justin0104 asked:

The secure gateway denied the connection request from this client (nc.windows.app.23791)

I am preparing our Juniper SA4000 SSL VPN device for use in production and I am having a few problems. I'm getting the stated error message when a client uses Network Connect to try and obtain a network address from an internal DHCP server. I receive this message when I tell the SA4000 device to use our internal DHCP server to give clients an IP address. If I give the SA4000 a range of IP addresses (it acts as its own DHCP server) then clients are able to connect but can't get to any internal resources and can't browse out to the internet. From the SA4000 device I can ping the DHCP server, so I'm a bit confused about what is causing this problem.

The VPN appliance is behind a firewall but I have verified that all ports that are needed are enabled. The first problem I need help fixing is just getting clients to pick up an IP address from our DHCP server. Please help me as soon as possible with this.
deimark

Sounds like a personal firewall preventing a specific juniper application from accessing the network.

Have a look at http://kb.juniper.net/KB8893



Network Connect: The secure gateway denied the connection request from this client. (nc.windows.app.23791)


Problem or Goal:
All users but one cannot connect using Network Connect.

The Juniper process dsncservice.exe can be blocked by personal firewall software such as Symantec, McAfee, and Trend Micro.

This error means Network Connect is unable to establish a connection with the secure gateway.
A variety of causes can contribute to this error, such as the Bonjour component of iTunes, Cisco VPN software, etc.

The key to determining where to look is whether the error affects all Network Connect users or only a few.
If all users are affected, a configuration setting is required in the IVE, whereas if only a few users are affected, it could be software.

Please consider using Sun Java JVM 1.4.2_04, 1.4.2_06, or 1.5.0_03 from http://java.sun.com/products/archive

Sun JRE 1.4.2_04
http://java.sun.com/products/archive/j2se/1.4.2_04/index.html

Sun JRE 1.4.2_06
http://java.sun.com/products/archive/j2se/1.4.2_06/index.html

Sun 5.0 J2SE 1.5.0_03
http://java.sun.com/products/archive/j2se/5.0_03/index.html

Solution:

Please set the software firewall to allow dsncservice.exe to help prevent nc.windows.app.23791.

In some cases, the interfering software has to be uninstalled, for example, Bonjour component that interferes with Network Connect can be uninstalled, leaving iTunes in place.
justin0104 (ASKER)

This is affecting all users. This box is in a lab environment right now and the machines that are trying to get a connection range from a computer with no software and no firewall or antivirus installed to working machines, but none can obtain an IP address when the SA4000 is told to use a DHCP server to hand out addresses. Like I said, if I tell the SA4000 to use a range of IP addresses then it will work, but the client will not be able to get out to the internet, so the DNS information on the SA4000 isn't working either? So I know there is some sort of configuration problem; I just can't find it.

Let's say I do tell the SA4000 to act as its own DHCP server. When I do connect and obtain one of the addresses in the range that I provided on the SA4000, the gateway is 127.0.0.1, which tells me why I'm not able to get out to the internet. I see this gateway when I do a route print on the local machine that got the IP from the SA4000. This is the only way that I can get a client to get an IP address, but that's all that the client is doing... getting an IP address. The way that I should have it set up is working with our production DHCP server, which the SA4000 device can definitely reach. So why is it that clients that try and get an IP aren't able to pull from the DHCP server?
What version of IVE OS are you using?  If it's before 6.1, then you will need a Network Connect license installed.  If it's 6.1 or later, then the NC license is included in the base.

Have a look at this doc for configuring NC on Juniper

https://download.juniper.net/software/ive/docs/supplemental/how-to/How_To_NC_Config.pdf

There is clearly something at odds with the config, so use the doc above to confirm all settings, in case there is a small tick box that we are missing.

When you install NC it creates a new virtual adapter within the client machine, and it's this virtual adapter that gets allocated the new IP address (either via DHCP or locally using an IP pool).  Normally this will not need to add any routes to the client, as the application interception happens before the routing aspect, but if anything, it should be routes for the protected nets that are added, not a default route.

Also, split tunnelling is enabled by default for NC, so the client machine should still be able to send traffic to the internet without sending everything over NC.  Double check the split tunnelling settings there.

As a final suggestion, go to Troubleshooting > User Sessions > Policy Tracing and run a debug while getting the users to connect, get an IP address, and access resources (both through the IVE and the internet), and check the logs.  This may give a bit more of an idea as to the role assignments, resource access and policies applied, just to make sure all is as it should be.
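Added example, not part of this thread and not Juniper's code: a Python check for the client-side symptom discussed above. It parses the IPv4 table of a Windows `route print` dump and reports whether the NC virtual adapter received a default route (the 127.0.0.1 gateway the asker saw) or only routes for the protected networks, which is what deimark says split tunnelling should produce. The route table below is constructed to reproduce the described symptom; the NC address 10.12.100.5 is taken from the pool shown later in the thread, and the column layout assumed is the standard Windows IPv4 "Active Routes" table.

```python
import re

# Constructed sample modelled on the symptom described above (not captured
# from the asker's machine): after NC assigns 10.12.100.5, the client has a
# default route via 127.0.0.1 on the NC adapter with a lower metric than the
# physical adapter's real default route, so internet traffic enters the tunnel.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0       127.0.0.1     10.12.100.5      1
      10.12.0.0      255.255.0.0       127.0.0.1     10.12.100.5      1
      127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
    192.168.1.0    255.255.255.0    192.168.1.50    192.168.1.50     25
Default Gateway:       192.168.1.1
===========================================================================
"""

# One row of the IPv4 "Active Routes" table: destination, mask, gateway
# (an address or "On-link"), interface address, metric.
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<gw>\S+)\s+(?P<iface>\d+\.\d+\.\d+\.\d+)\s+(?P<metric>\d+)\s*$"
)


def parse_routes(text):
    """Return the IPv4 route rows of a Windows 'route print' dump as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            row = m.groupdict()
            row["metric"] = int(row["metric"])
            routes.append(row)
    return routes


def check_nc_routes(routes, nc_ip):
    """Classify what the NC adapter (interface address nc_ip) pulls into the
    tunnel. A default route on that adapter means everything, internet
    included, is tunnelled; routes for specific prefixes are the expected
    split-tunnel shape."""
    nc_routes = [r for r in routes if r["iface"] == nc_ip]
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    nc_default = [r for r in defaults if r["iface"] == nc_ip]
    other_default = [r for r in defaults if r["iface"] != nc_ip]
    protected = [f'{r["dest"]}/{r["mask"]}' for r in nc_routes if r not in nc_default]

    findings = []
    if nc_default:
        findings.append(
            f"default route on NC adapter via gateway {nc_default[0]['gw']}: "
            "all traffic, including internet, is sent into the tunnel "
            "(consistent with split tunnelling being off)")
        if other_default and nc_default[0]["metric"] < min(r["metric"] for r in other_default):
            findings.append("NC default route has the lowest metric, so it wins "
                            "over the physical adapter's default route")
    if not protected:
        findings.append("no protected-network routes on the NC adapter")
    return {"nc_ip": nc_ip, "protected_routes": protected,
            "default_via_nc": bool(nc_default), "findings": findings}


if __name__ == "__main__":
    result = check_nc_routes(parse_routes(SAMPLE_ROUTE_PRINT), "10.12.100.5")
    print(result["protected_routes"])
    for f in result["findings"]:
        print("-", f)
```

Run it against a real dump by replacing SAMPLE_ROUTE_PRINT with the output of `route print -4` and the NC adapter's address; an expected result is `default_via_nc` false and the internal prefixes listed under `protected_routes`.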
I'm checking out the document now. One thing that I forgot to mention is that when I do connect using the IP pool on the IVE, from the client computer I'm able to ping the internal interface on the IVE and that's it. I can't even ping the external interface on the IVE, let alone the internal interface gateway which would get me out to the DHCP server. From the IVE, if I go to Troubleshooting I'm able to ping out to everywhere in my network. Any thoughts on this one?
Have you configured any resource policies to allow the traffic through?  What can often happen is that the resource policies are either not configured at all or have bad info in them, and in fact all they do is deny the access.

Set a NC access policy that allows access to everything and test.
All resource policies are set to allow all. I am still not able to get an IP from the DHCP server, and if I set up an IP pool I am only able to ping the internal interface of the IVE?
Can you post the results of the policy trace?
Info      PTR10103      2010/05/17 11:27:31 - [10.12.1.4] - irvasaffx01(Admin Users)[.Administrators,.Read-Only Administrators] - justin:Users - Policy Tracing turned on
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable user = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable password = "****"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable userName = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable protocol =
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable realm = "Users"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable loginTime = Mon May 17 11:27:39 2010
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable userAttr.sAMAccountName = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable userAttr.cn = "Justin Westover"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable userAttr.memberOf = "CN=Group Policy Creator Owners,CN=Users,DC=lab01,DC=domain,DC=com", "CN=Domain Admins,CN=Users,DC=lab01,DC=domain,DC=com"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable userAttr.msNPAllowDialin = "FALSE"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable groups =
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable loginURL = "*/"
Info      PTR10305      2010/05/17 11:27:39 - [65.242.24.66] - justin(Users)[] - Variable sourceIp = 65.x.x.x
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable loginHost = "lab01.domain.com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1)"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable networkIF = "external"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN.CN = "Justin Westover"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN.OU = "Admin Users"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN.DC = "lab01"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN.DC = "domain"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN.DC = "com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDNText = "CN=Justin Westover,OU=Admin Users,DC=lab01,DC=domain,DC=com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable user@AD Server = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable password@AD Server = "****"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN@AD Server.CN = "Justin Westover"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN@AD Server.OU = "Admin Users"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN@AD Server.DC = "lab01"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN@AD Server.DC = "domain"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDN@AD Server.DC = "com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userDNText@AD Server = "CN=Justin Westover,OU=Admin Users,DC=lab01,DC=domain,DC=com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAttr@AD Server.sAMAccountName = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAttr@AD Server.cn = "Justin Westover"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAttr@AD Server.memberOf = "CN=Group Policy Creator Owners,CN=Users,DC=lab01,DC=domain,DC=com", "CN=Domain Admins,CN=Users,DC=lab01,DC=domain,DC=com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAttr@AD Server.msNPAllowDialin = "FALSE"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable cacheCleanerStatus = false
Info      PTR24559      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.
Info      PTR24559      2010/05/17 11:27:41 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "starter0" to the next start page "/dana/home/starter.cgi" before starting the session.
Info      PTR24559      2010/05/17 11:27:41 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "starter0" to the next start page "/dana/home/starter.cgi" before starting the session.
Info      PTR24559      2010/05/17 11:27:41 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "starter" to the next start page "/dana/home/index.cgi" before starting the session.
Info      PTR23471      2010/05/17 11:27:44 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Network Connect: IP Address Pools obtained for the current session are 10.12.100.5
Info      PTR10104      2010/05/17 11:28:08 - [10.12.1.4] - irvasaffx01(Admin Users)[.Administrators,.Read-Only Administrators] - justin:Users - Policy Tracing turned off


All this shows is that NC was connected and issued with an IP from an IP pool of 10.12.100.5.

It doesn't show any resources accessed, sadly.  After the IP address assignment, what resources do you access?
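Added example, not part of this thread and not a Juniper tool: a Python parser for IVE policy trace lines in the layout posted above. It extracts the session variables, the roles mapped to the user, and the Network Connect pool address, and counts what the trace records after the address assignment, so deimark's reading (connected, got 10.12.100.5, nothing else logged) can be checked mechanically on a longer trace. The TRACE constant is a subset of the lines posted above; the meaning attached to each PTR code is inferred from those lines only, and any other code is reported rather than interpreted.

```python
import re
from collections import OrderedDict

# Sample input: a subset of the policy trace posted in this thread.
TRACE = """\
Info      PTR10103      2010/05/17 11:27:31 - [10.12.1.4] - irvasaffx01(Admin Users)[.Administrators,.Read-Only Administrators] - justin:Users - Policy Tracing turned on
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable user = "justin"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable protocol =
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable realm = "Users"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable userAttr.memberOf = "CN=Group Policy Creator Owners,CN=Users,DC=lab01,DC=domain,DC=com", "CN=Domain Admins,CN=Users,DC=lab01,DC=domain,DC=com"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable networkIF = "external"
Info      PTR10305      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[] - Variable user@AD Server = "justin"
Info      PTR24559      2010/05/17 11:27:39 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.
Info      PTR24559      2010/05/17 11:27:41 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Automatically redirected from page "starter" to the next start page "/dana/home/index.cgi" before starting the session.
Info      PTR23471      2010/05/17 11:27:44 - [65.x.x.x] - justin(Users)[Users,Admin Users] - Network Connect: IP Address Pools obtained for the current session are 10.12.100.5
Info      PTR10104      2010/05/17 11:28:08 - [10.12.1.4] - irvasaffx01(Admin Users)[.Administrators,.Read-Only Administrators] - justin:Users - Policy Tracing turned off
"""

# Line layout as posted: level, PTR code, timestamp, [source IP],
# user(realm)[roles], message. Field widths vary, so split on whitespace runs.
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<code>PTR\d+)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - "
    r"\[(?P<src>[^\]]+)\] - "
    r"(?P<user>[^(]+)\((?P<realm>[^)]+)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<msg>.*)$"
)
# Variable names may contain spaces ("user@AD Server"); values may be empty.
VAR_RE = re.compile(r"^Variable (?P<name>.+?) = ?(?P<value>.*)$")
POOL_RE = re.compile(r"IP Address Pools obtained for the current session are (?P<ip>[\d.]+)")

# Event codes as seen in the trace above. Anything else is kept as "other"
# so that a real resource-access or policy event is not silently dropped.
CODES = {
    "PTR10103": "trace_on",
    "PTR10104": "trace_off",
    "PTR10305": "variable",
    "PTR24559": "redirect",
    "PTR23471": "nc_pool",
}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    s = {"variables": OrderedDict(), "roles": [], "nc_ip": None,
         "redirects": 0, "other_events": [], "events_after_nc": 0, "unparsed": 0}
    after_nc = False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            if raw.strip():
                s["unparsed"] += 1
            continue
        kind = CODES.get(rec["code"], "other")
        if kind in ("trace_on", "trace_off"):
            continue  # admin-side bookkeeping, not the end user's session
        if rec["roles"]:
            s["roles"] = [r.strip() for r in rec["roles"].split(",")]
        if after_nc:
            s["events_after_nc"] += 1
        if kind == "variable":
            v = VAR_RE.match(rec["msg"])
            if v:
                s["variables"][v["name"]] = v["value"].strip().strip('"')
        elif kind == "redirect":
            s["redirects"] += 1
        elif kind == "nc_pool":
            p = POOL_RE.search(rec["msg"])
            s["nc_ip"] = p["ip"] if p else None
            after_nc = True
        else:
            s["other_events"].append((rec["code"], rec["msg"]))
    return s


def findings(s):
    out = []
    if s["nc_ip"] is None:
        out.append("no Network Connect address assignment logged")
    elif s["events_after_nc"] == 0:
        out.append(f"NC assigned {s['nc_ip']} but nothing is logged afterwards: "
                   "no resource access reached the IVE during the trace")
    if not s["roles"]:
        out.append("no roles were mapped to the user")
    return out


if __name__ == "__main__":
    summary = summarize(TRACE.splitlines())
    print("roles:", summary["roles"], "nc_ip:", summary["nc_ip"])
    for f in findings(summary):
        print("-", f)
```

Feed it a full trace (one line per entry, as copied from the admin UI) and look at `other_events` first: on a working session those are where the resource-policy decisions show up, and their absence after the pool assignment is the same gap deimark points out.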
I saw that too, but watching the Network Connect utility it never connects and I never receive an IP address; it just fails on me. I never get a chance to try and access any network resources.
Do you have any other VPN clients on this machine at all?

I have seen issues in the past where other VPN clients that create virtual adapters tend to get "confused" when you add more than 1 type of virtual adapter here.

Have you also tried removing the version of NC from the host and then re-downloading it and reinstalling?

What version of IVE OS are you using as it may be worth looking at upgrading here.
ASKER CERTIFIED SOLUTION
justin0104