest installers through Group Policy, sorry to hear about your troubles.

Jickfoo_ · ‎01-31-2008

Just an update, our problems continue..

I have several users whose Notes replications fail midstream for reasons I dont understand. I did a TCP dump and there are lots of retransmissions and errors. I am looking into trying NCP instead of ESP but from what I understand it is much much slower.

I didnt intentionally install the Installer service on anyone's machine.

I'd love to take Host Checker out of the mix but I doubt its really the cause of my problems. I only use it to verify that the computer is owned by our company. I was messing around with Radius the other day and may be able to have radius check to see if a computer account exists on the domain during login. If I could get this to work, I wouldnt need host checker.

Things are still bad. More to come.

Any Juniper guys want to pitch in a help ? Its case number 2008-0121-0413. Looking for all the promised post sales support I've heard about. So far havent heard back from my SE.

If it sounds like I am bitter its because I am.

Message Edited by Jickfoo on 01-31-2008 07:38 AM

Automate_ · ‎01-31-2008

Hi Justin,

Looking through that case I can understand your frustration. There's a case transfer request in there that looks to be the source of some of the issue. Was this done through the Web? The "transfer case" button doesn't escalate - it just re-queues the case in the event the original engineer is out of office (we've had some confusion on that). I'll contact you offline to gain more insight.

Any time you feel the need to escalate, just ask for the duty manager instead. It should work better than posting here

I will work with the JTAC team to get proper escalation on the separate issues.

Stay tuned.

-Keith Redfield

Director, eSupport

Jickfoo_ · ‎02-19-2008

The users getting a 23791 were just about all dial-up users. We have a global dial program with MCI and we limit where people can go when then dial-up. (Basically we want them to connect to us, so we restrict their dial access to our public network only. This way they are forced to login to VPN, which then allows them back out to the Internet, but all activity is tracked by our URL Filtering and Reporting system.)

The problem was that during login, clients were going out to crl.verisign.net to check the status of the certificate. Our dial policy didnt allow them to get there which is why they got 23791. By the way, 23791 almost always means something is being blocked. JTac found 2 IE Settings they believe were causing the issue.

In IE, under Internet Options, Advanced, there are two options that were making this happen:

Check for publisher's certificate revocation.

Check for server certification revocation (requires restart)

To be safe we allowed all verisign.net networks in our dial-ip profile rather then shut these options off.

This resolved the majority of our problems. I still have about 20-30 users who are having weird issues. Specifically, Notes Replication, and trusted authentication simply does not work. These are very clean machines with stable Internet Connectivity. In the traces we see a variety of retransmissions that do not occur on our Nortel COntivity VPN, from the same client and ISP. To rule out conflicts we completely uninstalled Contivity and reinstalled Network Connect. The issues persisted. These same users worked just fine on previous versions of NetConnect. If anyone else has experienced retransmissions or problems with Trusted authentication please let me know.

Thanks,
Justin

Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls

Re: Upgraded 1000 users to 6.0R3.1 - got over 200 problem calls