cancel
Showing results for 
Search instead for 
Did you mean: 

Pulse Secure to SRX on Win7 (win2k8R2) issues

Regular Visitor

Pulse Secure to SRX on Win7 (win2k8R2) issues

Cannot connect to SRX240H2 Dynamic VPN using pulse secure client on Win7 or Win2k8R2 Server. MacOS, Win8.1, Win2k12R2, Win10 clients work fine.

The client shows error 1453, windows system log shows Secure Channel errors (event id 36874, 36888, 36887). The SRX httpd log shows "httpd: 2: "Comms Error", code 550: Communications read error". The SRX is reachable and shows dynamic VPN service page if accessing it from browser.

JunOS 12.3X48-D65.1
Pulse Secure Client 5.3r1.0-b587

Any advice on debugging this will be appreciated.

 

UPD: After digging into tcpdump I've noticed that Pulse Secure client on Windows 7 is trying to negotiate with SRX using TLSv1 which is disabled in latest JunOS, then it tries to failback to SSLv3 which Windows doesnt seem to like - in the end connection fails. Is there any way to force Pulse Secure to use TLSv1.2 on Windows 7?

 

UPD2: Confirmed that Pulse Secure client uses TLSv1.2 by default on Windows 8 and 10. Why its behaviour is so different on Windows 7 and 2008R2?

4 REPLIES 4
New Contributor

Re: Pulse Secure to SRX on Win7 (win2k8R2) issues

bump...

 

I think I'm having the same issue. Any help out there? 

 

Thanks

New Contributor

Re: Pulse Secure to SRX on Win7 (win2k8R2) issues

Figured it out. Check this link if you're having the same problem. 

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-s...

New Contributor

Re: Pulse Secure to SRX on Win7 (win2k8R2) issues

Senior Member

Re: Pulse Secure to SRX on Win7 (win2k8R2) issues

Thank you for providing this information. This is a scenario that we encountered as well with an SRX220H2 on 12.3X48-D75.4 with Pulse Secure 5.1.5. In order to fix it, we followed the Microsoft article (at https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-sec...) by installing the Easy Fix file and adding the two registry keys per "Enable TLS 1.1 and 1.2 on Windows 7 at the SChannel component level" (see below).

 

For TLS 1.1
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
DWORD name: DisabledByDefault
DWORD value: 0

For TLS 1.2
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD name: DisabledByDefault
DWORD value: 0