Unable to connect to corporate LAN via Juniper VPN Client

--Product name: Juniper VPN Client [connecting to Corporate LAN via CAC authentication]
--Connecting Client OS: XP Pro SP2, via external DSL [domain member, but should connect off domain also, via CAC credentials also].
--Internet Options: SSL 2.0, SSL 3.0, and TLS 1.0 are checked;
--LAN settings: all boxes cleared [no proxy]
--Juniper authentication server added to trusted sites
--user is member of authorized security group, allowed to connect remotely.

--user receiving this error: user connects via CAC to the VPN authentication server; clicks Start to start the VPN connection; VPN box appears and reads, Connecting... Negotiating... Then this error message appears:


Is the VPN server configured for incoming connections?
First I would check the session logs on the Juniper to see the user’s connection sessions.  You may need to be logged into the device and have the user attempt to connect to get this information.  How are they connecting?  SSL, TCP, UDP, etc. and is this the expected protocol?  If they are getting this far successfully using the correct protocol then your problem may be with the final authentication to AD.  Are you using a third party RADIUS, a built in Juniper solution or IAS?

Having stated the above, my first instinct on this was that it may be a port blocking issue.  But, I don’t work with Juniper equipment so I did a search and I found this Juniper forum post.  The last two posts at the bottom of the page are what I think will be of most interest to you.  


Your problem may be a little different though because you're using a SmartCard for authentication; I am unfamiliar with configuring Junipers for Smartcard Auth (we use Cisco equipment).  However, I am familiar with troubleshooting VPN connections via CAC using a Cisco VPN concentrator/Client, so maybe I can shed some light on this issue despite my lack of Juniper knowledge.

Also when troubleshooting client side issues I have seen errors and situations similar to this using our Cisco VPN client with Smartcards.  I’ll list a few here to see if any of them help.  

1) Sometimes hotels block the TCP port we’re using and we have to instruct the user to change their client from TCP to UDP.
2) In another situation we found that a Kerberos hotfix was required for the user’s workstation to receive a Kerb ticket once they VPN’d into the network.  You can troubleshoot the Kerberos issue with Kerbtray.  This is a link to get the hotfix: http://support.microsoft.com/kb/906681
You can pretty much ignore the KB article as it seemingly has nothing to do with this problem, however, we were instructed by MS to try this patch when we presented them with our findings using Kerbtray – apparently this patch fixes A LOT of issues with Kerberos in Windows XP.  We have since applied this hotfix to all of our workstations.
3) We also found, depending on how far away the location, that Timeouts were an issue – it just took too long for the request from the client to reach the DC and a response to be returned.

Also, as a small side note, you may want to keep in mind when posting to forums for help that CAC is a DoD/Army name and many folks who could help you may not recognize CAC as an alternate term for Smartcard authentication and therefore, not respond.

Hope this helps!
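The first two hypotheses in the answer above (a blocked port versus a slow link versus a live gateway whose authentication back end is the real problem) can be separated from the client side before anyone logs into the Juniper to pull session logs. The script below is an added example for this thread, not code from the poster, from Experts Exchange or from Juniper; the gateway hostname and port are placeholders you must replace (Juniper SSL VPNs are commonly reached over TCP 443, but confirm the port with the network admins), and the "slow" threshold is an assumed value.

```python
"""Classify why a TCP connection to a VPN gateway fails or succeeds.

Added example for the troubleshooting discussion above. It tells apart
  - timeout   : no SYN-ACK before the deadline (the "hotel blocks the port" case)
  - refused   : RST came back, so the host is up but nothing listens there
  - open      : transport works; if the client still fails, look at authentication
and records the elapsed time so a slow path (the "requests to the DC time out"
case) is visible even when the port is open.
"""
import socket
import time
from dataclasses import dataclass

GATEWAY_HOST = "vpn.example.com"   # placeholder: put the real gateway name here
GATEWAY_PORT = 443                 # assumption: SSL VPN over HTTPS; confirm with netadmins
SLOW_AFTER_SECONDS = 1.0           # assumed threshold for "reachable but slow"


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str      # "open", "refused", "timeout" or "unreachable"
    seconds: float  # wall-clock time the attempt took
    detail: str = ""


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt one TCP handshake and classify the outcome."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "open", time.monotonic() - start)
    except socket.timeout:
        return ProbeResult(host, port, "timeout", time.monotonic() - start,
                           "no SYN-ACK before the deadline: filtered or black-holed")
    except ConnectionRefusedError:
        return ProbeResult(host, port, "refused", time.monotonic() - start,
                           "RST received: host reachable, nothing listening on this port")
    except OSError as exc:
        # e.g. "Network is unreachable" or a DNS failure
        return ProbeResult(host, port, "unreachable", time.monotonic() - start, str(exc))


def interpret(result: ProbeResult, slow_after: float = SLOW_AFTER_SECONDS) -> str:
    """Map the probe outcome onto the hypotheses raised in the thread."""
    if result.state == "open":
        if result.seconds > slow_after:
            return ("transport OK but slow (%.2fs): gateway reachable, so look at "
                    "authentication back-end (RADIUS/AD) timeouts next" % result.seconds)
        return ("transport OK: port open; if the client still fails, check the "
                "gateway session log and the authentication back end")
    if result.state == "timeout":
        return ("likely port filtering between client and gateway (hotel or home "
                "firewall); try the alternate transport the client offers")
    if result.state == "refused":
        return "host answers but nothing listens on this port: wrong port or service down"
    return "no route to host: %s" % result.detail


def local_selfcheck() -> tuple:
    """Offline demonstration: probe a throw-away local listener, then the same
    port after it is closed. Returns the two observed states."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0).state
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0).state
    return while_listening, after_close


if __name__ == "__main__":
    res = probe_tcp(GATEWAY_HOST, GATEWAY_PORT)
    print("%s:%d -> %s (%.2fs) %s" % (res.host, res.port, res.state, res.seconds, res.detail))
    print(interpret(res))
```

Run it from the failing user's machine and from one that connects fine; a `timeout` on the bad machine and `open` on the good one points at the path (local firewall, hotel network), while `open` on both moves the investigation to the gateway session log and the RADIUS/AD step, exactly the order the answer above suggests. A UDP probe is deliberately left out: with UDP, silence does not distinguish a filtered port from a listening one.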

You do not mention if this is in general or for a particular user.

In any case you need to get the newest client for the VPN, and also check that no firewalls are in place blocking the connection at either end.

I hope this helps!
knowital (Author) commented:
Many thanks for the tips everyone.
In reply [answering all Qs listed from all responders, thus far, ordered first to most recent reply]:
I'll have our team check the session logs. I also use http://www.ipaddressworld.com/ to verify and attempt to ping/verify client IPs.

Many users successfully connect, SSL [the expected protocol, worldwide, even from different domains].
Third party RADIUS, a built in Juniper solution or IAS in use? will have to verify this w/my netAdmins.
BTW: "CAC" is a government term for "Common Access Card" [smart authentication ID card].

Thanks for helping me clarify :)
knowital (Author) commented:
Third party RADIUS, a built in Juniper solution or IAS in use? Yes, there are Third Party [Juniper] solutions in place.

Self resolved: user's pc did NOT have the Juniper client installed.

Points to rjmedina: for the incredible insight provided up front.