Are the other devices like Windows, Android able to connect to the VPN normally? Does the "connection error" comes after authentication or after clicking on the connect button? What do you see on the pulse mobile client logs at that timestamp? Please paste the relevant log snippets. ... View more

Can you send the MSI install logs to me for a quick review? ... View more

" No rules are configured for the Mac platform", it seems that the enforced Host checker policy does not have any valid rules/checks configured for Mac machines, which is causing the connection attempt to fail.   Please check with your VPN administrator for correcting the host checker policy, as it's a misconfiguration on the VPN server side. ... View more

VPN server will use Internal port to source the egress traffic. Client can use the External port to connect to the VPN server, however, the traffic initiated by the client will be forwarded to the internal network using the Internal port.   Client traffic >> Internet >> DMZ >> External port >> VPN >> Internal port >> Intranet/Intranet.   Please allow the Internal port of the VPN server (resides at the DMZ) to communicate with the Internet/Intranet zones, so that, the VPN clients can connect to Internet. ... View more

Use NSlookup when connected to 3G network to get the public IP of the VPN server and try to connect using the IP address instead of hostname. ... View more

1. Install and open Pulse Desktop Client (see PM). 2. Click on the plus sign (add) to add a new connection. 3. Give it a name and enter the correct VPN server URL >> Add/Connect. ... View more

Hmm... Inconsistent behaviour (access works after several connects/disconnects) is what I have seen with Windows Secure Application Manager (WSAM) when used in Windows 1809. It seems that you're using WSAM client, aren't you? If yes, please switch to Pulse Desktop Client to resolve this issue. ... View more

Not certainly. Any chance on providing the debug logs for review? ... View more

Hmm... WiFi gets toggled (disabled - enabled) when connecting using Pulse Client.. but ethernet works without any issues. Interesting! Can you provide me the pulse client logs for review? Please follow the below steps: 1. Open pulse client. 2 File -- logs -- log level -- detailed 3. File -- logs -- annotate -- type any text string like test1. 4. Replicate the issue by connecting using the client. 5. Wait for the WiFi to get toggled. 6. File --- logs --- save as -- save the zip file and share it with me. ... View more

Hmm... If the issue sporadic.. then the ACL on the VPN server should be fine. If you have access to the backend RDP server, please check the value of the security layer under Windows registry settings. Open regedit using Run >> Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Check for “SecurityLayer” value. ... View more

Did the RDP access work before?   Are the users trying to access an admin created bookmark (connection name will be in bold) or trying to access a user created one?   From my experience, it was never a client issue. Settings on the VPN server (Firmware version, ACL, NLA status) or on the backend RDP machine (NLA security layer value) could cause this error message.     ... View more

Are you using ethernet connection along with Wi-Fi?   Does the VPN connection gets connected successfully and after successful VPN connection, Wi-Fi adapter gets toggled?   Do you need to disconnect from the VPN, in order to enable back the Wi-Fi?   What happens if you use a different laptop to connect to VPN? Is the behavior same?     ... View more

Hi Starvos, Please try to capture debug logs on the SRX device as well, along with the packet captures. @zanyterp: Will the SRX debug logs be encrypted, like the Pulse Secure device? Thanks, Ray. ... View more

Hi Stavros,   Thank you for the response.   I understand. Please update the thread once you have the files for review, will wait for your update.   Thanks, Ray. ... View more

Hi Stavros, Start detailed level logging on the Pulse client, annotate with any random text string, capture the traffic on client machine using wireshark (also on SRX device, if possible) and try to replicate the issue. You can annotate with different strings for different attempts, so that, i can focus the correct one. Send me the packet dump(s) and pulse client logs for review. Thanks, Ray. ... View more

I believe it's called OpenConnect client which can be used to connect to Pulse Secure server from a Linux machine not Cisco's AnyConnect! Is that correct? One setting (I know), which does this type of blocking is the browser (user agent) based restrictions enforced on the user realm. Take for example, you can configure the user agent string as *Pulse-Secure* Under, Users --- User realms --- Authentication policy --- Browser --- enter the pulse secure client string --- Allow. Which causes all the clients except pulse client including web browsers and OpenConnect client from connecting to VPN. Note: If we can pass custom user agent as Pulse-Secure using OpenConnect client initiated connections, which is like potentially masquerading the connections as they're coming from the Pulse Secure client, then the realm level restrictions will not work. Keep that in mind. ... View more

Hi JC, "Access denied" seems to be sent by the NFS server not by the VPN server... Does the Win10 machine and the user account has permission to access the share drive? Please capture the traffic using wireshark on the windows 10 machine while mapping the network drive and share it for review. ... View more

From the logs, it seems that the "uiProvider" (one of the plugin) is not registering properly, hence it will not be initialized/loaded. How the pulse client was deployed to the user machines? What behaviour is being exhibited by the pulse client, when the users attempt to launch and try to Connect? ... View more

Please refer to this KB article: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40430 for the Pre-requisites, Limitations.   To revert operation mode, there will be option called "Switch to Active Directory Legacy Mode" under Active Directory Selection section.   FYI, https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40251 ... View more

Hi @mantonini,   What happens if we exclude PulseSecureService.exe and HostCheckerService.dll file from the Antivirus realtime/on-demand scan engine?.   PulseSecureService.exe - C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe   HostCheckerService - C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\HostCheckerService.dll   If possible, please exclude the entire folder/sub-folders "C:\Program Files (x86)\Common Files\Pulse Secure" and check the behavior.   Thanks, Ray. ... View more

From my understanding, host checker applied on the realm level (require and enforce) will be checked before the user login and role level (evaluate) will be checked after user login. It's like pass this policy and I will provide a chance to login (realm) and pass this policy and I will provide you this role (Authorization). One convenient scenario, where role level host checker is used, when you would like to provide access(assign user roles) to somebody based on their compliance results i.e. if you pass - get full access, if you fail - get limited/quartined access. ... View more

What is the tunnel mode being used? L3 tunnel or SAM?   What type of applications will you be using after connected to VPN?     ... View more

What does the host checker checks for? Any error message displayed at last? Was it working before, since you said "a few days before".. any recent OS upgrades or configuration changes on MacBook? Set the log level to detailed, annotate with any text, replicate the issue (leave the checking compliance to run for few minutes) and share the logs (zip file) to see what's happening. ... View more

What is the Pulse Client version? (help > about) What type of VPN connection? ( When connected > right click on the connection name >> advanced connection details >> tunnel type? ) ... View more

@andrew.hughes Is the Pulse client UI status stuck at "Disconnected" even after providing valid credentials during the login? ... View more

@ggarcia is correct, Authorization (Role assignment) will be done after Authentication (tied to user realm). Hence, having role based MFA is not feasible. ... View more

Hmm.. User logs in to linux box using SSH through VPN tunnel (Pulse Secure), then opens "Midnight commander" application on the linux box and tries to access the files, it does not work... 🤔🙄   Will the application uses the IP address of the linux machine for further access? Quickly googling about the tool, reveals that it's a "visual file manager"... so are you trying to access or manage files of a different machine using the linux box?    Sorry, I may be wrong..! Please explain. ... View more