[vpn-help] updated better detailed question on "Issue with Client"

Matthew Silvas matthews at dcxchol.com
Tue Jul 2 15:28:14 CDT 2013


Issue with Client Follow up
I hope this better describes the issue.

We have Shrew Soft client 2.2.1\2.1.6 releases on Windows 7 computers.
Note there is a Mac at one of these sites using IPSecuritas that connects fine.

I have about 40 clients on this Juniper SSG140.
3 clients have the behavior that was described in the previous post "Issue with Client".

We get a partial connection to the firewall (Juniper SSG140 Software Version   6.3.0r14.0)

But here is what we get:

"The client never identifies itself fully to the firewall. It makes a connection and will send packets but randomly replies with packets, sometimes not. Ping will show disconnects or latency for random periods, or worse. When these clients connect they also will throw off working clients on occasion."

From the Juniper side, from a PuTTY session, you can see as follows:

You can see that an IKE has established using a get sa (sometimes, not all the time, but when it does it will show as active).

When you check the VPN tunnel for Mobile VPN users I do not see an IP on the tunnel when it should have bound, or worse, sometimes 3 of the same IPs bound for the connection (when 3 IPs happen it will sometimes slow down and\or kick off other users).

I see this in the logs as well..

2013-07-01 18:52:06 info IKE<############> Phase 1: IKE responder has detected NAT in front of the remote device.
2013-07-01 18:52:06 info IKE<############> Phase 1: IKE responder has detected NAT in front of the local device.

Note: IP redacted; the log had the correct IP.

This Juniper mobile VPN setup has been working for some time. There have been no changes on the firewall with the exception of a software update less than 24 hours ago to try to resolve this.

It is a belief that the client side is causing this problem. A small update was made to the VPN connection over a week ago by our consultant to try to fix this issue, changing Enable NAT-Traversal from 5 ms to 60 ms, but it was then changed back to 5 ms.

Is there any reason the Shrew Soft client would either get 3 IPs from the tunnel binding or for some reason not bind to the tunnel for return?

We did try an update to client 2.2.2, which had no effect.

The users only seem to have Windows 7 in common.

Any ideas would be helpful.

I can provide some logs if needed.


