Solved

Unable to connect to corporate LAN via Juniper VPN Client

Posted on 2007-03-21
Last Modified: 2013-12-04
--Product name: Juniper VPN Client [connecting to corporate LAN via CAC authentication]
--Connecting client OS: XP Pro SP2, via external DSL [domain member, but should also connect off-domain via CAC credentials].
--Internet Options: SSL 2.0, SSL 3.0, and TLS 1.0 are checked;
--LAN settings: all boxes cleared [no proxy]
--Juniper authentication server added to trusted sites
--User is a member of the authorized security group, allowed to connect remotely.

--User receiving this error: user connects via CAC to the VPN authentication server, clicks Start to start the VPN connection; the VPN box appears and reads "Connecting... Negotiating...", then this error message appears:
"THE SECURE GATEWAY DENIED THE CONNECTION REQUEST FROM THIS CLIENT".


Question by: knowital

Expert Comment by: IanTh (LVL 30), ID: 18764570

Is the VPN server configured for incoming connections?

Accepted Solution by: rjmedina (LVL 5, earned 500 total points), ID: 18764939

First I would check the session logs on the Juniper to see the user’s connection sessions.  You may need to be logged into the device and have the user attempt to connect to get this information.  How are they connecting?  SSL, TCP, UDP, etc., and is this the expected protocol?  If they are getting this far successfully using the correct protocol then your problem may be with the final authentication to AD.  Are you using a third-party RADIUS, a built-in Juniper solution or IAS?

Having stated the above, my first instinct on this was that it may be a port blocking issue.  But, I don’t work with Juniper equipment so I did a search and I found this Juniper forum post.  The last two posts at the bottom of the page are what I think will be of most interest to you.  

http://www.juniperforum.com/index.php?topic=3005.new

Your problem may be a little different though because you're using a SmartCard for authentication; I am unfamiliar with configuring Junipers for Smartcard Auth (we use Cisco equipment).  However, I am familiar with troubleshooting VPN connections via CAC using a Cisco VPN concentrator/Client, so maybe I can shed some light on this issue despite my lack of Juniper knowledge.

Also when troubleshooting client side issues I have seen errors and situations similar to this using our Cisco VPN client with Smartcards.  I’ll list a few here to see if any of them help.  

1) Sometimes hotels block the TCP port we’re using and we have to instruct the user to change their client from TCP to UDP.
2) In another situation we found that a Kerberos hotfix was required for the user’s workstation to receive a Kerb ticket once they VPN’d into the network.  You can troubleshoot the Kerberos issue with Kerbtray.  This is a link to get the hotfix: http://support.microsoft.com/kb/906681
   You can pretty much ignore the KB article as it seemingly has nothing to do with this problem; however, we were instructed by MS to try this patch when we presented them with our findings using Kerbtray – apparently this patch fixes A LOT of issues with Kerberos in Windows XP.  We have since applied this hotfix to all of our workstations.
3) We also found, depending on how far away the location was, that timeouts were an issue – it just took too long for the request from the client to reach the DC and a response to be returned.

Also, as a small side note, you may want to keep in mind when posting to forums for help that CAC is a DoD/Army name and many folks who could help you may not recognize CAC as an alternate term for Smartcard authentication and therefore, not respond.

Hope this helps!
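
As an added example (not code from this thread, from knowital's environment, or from Juniper), the following Python script is a client-side pre-flight probe that sorts one TCP connection attempt into the cases rjmedina says to tell apart before touching the gateway: a port silently dropped by a hotel or ISP firewall (timeout), nothing listening on that port (refused), a name that does not resolve, and a path that works but is slow enough to trip authentication timeouts. The gateway host and port are placeholders; port 443 is assumed as the default only because the thread says users connect over SSL, and the 2-second "slow" threshold is an arbitrary example value.

```python
"""Pre-flight TCP probe for an SSL VPN gateway (added example, not Juniper tooling).

Classifies a connect attempt as open / refused / timeout / dns_fail / unreachable
so that "the gateway denied me" can be separated from "I never reached the gateway".
"""
import socket
import sys
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str        # open | refused | timeout | dns_fail | unreachable
    elapsed_ms: float


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Attempt one TCP connect and classify how it succeeded or failed."""
    start = time.monotonic()

    def elapsed() -> float:
        return (time.monotonic() - start) * 1000.0

    try:
        info = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return ProbeResult(host, port, "dns_fail", elapsed())
    family, socktype, proto, _, sockaddr = info[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        status = "open"
    except socket.timeout:          # SYN never answered: a firewall is dropping it
        status = "timeout"
    except ConnectionRefusedError:  # RST came back: nothing is listening there
        status = "refused"
    except OSError:                 # no route, network down, etc.
        status = "unreachable"
    finally:
        sock.close()
    return ProbeResult(host, port, status, elapsed())


def diagnose(result: ProbeResult, slow_ms: float = 2000.0) -> str:
    """Map a probe outcome onto the troubleshooting branches from the answer above."""
    if result.status == "open":
        if result.elapsed_ms > slow_ms:
            return "reachable but slow; check round-trip time and auth/DC timeouts"
        return "reachable; port is not blocked, so look at gateway session logs and the auth backend"
    if result.status == "timeout":
        return "silently dropped; typical of a hotel or ISP firewall, try the alternate transport or port"
    if result.status == "refused":
        return "actively refused; wrong port, or the gateway is not accepting connections"
    if result.status == "dns_fail":
        return "name does not resolve; fix DNS before looking at the VPN at all"
    return "unreachable; no route to the gateway from this network"


def demo_local() -> tuple:
    """Offline demonstration: probe a local listener, then the same port after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]                                   # e.g. the gateway's DNS name
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443  # 443 assumed for SSL VPN
        r = probe_tcp(host, port)
        print(f"{r.host}:{r.port} -> {r.status} in {r.elapsed_ms:.0f} ms: {diagnose(r)}")
    else:
        for r in demo_local():
            print(f"{r.host}:{r.port} -> {r.status}: {diagnose(r)}")
```

Run it on the failing workstation as `python probe.py <gateway-hostname> 443`. A timeout or refused result means the client never completed a TCP handshake with the gateway, so the problem sits between the two ends (rjmedina's item 1, or the firewall point SysExpert raises) rather than in the gateway's authentication; an open result means the transport is fine and the next stop is the gateway's session logs and the RADIUS/IAS backend.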

Expert Comment by: SysExpert (LVL 63), ID: 18766738

You do not mention if this is in general or for a particular user.

In any case you need to get the newest client for the VPN, and also check that no firewalls are in place blocking the connection at either end.

I hope this helps !

Author Comment by: knowital, ID: 18772654

Many thanks for the tips everyone.
In reply [answering all questions listed from all responders so far, ordered from first to most recent reply]:
I'll have our team check the session logs. I also use http://www.ipaddressworld.com/ to verify and attempt to ping/verify client IPs.

Many users successfully connect via SSL [the expected protocol, worldwide, even from different domains].
Third-party RADIUS, a built-in Juniper solution or IAS in use? I will have to verify this with my net admins.
BTW: "CAC" is a government term for "Common Access Card" [smart authentication ID card].

Thanks for helping me clarify :)

Author Comment by: knowital, ID: 18778254

Third-party RADIUS, a built-in Juniper solution or IAS in use? Yes, there are third-party [Juniper] solutions in place.

Self resolved: user's pc did NOT have the Juniper client installed.

Points to rjmedina: for the incredible insight provided up front.