I am trying to connect an iPad using the Junos Pulse client to an SA4000 running 7.1r5. So far I have managed to get it to connect. I can browse web sites using the intranet button. But when I try to get Safari to connect, the Safari connection times out. I have also tried this with an RDP connection to a Windows Server with the same result.
I have enabled split routing and have in the subnet I require access to, (also added host IP as well). On the host PCs I am able to ping the iPad at the remote end of the VPN ok. The funny bit is if I add a static route to the host server eg. route add 192.168.2.0 mask 255.255.255.0 192.168.1.2 the RDP connection works. I have checked the router (default gateway) for the network has a route defined.
Am I going mad or is my inexperience of VPNs showing?
On a normal desktop/laptop, with the same SA config (split tunnel enabled), does it work as expected?
Also, on the iPad, if you disable split tunnel, are you able to connect to RDP / browse using Safari?
I have checked NC from a laptop and get the same result with split tunnel enabled, ie I cannot connect to the host with RDP. I can ping the host from the laptop ok, but not connect with RDP or to the web site on the server (or any server).
Again if I add a static route to the server RDP works.
Disabling split tunnelling made no difference.
Is the resource behind the SA or is it on the local network of the iPad? I think the routes may be getting mixed up since the route you stated you are adding is usually a local IP address 192.168.1.x and may be sending it directly through the physical adapter instead of the tunnel. If you can replicate this issue with the desktop version, can you try and get the "route print" before the connection and during the connection to see what it looks like?
The resource is behind the SA. Interestingly, I can connect to hosts on other subnets, just not the one the SA is connected to.
Also the SA is running 7.1r6, not r5 as previously stated, in case this makes a difference.
It sounds like there is something wrong with the route table prior to Pulse modifying it. Can you get the 'route print' before and during the Pulse connection?
Which SA port: internal or external? If external, can you add a route on the internal port to send that traffic to the external port subnet out the internal interface?
Can you tracert from the iPad (I have seen free tools to do this on the app store) and confirm the first hop is your SA as expected?
Does tracert work on the system (Maintenance>Troubleshooting>Tools>Commands) to the failing IP?
Does this work on non-mobile devices?
When you do a TCP dump on the traffic, either on the SA or the device you are connecting to, what do you see?
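The "route print before and during the connection" comparison requested in the replies, as an added example that is not part of any post in this thread: it parses two IPv4 route tables in Windows `route print` layout, lists the routes the VPN client added, and shows which route wins for a given host by longest-prefix match. All addresses are constructed assumptions (client LAN 10.0.0.0/24, tunnel address 192.168.2.10, protected subnet 192.168.1.0/24, target host 192.168.1.20).

```python
import ipaddress

# Constructed samples: IPv4 "Active Routes" rows in Windows `route print` layout
# (Network Destination, Netmask, Gateway, Interface, Metric). All addresses are
# assumptions: client LAN 10.0.0.0/24, tunnel address 192.168.2.10, and
# 192.168.1.0/24 as the subnet behind the SA.
BEFORE = """
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.50     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.50    281
"""
DURING = """
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.50     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.50    281
      192.168.1.0    255.255.255.0         On-link      192.168.2.10      1
     192.168.2.10  255.255.255.255         On-link      192.168.2.10    256
"""

def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank lines, column headers and separators
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            metric = int(fields[4])
        except ValueError:
            continue  # not a route row
        routes.append((net, fields[2], fields[3], metric))
    return routes

def best_route(text, dest):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in parse_routes(text) if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def added_routes(before, during):
    """Routes present during the VPN session that were absent before it."""
    old = set(parse_routes(before))
    return [r for r in parse_routes(during) if r not in old]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("during", DURING)):
        net, gw, iface, metric = best_route(table, "192.168.1.20")
        print(f"{label}: 192.168.1.20 -> {net} via {gw} on {iface} (metric {metric})")
    for r in added_routes(BEFORE, DURING):
        print("added:", r[0], "on", r[2])
```

If the winning route during the session points at the tunnel interface and the connection still fails, the client side is routing correctly and the return path from the server is the next thing to check.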