no inbound traffic to pulse client

SOLVED
em_platinum_
Contributor

I am considering purchasing a MAG6610/SM160 to run in SSL VPN and am using the SA DTE VM for eval purposes.  I am currently trying to get the Pulse Client to work but am not receiving any traffic back to the client.  

 

My internal network is made up of multiple VLANs within 10.10.0.0/16 (10.10.1.0/25, 10.10.10.0/24, etc), all routed on the core switch.  Here's the configuration I am trying to make work right now:

 

SA 8.0R1 software

internal port IP: 10.10.1.11

Internal port subnet: 255.255.255.0

internal port gw: 10.10.1.1

VPN Tunnel Server IP Address: 10.10.1.12

authentication against AD is configured and working

split tunnel: disabled

IP pool given out per VPN tunneling policy: 10.10.1.10-10.10.1.30

 

Junos Pulse client connects and I am asked to authenticate, which I do successfully with my AD credentials.  I am given an IP of 10.10.1.10.  I then try to ping internet traffic, or internal IP of 10.10.10.10, and get no response.  The client shows traffic out but nothing in.


From an internal routing standpoint, the default gateway that the SA uses for the internal port handles all routing between VLANs and out to the internet, so I was expecting this to all just work as-is, but no luck.

 

 

Accepted Solutions
em_platinum_
Contributor

Re: no inbound traffic to pulse client


@jayLaiz wrote:

can you check http://kb.pulsesecure.net/KB26381

 

Regards,

Jay


Bingo!  That was it.  I specified a new IP range not in use anywhere in my network and put the route for that range back to the SA's VPN Tunnel IP Address and everything works like a charm!

6 REPLIES
jayLaiz_
Super Contributor

Re: no inbound traffic to pulse client

can you check http://kb.pulsesecure.net/KB26381

Regards,

Jay

jayLaiz_
Super Contributor

Re: no inbound traffic to pulse client

Hi,

What if you make the subnet mask on the internal port on SA 255.255.255.128, which is in 10.10.1.0/25?





If SA/MAG internal port is 10.10.10.11/24 and VPN tunneling IP is 10.10.1.10-10.10.1.30

Add a route on switch as destination 10.10.1.0/25 with the next hop as the 10.10.10.11 (internal port IP of SA/MAG)

Regards,

Jay



em_platinum_
Contributor

Re: no inbound traffic to pulse client

My initial problem is no longer an issue.  I had some other software causing routes from Pulse client to not get populated to my machine properly.

However, now that my "easy" configuration works, I'm trying to make things a little more complex and am having the same issue with no inbound traffic.

All of the info in terms of network configuration is accurate from my first post.  But now I want to give out different DHCP ranges other than the same subnet the SA internal port is on. For example:

-SA Internal port is 10.10.1.11 and VPN Tunnel Server IP is 10.10.1.12

-Connect Profile is set to give out DHCP range of 10.10.200.10-10.10.200.250

With this configuration, I can't hit any internal resources.  10.10.200.0/24 is another physically connected VLAN on my core switch (along with 10.10.1.0/24 and 10.10.10.0/24).  All of these VLANs can talk to each other from within the network without any issue, but when I configure the SA to give out a different DHCP range than the Internal port of the SA, I can't communicate from my machine with Pulse on it.




AntonyThomas
New Member

Re: no inbound traffic to pulse client

Updating the KB article Link

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22611

zanyterp
Moderator

Re: no inbound traffic to pulse client

I am sure this has been resolved, but to confirm, the routes are in place to send connections for the IP range to the PCS internal port?
Are you needing VLAN tagged traffic to use that connection?
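
The routing condition behind the accepted fix, as an added example that is not part of the original thread or of any Pulse Secure tooling: it checks a VPN pool against the core switch's connected subnets and static routes. The function name, the finding strings and the 10.10.250.0/24 replacement range are assumptions made for illustration; the other addresses are the ones quoted in the posts.

```python
import ipaddress as ipa

def check_pool(pool, sa_internal, connected, static_routes, tunnel_ip):
    """Return reasons replies to VPN pool addresses would miss the gateway.

    pool          -- (first, last) addresses handed out to VPN clients
    sa_internal   -- gateway internal port as "address/prefix"
    connected     -- subnets directly connected on the core switch
    static_routes -- {prefix: next hop} static routes on the core switch
    tunnel_ip     -- address on the gateway that pool routes should point to
    """
    first, last = (ipa.ip_address(a) for a in pool)
    hop = ipa.ip_address(tunnel_ip)
    sa_net = ipa.ip_interface(sa_internal).network
    # Assumption taken from the thread: a pool inside the internal port's own
    # subnet needed no extra core route (the poster reports that layout working).
    if first in sa_net and last in sa_net:
        return []
    findings = []
    for net in map(ipa.ip_network, connected):
        # Range overlap: the switch treats these addresses as on-link on that
        # VLAN and delivers replies there instead of to the gateway.
        if first <= net[-1] and last >= net[0]:
            findings.append(f"pool overlaps connected subnet {net}")
    routes = {ipa.ip_network(p): ipa.ip_address(h)
              for p, h in static_routes.items()}
    covering = [p for p in routes if first in p and last in p]
    if not covering:
        findings.append("no static route covers the pool")
    else:
        best = max(covering, key=lambda p: p.prefixlen)  # longest prefix wins
        if routes[best] != hop:
            findings.append(f"route {best} points to {routes[best]}, not {hop}")
    return findings

# Constructed inputs using the addresses quoted in the thread.
VLANS = ["10.10.1.0/24", "10.10.10.0/24", "10.10.200.0/24"]
SA_PORT, TUNNEL_IP = "10.10.1.11/24", "10.10.1.12"
FAILING_POOL = ("10.10.200.10", "10.10.200.250")  # second layout in the thread
# The thread does not give the replacement range; this one is a placeholder.
UNUSED_POOL = ("10.10.250.10", "10.10.250.250")

if __name__ == "__main__":
    print(check_pool(FAILING_POOL, SA_PORT, VLANS, {}, TUNNEL_IP))
    print(check_pool(UNUSED_POOL, SA_PORT, VLANS,
                     {"10.10.250.0/24": TUNNEL_IP}, TUNNEL_IP))
```

An empty list means the pool is either inside the internal port's subnet or is an unused range whose most specific route points at the tunnel address; a default route alone is reported as pointing to the wrong next hop.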