We are using dynamic VPN with an SRX320. Normally connections do work, but it often happens that the Pulse app shows the connection as established while in fact no access works. This problem occurs for many of our users. Often it is a reconnection in the morning etc., but sometimes the connection fails completely. Any ideas what can cause this?
Client side information:
All users are on Win10 with Pulse Secure, connection type "Firewall SRX". We have tried Pulse 9.1r6, r5, r4, r3.1, r2, 9.0r4 and 5.3r3, and all of those have had the issue, so I can say that the problem is not a wrong Pulse release etc.
On the Juniper side, 'show log kmd-logs' shows the following in failure cases like this:
IKE succeeds:
Jun 11 10:21:49 OUR-FW kmd[2001]: IKE negotiation successfully completed. IKE Version: 1, VPN: DYNAMIC-VPN Gateway: DYNAMIC-VPN, Local: 123.123.123.123/4500, Remote: 80.81.82.83/17000, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, VR-ID: 0, Role: Responder
Jun 11 10:21:58 OUR-FW kmd[2001]: KMD_VPN_UP_ALARM_USER: VPN DYNAMIC-VPN from 80.81.82.83 is up. Local-ip: 123.123.123.123, gateway name: DYNAMIC-VPN, vpn name: DYNAMIC-VPN, tunnel-id: 67110011, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, AAA username: user123, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=10.0.0.0/8), Traffic-selector remote ID: ipv4(any:0,[0..3]=172.20.16.1), SA Type: Static
Less than 60 seconds later, IPsec fails:
Jun 11 10:22:54 OUR-FW kmd[2001]: IPSec negotiation failed with error: Timed out. IKE Version: 1, VPN: DYNAMIC-VPN Gateway: DYNAMIC-VPN, Local: 123.123.123.123/4500, Remote: 80.81.82.83/17000, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, VR-ID: 0
Less than 10 minutes later:
Jun 11 10:32:14 OUR-FW kmd[2001]: KMD_VPN_DOWN_ALARM_USER: VPN DYNAMIC-VPN from 80.81.82.83 is down. Local-ip: 123.123.123.123, gateway name: DYNAMIC-VPN, vpn name: DYNAMIC-VPN, tunnel-id: 67110011, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, AAA username: user123, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=10.0.0.0/8), Traffic-selector remote ID: ipv4(any:0,[0..3]=172.20.16.1), SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Here are some snippets of our configuration that are relevant:

IKE proposal:
    lifetime-seconds 28800;

IPsec VPN:
vpn DYN-VPN {
    ike {
        gateway DYN-VPN;
        idle-time 72000;        => Was not set earlier, but tried this too (to be removed?)
        ipsec-policy DYN-VPN;
        install-interval 3;     => Was not set earlier, but tried this too (to be removed?)
    }
}

IKE gateway:
gateway DYN-VPN {
    ike-policy DYN-VPN;
    dynamic {
        hostname dynvpn;
        connections-limit 25;
        ike-user-type group-ike-id;
    }
    dead-peer-detection {       => Was not set earlier, but tried this too (to be removed?)
        optimized;
        interval 10;
        threshold 5;
    }
}
Tunnel is configured as a split tunnel.
Should, for example, proxy-identities also be configured for Dynamic VPN? This is something we haven't tried yet, as Juniper's dynamic VPN documentation shows this (https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA).
In 80% of cases the (re)connection does work, but not always. We have already spent quite a long time trying to solve this, but the problem persists. The issue has also been reported to Juniper, but so far the ticket has progressed very slowly, so any tips you have are welcome.
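Since the failure pattern in the post is "VPN up, then IPsec negotiation times out within a minute, then a delete from the peer ten minutes later", the first thing worth establishing across many users is how often that sequence actually occurs and for whom. The script below is an added example, not part of the original post or of any Juniper tooling: it correlates kmd-logs lines per (Remote IKE-ID, peer address) into sessions and measures the time from KMD_VPN_UP to the first "IPSec negotiation failed" and to KMD_VPN_DOWN. The sample log is constructed from the lines quoted above (with the UP/DOWN lines trimmed to the fields the parser needs) plus a fictitious healthy user, and the year used for timestamps is an assumption because kmd-logs carry none.

```python
import re
from datetime import datetime

# Constructed sample: the post's failing session (user123) plus a made-up healthy one (user456).
SAMPLE_LOG = """\
Jun 11 08:00:01 OUR-FW kmd[2001]: IKE negotiation successfully completed. IKE Version: 1, VPN: DYNAMIC-VPN Gateway: DYNAMIC-VPN, Local: 123.123.123.123/4500, Remote: 80.81.82.84/4500, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user456dynvpn, VR-ID: 0, Role: Responder
Jun 11 08:00:05 OUR-FW kmd[2001]: KMD_VPN_UP_ALARM_USER: VPN DYNAMIC-VPN from 80.81.82.84 is up. Local-ip: 123.123.123.123, gateway name: DYNAMIC-VPN, vpn name: DYNAMIC-VPN, tunnel-id: 67110012, Remote IKE-ID: user456dynvpn, AAA username: user456, VR id: 0
Jun 11 10:21:49 OUR-FW kmd[2001]: IKE negotiation successfully completed. IKE Version: 1, VPN: DYNAMIC-VPN Gateway: DYNAMIC-VPN, Local: 123.123.123.123/4500, Remote: 80.81.82.83/17000, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, VR-ID: 0, Role: Responder
Jun 11 10:21:58 OUR-FW kmd[2001]: KMD_VPN_UP_ALARM_USER: VPN DYNAMIC-VPN from 80.81.82.83 is up. Local-ip: 123.123.123.123, gateway name: DYNAMIC-VPN, vpn name: DYNAMIC-VPN, tunnel-id: 67110011, Remote IKE-ID: user123dynvpn, AAA username: user123, VR id: 0
Jun 11 10:22:54 OUR-FW kmd[2001]: IPSec negotiation failed with error: Timed out. IKE Version: 1, VPN: DYNAMIC-VPN Gateway: DYNAMIC-VPN, Local: 123.123.123.123/4500, Remote: 80.81.82.83/17000, Local IKE-ID: 123.123.123.123, Remote IKE-ID: user123dynvpn, VR-ID: 0
Jun 11 10:32:14 OUR-FW kmd[2001]: KMD_VPN_DOWN_ALARM_USER: VPN DYNAMIC-VPN from 80.81.82.83 is down. Local-ip: 123.123.123.123, gateway name: DYNAMIC-VPN, vpn name: DYNAMIC-VPN, tunnel-id: 67110011, Remote IKE-ID: user123dynvpn, AAA username: user123, VR id: 0, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kmd\[\d+\]: (?P<msg>.*)$")
USER_RE = re.compile(r"Remote IKE-ID: ([^,]+)")
PEER_RE = re.compile(r"(?:Remote: |from )(\d{1,3}(?:\.\d{1,3}){3})")
IPSEC_FAIL_RE = re.compile(r"IPSec negotiation failed with error: ([^.]+)\.")
REASON_RE = re.compile(r"Reason: (.*)$")


def parse_ts(text, year=2020):
    # kmd-logs have no year; the year is an assumption and only intra-day deltas are used
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Turn one kmd-logs line into an event dict, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if msg.startswith("IKE negotiation successfully completed"):
        kind, extra = "ike_ok", {}
    elif msg.startswith("KMD_VPN_UP_ALARM_USER"):
        kind, extra = "vpn_up", {}
    elif msg.startswith("KMD_VPN_DOWN_ALARM_USER"):
        r = REASON_RE.search(msg)
        kind, extra = "vpn_down", {"reason": r.group(1) if r else ""}
    else:
        f = IPSEC_FAIL_RE.search(msg)
        if not f:
            return None
        kind, extra = "ipsec_fail", {"error": f.group(1)}
    user, peer = USER_RE.search(msg), PEER_RE.search(msg)
    if not (user and peer):
        return None
    return {"ts": parse_ts(m.group("ts")), "kind": kind,
            "user": user.group(1), "peer": peer.group(1), **extra}


def correlate(log_text):
    """Group events into sessions keyed by (Remote IKE-ID, peer IP); one session per VPN UP."""
    last_ike, open_sessions, sessions = {}, {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["peer"])
        if ev["kind"] == "ike_ok":
            last_ike[key] = ev["ts"]
        elif ev["kind"] == "vpn_up":
            if key in open_sessions:            # UP without a DOWN in between: keep the old one
                sessions.append(open_sessions.pop(key))
            ike = last_ike.pop(key, None)
            open_sessions[key] = {"user": ev["user"], "peer": ev["peer"], "up": ev["ts"],
                                  "ike_to_up": (ev["ts"] - ike).total_seconds() if ike else None,
                                  "ipsec_fail_after": None, "ipsec_error": None,
                                  "down_after": None, "down_reason": None}
        elif ev["kind"] == "ipsec_fail" and key in open_sessions:
            s = open_sessions[key]
            if s["ipsec_fail_after"] is None:   # record only the first failure per session
                s["ipsec_fail_after"] = (ev["ts"] - s["up"]).total_seconds()
                s["ipsec_error"] = ev["error"]
        elif ev["kind"] == "vpn_down" and key in open_sessions:
            s = open_sessions.pop(key)
            s["down_after"] = (ev["ts"] - s["up"]).total_seconds()
            s["down_reason"] = ev["reason"]
            sessions.append(s)
    sessions.extend(open_sessions.values())     # still-open sessions at end of log
    return sorted(sessions, key=lambda s: s["up"])


def summarize(sessions, window=60):
    """Count sessions whose first IPsec failure came within `window` seconds of VPN UP."""
    early = [s for s in sessions if s["ipsec_fail_after"] is not None
             and s["ipsec_fail_after"] <= window]
    return {"sessions": len(sessions), "early_ipsec_failures": len(early),
            "users_affected": sorted({s["user"] for s in early})}


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for s in found:
        print(s["user"], s["peer"], "ike->up", s["ike_to_up"], "ipsec-fail@", s["ipsec_fail_after"],
              "down@", s["down_after"], "reason:", s["down_reason"])
    print(summarize(found))
```

Run it against the output of 'show log kmd-logs' saved to a file and replace SAMPLE_LOG with the file contents; the summary gives the share of sessions that hit the up-then-timeout pattern and which IKE-IDs are affected, which is the kind of data that moves a vendor ticket along faster than individual log excerpts.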