Hi Jeff... I find this quite interesting as we have a fair number of SRX deployed with a limited number offering Dynamic VPN.

I just checked an SRX210 running 10.2R3.10 that we were planning to upgrade to 10.4R4.5 as per Juniper recommended release. It does not have this issue and the dynamic VPN works quite well. We had a ticket running with Juniper for quite a while on the "multiple logins" problem - our users are pretty used to entering their credentials twice each time they connect; however, I was informed today that they haven't had to do this in quite some time (we have no idea why).

On that particular SRX210 we do have "local logins" working with no RADIUS server - there was a lot of JTAC confusion that this wasn't supported but after 2 months of wrestling we got it working just fine. In fact, we don't have any Dynamic VPNs running with RADIUS servers to date.

I did notice on the 10.4R4.5 and higher releases (someone might correct me on the exact release it was introduced) that local IP pools are now functional - this is a major feature that should have been incorporated since the first release in my opinion.

This is all using the Access Manager client - we have not had very good reliable success with Pulse either, which is too bad as it seems like it *will* be a much nicer client to work with.

Most of our customers we have on SA platform, which works extremely well including iPhone, Mac, PC etc. Unfortunately this introduces more costs to customer deployments though. Pulse does work very well with the SA series as well.

Hope this helps.

Cheers,

Paul

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wheeler
Sent: Wednesday, August 03, 2011 3:41 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Junos Pulse / SRX240 problems

I have a very simple VPN configuration for a non-uptime-critical service, with an SRX240H and Dynamic VPN client licenses. This worked fine with Junos 10.4R4.5 (JTAC recommended release) and the Juniper Access Manager client.
However, Dynamic VPN sessions were becoming "stuck," and hours or days after a user had disconnected, they would still appear in `show security ike ...` and still consume Dynamic VPN licenses as reported by `show system licenses`. The same users were shown many times, etc.

I have tried 11.1R3.5 and it has solved the stuck IKE associations / license exhaustion issue, but the Junos Pulse client is not working well. JAM does work fine, but the web front-end installs Pulse for end-users now.

From my test machine, I can sometimes connect the VPN on the first or second try, but usually have to enter login credentials at least twice. Where it gets problematic is if I disconnect and later attempt to reconnect, I might enter my login and click continue 50 times before the VPN session is established, if it ever works at all. Restarting Pulse does not seem helpful, but rebooting the PC does. I have not tried rebooting the SRX, but I find no entries cleared when issuing `clear security dynamic-vpn all` and that does not appear to influence the problem.

Before someone asks, since this works perfectly with the JAM client, I do not think the SRX configuration is any issue. This config is as simple as can be, without even a RADIUS server yet.

My impression right now is that the Pulse client is too buggy to deploy and I should downgrade back to 10.4R4.5 so users will receive Juniper Access Manager instead. I have read a few similar opinions on the Juniper forums.

I would appreciate any thoughts you guys have.

-- 
Jeff S Wheeler <j...@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp