

Unable to connect to corporate LAN via Juniper VPN Client

Posted on 2007-03-21
Medium Priority
Last Modified: 2013-12-04
--Product name: Juniper VPN Client [connecting to Corporate LAN via CAC authentication]
--Connecting Client OS: XP Pro SP2, via external DSL [domain member, but should connect off domain also, via CAC credentials also].
--Internet Options: SSL 2.0, SSL 3.0, and TLS 1.0 are checked;
--LAN settings: all boxes cleared [no proxy]
--Juniper authentication server added to trusted sites
--user is member of authorized security group, allowed to connect remotely.

--user receiving this error: user connects via CAC, to VPN authentication server; clicks Start, to start VPN connection; VPN box appeared and reads, Connecting... Negotiating... Then this error message appears:

Question by:knowital

Expert Comment

ID: 18764570
Is the VPN server configured for incoming connections?

Accepted Solution

rjmedina earned 2000 total points
ID: 18764939
First I would check the session logs on the Juniper to see the user’s connection sessions.  You may need to be logged into the device and have the user attempt to connect to get this information.  How are they connecting?  SSL, TCP, UDP, etc. and is this the expected protocol?  If they are getting this far successfully using the correct protocol then your problem may be with the final authentication to AD.  Are you using a third party RADIUS, a built in Juniper solution or IAS?

Having stated the above, my first instinct on this was that it may be a port blocking issue.  But, I don’t work with Juniper equipment so I did a search and I found this Juniper forum post.  The last two posts at the bottom of the page are what I think will be of most interest to you.

Your problem may be a little different though because you're using a SmartCard for authentication; I am unfamiliar with configuring Junipers for Smartcard Auth (we use Cisco equipment).  However, I am familiar with troubleshooting VPN connections via CAC using a Cisco VPN concentrator/Client, so maybe I can shed some light on this issue despite my lack of Juniper knowledge.

Also when troubleshooting client side issues I have seen errors and situations similar to this using our Cisco VPN client with Smartcards.  I’ll list a few here to see if any of them help.  

1)      Sometimes hotels block the TCP port we’re using and we have to instruct the user to change their client from TCP to UDP.  
2)      In another situation we found that a Kerberos hotfix was required for the user’s workstation to receive a Kerb ticket once they VPN’d into the network.  You can troubleshoot the Kerberos issue with Kerbtray.  This is a link to get the hotfix:
You can pretty much ignore the KB article as it seemingly has nothing to do with this problem, however, we were instructed by MS to try this patch when we presented them with our findings using Kerbtray – apparently this patch fixes A LOT of issues with Kerberos in Windows XP.  We have since applied this hotfix to all of our workstations.
3)      We also found, depending on how far away the location, that Timeouts were an issue – it just took too long for the request from the client to reach the DC and a response to be returned.  

Also, as a small side note, you may want to keep in mind when posting to forums for help that CAC is a DoD/Army name and many folks who could help you may not recognize CAC as an alternate term for Smartcard authentication and therefore, not respond.

Hope this helps!
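
A client-side probe for items 1 and 3 of the answer above (a blocked TCP port versus a slow round trip), added here as an example and not part of the original post. The verdict names, the thresholds and the placeholder host `vpn.example.com` are assumptions.

```python
import socket
import ssl
import time

def probe_gateway(host, port=443, timeout=5.0, slow_ms=1500.0):
    """Classify one SSL VPN connection attempt from the client side.

    Returns (verdict, elapsed_ms). Verdicts (names are this example's own):
      tcp_refused     - host reachable, nothing listening on the port
      tcp_timeout     - no answer at all; typical of a filtered port
      tcp_unreachable - DNS failure, no route, or other socket error
      tls_timeout     - TCP connected, TLS handshake never completed
      tls_failed      - handshake rejected (protocol mismatch, reset)
      slow / ok       - handshake completed, above / below slow_ms
    """
    start = time.monotonic()
    elapsed = lambda: (time.monotonic() - start) * 1000.0
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused", elapsed()
    except (socket.timeout, TimeoutError):
        return "tcp_timeout", elapsed()
    except OSError:
        return "tcp_unreachable", elapsed()
    # Reachability probe only: certificate checks are off so a trust
    # problem is not misreported as a network problem. Never reuse this
    # context to carry credentials or data.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            pass  # handshake runs inside wrap_socket
    except (socket.timeout, TimeoutError):
        return "tls_timeout", elapsed()
    except (ssl.SSLError, OSError):
        return "tls_failed", elapsed()
    finally:
        sock.close()
    ms = elapsed()
    return ("slow" if ms > slow_ms else "ok"), ms

if __name__ == "__main__":
    # vpn.example.com is a placeholder for the gateway's public name.
    print(probe_gateway("vpn.example.com"))
```

On Python 3.10 and later the default context requires TLS 1.2 or newer, so a gateway that only offers the SSL 2.0, SSL 3.0 and TLS 1.0 protocols listed in the question is reported as `tls_failed`.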

Expert Comment

ID: 18766738
You do not mention if this is in general or for a particular user.

In any case you need to get the newest client for the VPN, and also check that no firewalls are in place blocking the connection at either end.

I hope this helps !

Author Comment

ID: 18772654
Many thanks for the tips everyone.
In reply: [answering all Q's listed from all responders, thus far, ordered first to most recent reply]:
I'll have our team check the session logs. I also use to verify and attempt to ping /verify client IP's.

Many users successfully connect, SSL [the expected protocol, worldwide, even from different domains].
Third party RADIUS, a built in Juniper solution or IAS in use? will have to verify this w/my netAdmins.
BTW: "CAC" is a government term for "Common Access Card" [smart authentication ID card].

Thanks for helping me clarify :)

Author Comment

ID: 18778254
Third party RADIUS, a built in Juniper solution or IAS in use? Yes, there are Third Party [Juniper] solutions in place.

Self resolved: user's pc did NOT have the Juniper client installed.

Points to rjmedina: for the incredible insight provided up front.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question