We have a MAG-SM160 cluster running 7.1R1 and I'm having trouble getting a VPN to work. I suspect it's something embarrassingly stupid.

Network Connect Access Policies
1 initial: allow *:* (applies to joe)
2 local: allow 192.168.0.0/16:* (applies to joe)
3 vlan1: allow 192.168.4.0/24 (applies to joe, users)

Connection profile - test-profile
IP addresses 192.168.92.125-192.168.92.126, applies to role joe

User Realms
joe - when username is joe, assign role joe
users - when username is "*", assign role users

Roles - joe
Overview - Network Connect enabled, Junos Pulse selected
Restrictions - allow from any IP address
VLAN/source IP - VLAN = internal port IP (only choice), source IP = interface IP (192.168.92.132) (only choice)
Network Connect - client = Pulse, split tunnel disabled, route override yes
Junos Pulse - connections: default - allow user connections; connection name SA - allow user override, this server, automatic connect
Junos Pulse - components: default component set (188.8.131.5291), minimal components

Network settings
Network Connect IP address filter "*"
Network Connect server IP address 192.168.92.135

Our network is basically on the Internet with some filtering (names and numbers changed here to protect the guilty). So there's no NAT or routing, and the VPN internal and external addresses are in different subnets of our Internet address space. The MAG is supposed to be giving remote clients a corporate IP address and bypassing the SMB/NFS filtering, with some limits on what they can connect to. If I log on as joe with role joe, I can run ssh sessions, access NFS shares etc. So the basic networking is OK - the MAG can talk to our local network. If I run either Network Connect or Junos Pulse (at least on a Vista client), it connects and modifies the local routing table as expected, giving the client end of the VPN tunnel an address out of the small pool (i.e. 192.168.92.126).
I can then continue to talk to the MAG over HTTP, and ping its various IP addresses (the internal and external addresses of the cluster members as well as the cluster addresses). But I can't ping anything else, either on our corporate network or outside (at least with split tunnel disabled). It looks like an ACL issue, but I have a wildcard "allow" rule on network connect. Apart from this basic problem, I'm also wondering what the "network connect server ip address" does, and what it should be set to. If I try a traceroute from the client, that shows up as the first hop but subsequent hops time out.