Solved

Unable to connect to corporate LAN via Juniper VPN Client

Posted on 2007-03-21
Last Modified: 2013-12-04
--Product name: Juniper VPN Client [connecting to Corporate LAN via CAC authentication]
--Connecting Client OS: XP Pro SP2, via external DSL [domain member, but should connect off domain also, via CAC credentials].
--Internet Options: SSL 2.0, SSL 3.0, and TLS 1.0 are checked;
--LAN settings: all boxes cleared [no proxy]
--Juniper authentication server added to trusted sites
--user is member of authorized security group, allowed to connect remotely.

--user receiving this error: user connects via CAC, to VPN authentication server; clicks Start, to start VPN connection; VPN box appeared and reads, Connecting... Negotiating... Then this error message appears:
"THE SECURE GATEWAY DENIED THE CONNECTION REQUEST FROM THIS CLIENT".
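A client-side pre-flight check for the items the question lists (TLS/SSL settings, no proxy, gateway in Trusted sites) plus the one that turned out to be the root cause later in the thread (client not installed). This is an added example, not code from the thread; it assumes the standard Internet Options and Add/Remove Programs registry locations, a placeholder gateway hostname, and that the client's DisplayName contains "Juniper".

```powershell
# Added example (not from the thread): pre-flight check of the client-side prerequisites
# listed in the question, plus whether the Juniper client is installed at all.
# Assumed: standard Internet Options / Uninstall registry locations; placeholder gateway name.
$gateway = 'vpn.example.com'   # constructed placeholder for the Juniper gateway hostname

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$opts = Get-ItemProperty -Path $inet

# Internet Options > Advanced: SecureProtocols is a bitmask (8 = SSL 2.0, 32 = SSL 3.0, 128 = TLS 1.0)
$sp = [int]$opts.SecureProtocols
'SSL 3.0 enabled : {0}' -f (($sp -band 32)  -ne 0)
'TLS 1.0 enabled : {0}' -f (($sp -band 128) -ne 0)

# LAN settings: ProxyEnable = 0 means no proxy configured, as the question requires
'Proxy disabled  : {0}' -f ([int]$opts.ProxyEnable -eq 0)

# Trusted sites (zone 2): IE stores a host as ZoneMap\Domains\<domain>\<host> with value "https" = 2
$labels = $gateway.Split('.')
$domain = $labels[-2..-1] -join '.'
$sub    = if ($labels.Length -gt 2) { $labels[0..($labels.Length - 3)] -join '.' } else { '' }
$zoneKey = Join-Path $inet "ZoneMap\Domains\$domain"
if ($sub) { $zoneKey = Join-Path $zoneKey $sub }
$trusted = (Test-Path $zoneKey) -and ((Get-ItemProperty $zoneKey).https -eq 2)
'Gateway trusted : {0}' -f $trusted

# Root cause in this thread: the client was never installed. Look for it in Add/Remove Programs.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$client = Get-ChildItem $uninst | ForEach-Object { Get-ItemProperty $_.PSPath } |
          Where-Object { $_.DisplayName -like '*Juniper*' }   # DisplayName match is an assumption
'Client installed: {0}' -f ($client -ne $null)
```

Run it as the affected user, since the Internet Options values are per-user (HKCU) while the installed-software list is machine-wide (HKLM).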

Question by:knowital
5 Comments
 
LVL 30

Expert Comment

by:IanTh
ID: 18764570
Is the VPN server configured for incoming connections?
 
LVL 5

Accepted Solution

by:rjmedina (earned 500 total points)
ID: 18764939
First I would check the session logs on the Juniper to see the user’s connection sessions.  You may need to be logged into the device and have the user attempt to connect to get this information.  How are they connecting?  SSL, TCP, UDP, etc. and is this the expected protocol?  If they are getting this far successfully using the correct protocol then your problem may be with the final authentication to AD.  Are you using a third party RADIUS, a built in Juniper solution or IAS?

Having stated the above, my first instinct on this was that it may be a port blocking issue.  But, I don’t work with Juniper equipment so I did a search and I found this Juniper forum post.  The last two posts at the bottom of the page are what I think will be of most interest to you.  

http://www.juniperforum.com/index.php?topic=3005.new

Your problem may be a little different though because you're using a SmartCard for authentication; I am unfamiliar with configuring Junipers for Smartcard Auth (we use Cisco equipment).  However, I am familiar with troubleshooting VPN connections via CAC using a Cisco VPN concentrator/Client, so maybe I can shed some light on this issue despite my lack of Juniper knowledge.

Also when troubleshooting client side issues I have seen errors and situations similar to this using our Cisco VPN client with Smartcards.  I’ll list a few here to see if any of them help.  

1) Sometimes hotels block the TCP port we’re using and we have to instruct the user to change their client from TCP to UDP.
2) In another situation we found that a Kerberos hotfix was required for the user’s workstation to receive a Kerb ticket once they VPN’d into the network. You can troubleshoot the Kerberos issue with Kerbtray. This is a link to get the hotfix: http://support.microsoft.com/kb/906681
You can pretty much ignore the KB article as it seemingly has nothing to do with this problem, however, we were instructed by MS to try this patch when we presented them with our findings using Kerbtray – apparently this patch fixes A LOT of issues with Kerberos in Windows XP. We have since applied this hotfix to all of our workstations.
3) We also found, depending on how far away the location, that timeouts were an issue – it just took too long for the request from the client to reach the DC and a response to be returned.

Also, as a small side note, you may want to keep in mind when posting to forums for help that CAC is a DoD/Army name and many folks who could help you may not recognize CAC as an alternate term for Smartcard authentication and therefore, not respond.

Hope this helps!
 
LVL 63

Expert Comment

by:SysExpert
ID: 18766738
You do not mention if this is in general or for a particular user.

In any case you need to get the newest client for the VPN, and also check that no firewalls are in place blocking the connection at either end.

I hope this helps!
 

Author Comment

by:knowital
ID: 18772654
Many thanks for the tips everyone.
In reply [answering all Q's listed from all responders, thus far, ordered first to most recent reply]:
I'll have our team check the session logs. I also use http://www.ipaddressworld.com/ to verify and attempt to ping/verify client IPs.

Many users successfully connect, SSL [the expected protocol, worldwide, even from different domains].
Third party RADIUS, a built in Juniper solution or IAS in use? will have to verify this w/my netAdmins.
BTW: "CAC" is a government term for "Common Access Card" [smart authentication ID card].

Thanks for helping me clarify :)
 

Author Comment

by:knowital
ID: 18778254
Third party RADIUS, a built in Juniper solution or IAS in use? Yes, there are Third Party [Juniper] solutions in place.

Self resolved: user's pc did NOT have the Juniper client installed.

Points to rjmedina: for the incredible insight provided up front.
