- Pulse Secure Community
- :
- About adaviel_
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
since
10-29-2017
10-29-2017
adaviel_
Occasional Contributor
11
Posts
0
Kudos
2
Solutions
05-25-2012
06:48:PM
Solved. We have two DHCP servers configured for active/inactive failover. The active one responds to a cluster address but replies come from the server's base address. Since I can SSH to the cluster address I had not realized this could be an issue. I changed the configuration on the MAG to use the base address of both DHCP servers. It sends DHCP discover and request to both but gets offer and Ack from only the active one and uses that.
... View more
05-25-2012
04:07:PM
(sorry for the delay - long weekend, other tasks) The DHCP server logs DHCPDISCOVER from 55:4e:32:00:00:00 (mypc) via 192.168.x.y DHCPOFFER on 192.168.79.254 to 55:4e:32:00:00:00 (mypc) via 192.168.x.y 192.168.x.y (sanitized) is the internal address of one MAG cluster member 192.168.79.254 (sanitized) is the client address allocated from the DHCP pool I see the same DHCP packets (discover, offer) in tcpdump on the MAG The MAG logs say VPN Tunneling: IP address cannot be allocated to user xxx. Solution: Check IP Address Pools / DHCP server state. I can't easily put the MAG and DHCP server on the same subnet; the MAG's internal and external interfaces are on two small VLANs on our router. We have a similar setup with WiFi access points which works with dhcprelay I just found something else to try relating to failover addresses on the DHCP server; more later if that works.
... View more
05-17-2012
01:34:PM
I don't see an error on the client - Junos Pulse just says "connecting" This version has system>network>VPN Tunneling (Network Settings) not "network connect" - IP filters to apply to VPN IP pools. The filter is "*". This range works when generated by the IVE itself. tcpdump on the IVE shows DHCP Discover from the internal interface of one cluster member to the DHCP server, and a DHCP Offer coming back
... View more
05-16-2012
07:04:PM
I have a working tunnel using Junos Pulse and an IP address pool. I want to use an external DHCP server instead (ISC dhcp-3.0.5 on Linux) I created a pool on the server, and set option 118 per KB23329 The server then issues a DHCP offer of a pool address e.g. 192.168.79.254, which I can see at the internal cluster interface. But the client does not accept the offer, or does not see it.
... View more
05-15-2012
07:04:PM
Thank you - although I missed your reply before solving it. "VPN address 192.168.126" was a typo - it was supposed to be 192.168.92.126. Looking again at this, I think we had the pool addresses in the same subnet as the external cluster interface not the internal interface. We have separate narrow VLANs for the connections from our BigIron router to the MAG, so the interfaces are not seeing our entire network. In any case, we changed to a bigger address pool like 192.168.79/24 and added a static route to the internal interface. This now seems to be working as expected
... View more
05-11-2012
05:01:PM
I think that's nailed it, thanks. Hard to tell as I need to manually remove the RapidSSL cert from the Java keystore and then reconnect, which is like proving a negative. I should try from a different fresh client. I will mark this as resolved, in any case. For the benefit of anyone else reading this thread, the solution seems to be to download the RapidSSL certificate bundle from https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem and install it as an custom intermediate CA on the MAG certificates configuration page.
... View more
05-11-2012
04:11:PM
That makes no difference. It doesn't make a lot of sense, either, as we don't use 10/8. I can see ICMP packets arriving on the target, and replies sent, but they do not make it to the client, or that I can see with tcpdump on the MAG, to the MAG chassis. I tried turning off Windows Firewall to no avail. If I ping from the target, I get replies from the MAG ports on 192.168.92.124 and 192.168.92.129, which makes me think I have a good route to 192.168.92/24, but not from the VPN address 192.168.126.
... View more
05-11-2012
01:25:PM
I don't quite follow you. I generated a CSR on the MAG, then sent that to RapidSSL. They provided a certificate, which I imported into the MAG (which is a webserver now with a key and a certificate). In both Firefox and Java on the client computer, the Global Trust CA root certificate is installed by default as a trusted authority. In Firefox, that is sufficient to validate the MAG webserver. In Junos Pulse, using the Java SSL library, it is not. I have to manually install, on each client system, the intermediate RapidSSL certificate into the Java keystore. If you mean can I give you the URL to our MAG appliance, yes, but I would rather not do so on a public forum. Is there a private message ability in these forums ? Else I'll just give my email.
... View more
05-11-2012
10:40:AM
No, that is a different issue, where the client is using a certificate for authentication. The issue I have is "cosmetic" only - the user can click "always trust this certificate". As a security officer I deprecate that, and besides, it's annoying to have paid for a commercial certificate that offers no advanatage over a free one from our own CA.
... View more
05-10-2012
07:19:PM
We have a MAG-SM160 cluster running 7.1R1 I'm having trouble getting a VPN to work. I suspect it's something embarrassingly stupid. Network Connect Access Policies 1 initial allow *:* applies to joe 2 local allow 192.168.0.0/16:* applies to joe 3 vlan1 allow 192.168.4.0/24 applies to joe,users connection profile - test-profile ip addresses 192.168.92-125-192.168.92.126 applies to role joe User Realms joe - when username is joe assign role joe users - when username is "*" assign role users Roles - joe overview - network connect enabled, junos pulse selected restrictions - allow from any ip address vlan source ip - vlan = internal port ip (only choice), source ip = interface ip (192.168..92.132) (only choice) network connect - client = pulse, split tunnel disable, route override yes junos pulse - connections default - allow user connections connection name SA - allow user override, this server, automatic connect junos pulse - components default component set (2.0.0.8491), minimal components network settings - network connect ip address filter "*" network connect server ip address 192.168.92.135 Our network is basically on the Internet with some filtering (names and numbers changed here to protect the guilty). So there's no NAT or routing, and the VPN internal and external addresses are in different subnets of our internet address space. The MAG is supposed to be giving remote clients a corporate IP address and bypassing the SMB/NFS filtering, with some limits on what they can connect to. If I logon as joe with role joe, I can run ssh sessions, access NFS shares etc. So the basic networking is OK - the MAG can talk to our local network. If I run either network connect or Junos Pulse (at least on a Vista client), it connects and modifies the local routing table as expected, giving the client end of the VPN tunnel an address out of the small pool (i.e.. 192.168.92.126). I can then continue to talk to the MAG over HTTP, and ping its various IP addresses (the internal and external addresses of the cluster members as well as the cluster addresses). But I can't ping anything else, either on our corporate network or outside (at least with split tunnel disabled). It looks like an ACL issue, but I have a wildcard "allow" rule on network connect. Apart from this basic problem, I'm also wondering what the "network connect server ip address" does, and what it should be set to. If I try a traceroute from the client, that shows up as the first hop but subsequent hops time out.
... View more
05-10-2012
06:17:PM
We have a MAG-SM160 version 7.1R1 I installed a commercial certificate from RapidSSL and associated it with the external cluster address. Firefox is happy. But when I connect with Junos Pulse, it gives a security alert saying that the site is untrusted. I can make the warning go away by installing the RapidSSL certificate in the Java keystore on the client, in addition to the preinstalled Global Trust CA parent certificate. This isn't a good solution forexternal users. Is this a known problem with Oracle Java, that I need to get a non-chained certificate instead ? http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate
... View more
Latest Tags
No tags yet
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy.
Pulse Secure has updated its Privacy Policy effective June 28, 2017.
