Import error

You will get this error if you are trying to import the XML config from a device which is running a different version from the one you’re importing it to. Exports/imports must be performed on the same version. A massive pain for me, as I’m doing a consolidation project to move the rules from one of our clusters to another.

This is also confirmed on the juniper forums http://forums.juniper.net/t5/SSL-VPN/Importing-config-to-newer-version-SA-appliance-possible/td-p/9973

I’ve spent a lot of time tinkering with Check Point and SecurePlatform (SPLAT); in my first post on the topic, here are a few good commands for administering interfaces under the operating system.

1) Add Vlan interface

config conn add type vlan local "x.x.x.x/xx" vlan-tag "xxx" dev "interface"

e.g.

config conn add type vlan local 192.168.1.1/24 vlan-tag 100 dev eth0

This adds the VLAN interface eth0.100 with IP 192.168.1.1/24.

If you run "config conn help" it will show all options available within this tool. If you are configuring a firewall cluster, the VIP and topology changes must be made in SmartDashboard.

2) Add untagged interface

config conn set local "x.x.x.x/xx" name "inf_name"

3) To delete an interface

config conn del name "interface"
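The three command forms above are easy to mistype on a box where a wrong VLAN tag or an overlapping subnet is only discovered once traffic stops. The following script is an added example (not code from the original post or from Check Point): it validates a requested set of interfaces with Python's ipaddress module, refuses overlapping subnets, and prints the config conn commands for review before they are pasted onto the firewall. The command syntax is copied from the forms shown above; how a given SPLAT build interprets them is an assumption, and nothing here executes config conn.

```python
"""Pre-flight generator for SPLAT `config conn` interface commands.

Added example, not code from the original post or from Check Point. The
command forms it emits are copied from the post (add type vlan / set local /
del name); their exact behaviour on a given SPLAT build is an assumption.
Nothing is executed: the script validates a requested set of interfaces,
refuses overlapping subnets, and prints the commands for review.
"""
import ipaddress

VLAN_TAG_MIN, VLAN_TAG_MAX = 1, 4094  # 802.1Q usable tag range


def vlan_ifname(dev, tag):
    """Sub-interface name SPLAT creates for a tagged interface: eth0 + 100 -> eth0.100."""
    return f"{dev}.{int(tag)}"


def _interface(cidr):
    """Parse 'a.b.c.d/nn' and reject addresses that cannot be assigned to a host."""
    iface = ipaddress.ip_interface(cidr)  # raises ValueError on malformed input
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{cidr}: network or broadcast address, not a host address")
    return iface


def build_vlan_add(dev, cidr, tag):
    """'config conn add type vlan ...' for a tagged interface, after validation."""
    tag = int(tag)
    if not VLAN_TAG_MIN <= tag <= VLAN_TAG_MAX:
        raise ValueError(f"VLAN tag {tag} outside {VLAN_TAG_MIN}-{VLAN_TAG_MAX}")
    iface = _interface(cidr)
    return f"config conn add type vlan local {iface.with_prefixlen} vlan-tag {tag} dev {dev}"


def build_untagged_set(name, cidr):
    """'config conn set local ...' for an untagged physical interface."""
    iface = _interface(cidr)
    return f"config conn set local {iface.with_prefixlen} name {name}"


def build_delete(name):
    """'config conn del name ...' to remove an interface."""
    return f"config conn del name {name}"


def plan(interfaces):
    """Turn desired interfaces into an ordered command list.

    Each entry is a dict: {"dev": "eth0", "cidr": "192.168.1.1/24"} with an
    optional "tag" for VLAN sub-interfaces. Two interfaces on overlapping
    subnets would give the firewall ambiguous routing, so the whole plan is
    refused rather than partially applied.
    """
    cmds, assigned = [], []
    for spec in interfaces:
        net = _interface(spec["cidr"]).network
        name = vlan_ifname(spec["dev"], spec["tag"]) if "tag" in spec else spec["dev"]
        for other_name, other_net in assigned:
            if net.overlaps(other_net):
                raise ValueError(f"{name} ({net}) overlaps {other_name} ({other_net})")
        assigned.append((name, net))
        if "tag" in spec:
            cmds.append(build_vlan_add(spec["dev"], spec["cidr"], spec["tag"]))
        else:
            cmds.append(build_untagged_set(spec["dev"], spec["cidr"]))
    return cmds


# Constructed sample, not a real topology: one untagged and one tagged interface.
SAMPLE_PLAN = [
    {"dev": "eth1", "cidr": "10.10.0.1/24"},
    {"dev": "eth0", "cidr": "192.168.1.1/24", "tag": 100},
]

if __name__ == "__main__":
    for cmd in plan(SAMPLE_PLAN):
        print(cmd)
```

Run it with the interface list for the target cluster and paste the printed commands only after the plan comes back without a ValueError; on a cluster the same validation applies to each member, while the VIP and topology still go through SmartDashboard as the post says.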

4) ARP limitations in SPLAT

There is a ‘feature’ of SPLAT where the ARP table will only hold 1000 ARP entries. This can be restrictive on a firewall with a lot of interfaces, or one that is directly connected to a lot of hosts (e.g. a management network firewall). As per the Check Point KB:

Problem: The default value of the gc_thresh3 file is not enough to contain all of the ARP entries. The ARP entries are overflowing the table.

Solution: The following command will change the default value of the gc_thresh3 file:

echo 10000 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

To make those changes persistent:

vi /etc/sysctl.conf

and add:

net.ipv4.neigh.default.gc_thresh3 = 10000
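Raising gc_thresh3 fixes the overflow, but the symptom (hosts intermittently unreachable through the firewall) is easy to misdiagnose, and the change is lost on reboot if the sysctl.conf line is forgotten. The following script is an added example, not from the post or from Check Point: it counts the entries in /proc/net/arp, compares them with the gc_thresh1/2/3 sysctls, and checks whether /etc/sysctl.conf persists the raised value. The parsing is separated from the file reads so the same logic runs against captured text; the sample table and sysctl.conf at the bottom are constructed, not captured from a real firewall.

```python
"""ARP neighbour-table headroom check against the gc_thresh limits.

Added example, not from the original post or from Check Point. On a live
SPLAT (or any Linux) firewall it reads /proc/net/arp and the
net.ipv4.neigh.default.gc_thresh* sysctls; the parsing is kept in separate
functions so the same logic runs against captured text, which is how the
constructed sample at the bottom is used.
"""
import os
import re

NEIGH_DIR = "/proc/sys/net/ipv4/neigh/default"
ARP_TABLE = "/proc/net/arp"
SYSCTL_CONF = "/etc/sysctl.conf"
SYSCTL_KEY = "net.ipv4.neigh.default.gc_thresh3"
ATF_COM = 0x2  # flag bit set on a resolved (complete) ARP entry


def count_arp_entries(arp_text):
    """Return (complete, incomplete) entry counts from /proc/net/arp text.

    The first line is a column header. Incomplete entries (flags 0x0,
    all-zero HW address) still occupy neighbour-table slots, so both kinds
    count towards the gc_thresh3 ceiling.
    """
    complete = incomplete = 0
    for line in arp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[2], 16) & ATF_COM:
            complete += 1
        else:
            incomplete += 1
    return complete, incomplete


def assess(total_entries, thresholds):
    """Classify headroom against (gc_thresh1, gc_thresh2, gc_thresh3).

    Below gc_thresh1 the kernel never garbage-collects; above gc_thresh2 it
    reclaims entries aggressively; at gc_thresh3 the table is full and new
    neighbours cannot be added, which is the overflow the KB describes.
    The stock Linux kernel default for gc_thresh3 is 1024.
    """
    t1, t2, t3 = thresholds
    if total_entries >= t3:
        return "CRITICAL"
    if total_entries >= t2:
        return "WARNING"
    if total_entries >= t1:
        return "NOTICE"
    return "OK"


def sysctl_conf_persists(conf_text, minimum):
    """True if sysctl.conf sets gc_thresh3 to at least `minimum` (last setting wins)."""
    pattern = re.compile(r"^\s*" + re.escape(SYSCTL_KEY) + r"\s*=\s*(\d+)", re.M)
    values = [int(m.group(1)) for m in pattern.finditer(conf_text)]
    return bool(values) and values[-1] >= minimum


def check_live(minimum=10000):
    """Read the real kernel files; returns a report dict, or None off-Linux."""
    if not os.path.exists(ARP_TABLE) or not os.path.isdir(NEIGH_DIR):
        return None
    with open(ARP_TABLE) as f:
        complete, incomplete = count_arp_entries(f.read())
    thresholds = []
    for i in (1, 2, 3):
        with open(os.path.join(NEIGH_DIR, f"gc_thresh{i}")) as f:
            thresholds.append(int(f.read().strip()))
    conf = ""
    if os.path.exists(SYSCTL_CONF):
        with open(SYSCTL_CONF) as f:
            conf = f.read()
    total = complete + incomplete
    return {
        "entries": total,
        "incomplete": incomplete,
        "thresholds": tuple(thresholds),
        "state": assess(total, thresholds),
        "persisted": sysctl_conf_persists(conf, minimum),
    }


# Constructed sample text, not captured from a real firewall.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.11     0x1         0x2         00:11:22:33:44:56     *        eth0.100
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
SAMPLE_CONF = "# constructed\nnet.ipv4.neigh.default.gc_thresh3 = 10000\n"

if __name__ == "__main__":
    report = check_live() or {
        "entries": sum(count_arp_entries(SAMPLE_ARP)),
        "thresholds": (128, 512, 1024),
        "persisted": sysctl_conf_persists(SAMPLE_CONF, 10000),
    }
    report.setdefault("state", assess(report["entries"], report["thresholds"]))
    print(report)
```

On the firewall itself, check_live() does the work; a state of WARNING with persisted False is the combination worth alerting on, since the next reboot will put the box straight back at the default ceiling.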

5) Interface Speed/Duplex

ethtool -s "interface" speed 100 duplex full autoneg off

To make those changes persistent:

vi /etc/rc.local

Add the following to the end of the file:

/sbin/ethtool -s "interface" speed 100 duplex full autoneg off

If you are receiving the error “The server disallowed the connection” when launching the Junos Pulse client, it means you have not allowed Network Connect on the User Role you created for mobile devices. It’s easy to make the mistake of configuring a Network Connect profile but not ticking the box which binds it to the role. The form should really tick the box automatically when you select either Network Connect or Junos Pulse.

Click on Users/User Roles. Select the User Role you created for the mobile devices and then go down and confirm the ‘Network Connect’ box is ticked.

Remember to tick the box!

I’ve been involved in a project at work to set up an iOS/Android-supporting SSL VPN gateway. A lot of businesses seem to be pushing the need to get mobile devices connected to the corporate network at the moment; bit of a buzz with the popularity of smartphones. There is currently no host checking or device encryption offered with Junos Pulse, so it poses a bit of a risk, as there’s a whole swag of devices on your network over which you don’t have a great deal of control – you are largely reliant on the user not using malicious software (via a jailbreak, or a dodgy app store!).

Having spent a good deal of my time working on Juniper’s Pulse software, I feel the software is still fairly immature. The sign-in pages are seemingly bolted into the product and require some rework to get them working across all mobile platforms (although I understand they have fixed this somewhat in 7.1). There is a lack of decent information on the internet, and Juniper’s own documentation seems to focus more on what it’s able to do rather than HOW to do it. Web bookmarks do not seem to work yet either: the page loads for about 20 seconds and then times out with a white page and no error. I have run debugs and packet captures and there are no errors or anything indicative of an issue. The IVE device does not seem to generate the request to the web server the bookmark is directed to. This is the bulk of what I needed it for, and it doesn’t seem to work.

As a proof of concept I have been able to get Remote Desktop working reliably through the Junos client to my workstation. It’s not very practical on an iPhone screen, but a fair test nonetheless.

I’d initially created a Terminal Services session policy within the mobile user realm but found it wouldn’t generate any traffic down the Pulse VPN client (confirmed by the client showing 0 bytes sent under ‘Status’). The key to getting this working is creating a “NetConnect Access Policy” instead.

First of all, change the access feature from Junos Pulse to Network Connect:

(Screenshot: Network Connect Options)

It seems counter-intuitive, but the Network Connect profiles work for Junos Pulse too. Click Options, then click “Access control” at the bottom. Create a policy similar to this, allowing TCP 3389 to your host:

(Screenshot: Network Connect Access Policy)

Save the changes and reload the VPN client. Ensure you have a firewall rule (if applicable) to allow the Network Connect IP range to the destination on the port specified. Download an RDP app for iPhone (Mocha RDP Lite works!) and configure the host you specified in your access control policy. You should now be able to bring up your desktop on your iOS/Android device.

(Screenshot: Remote Desktop over VPN)

Simple in theory, but these things are often overlooked; there’s nothing in the documentation yet.