
What SA SSL VPN configuration is required for the VPN tunneling client to obtain an IP address

SUMMARY:
This article provides information on how SA SSL VPN assigns Internet Protocol (IP) addresses
to the VPN tunneling client.

PROBLEM OR GOAL:
Junos Pulse Desktop symptom:
Junos Pulse status is 'Connected', but the status window does not show an IP address.
For more information on the status window, refer to KB26419 - Status window (detailed
connection information) for Junos Pulse Desktop connection.
Junos Pulse Mobile symptom:
Junos Pulse status is 'Connected', but the status window does not show an IP address.
For more information on the status window, refer to KB26409 - Status window (detailed
connection information) for Junos Pulse Mobile connection.
Network Connect symptom:
All users receive the error message "The secure gateway denied the connection from this client
(nc.windows.app.23791)" when they try to log on to the SA SSL VPN by using a VPN tunneling
client.
The user access log displays the following message:
YY-MM-DD HH:MM:SS - ive - [10.10.2.25] username(Realm)[Role] - Network
Connect: IP address cannot be allocated to user test. Solution: Check IP
Address Pools / DHCP server state.

CAUSE:
The nc.windows.app.23791 error is a generic error code that is displayed to the end user each
time the SA platform rejects a tunnel setup request. This article only documents the basic
configuration that is required to set up the tunnel and details how the IP address assignment
works. Other configuration issues on the server or client side may also cause this error.

SOLUTION:
Configuration Requirements
The following options must be configured on the SA SSL VPN in order for an IP address to be
assigned and for the virtual adapter to be configured on the client:
- NCP Auto-Select Enabled (System > Configuration > NCP)
- Access Control Policy (Users > Resource Policies > VPN Tunneling > Access Control)
- Connection Profile (Users > Resource Policies > VPN Tunneling > Connection Profile)
- IP Address Filter (System > Network > VPN Tunneling): By default, the wildcard (*) is used,
which allows any IP address to be assigned from the IP pool that you have configured. You may
replace the wildcard filter with an IP address/netmask combination that applies to the IP
address pool configured in the connection profile on this device.
If you have multiple SA appliances configured identically with the same connection
profile(s), you can use this filter to ensure that each SA only assigns IP addresses from the
subnet that is configured in the IP Address Filter section of that appliance.
For example, if you have a connection profile with the 10.10.10.10-100, 172.16.10.10-100, and
192.168.10.10-100 IP pools configured and an IP address filter of 172.16.10.10-100.
Alternatively, if these devices are clustered, you can also configure node-specific
connection profiles.
- DNS Server: This may be configured in the Connection Profile or in System > Network >
Overview.

IP Address Assignment Flow

The Secure Access (SA) SSL VPN appliance acts as a Dynamic Host Configuration Protocol
(DHCP) proxy in order to assign IP addresses to the VPN tunneling client. If DHCP server(s) are
configured, it initiates DHCP requests to the DHCP server on behalf of the client. The flow
is as follows:
1. The VPN tunneling client tries to make a connection to the SA SSL VPN appliance.
There are two possible methods which can be used to obtain an IP address for the VPN
tunneling client (Users > Resource Policies > VPN Tunneling > Connection Profile):
- DHCP server(s)
- IP address pool

If IP address pool configuration is in use, then the SA will automatically select an available IP
address from the pool and assign it to the client.
If a DHCP server is used, the SA initiates the DORA (Discover, Offer, Request, ACK) exchange
with the DHCP server on behalf of the VPN tunneling client, as in this example:

Source        Destination   Protocol  Info
10.10.2.25    10.10.2.30    DHCP      DHCP Discover
10.10.2.30    10.10.2.25    DHCP      DHCP Offer
10.10.2.25    10.10.2.30    DHCP      DHCP Request
10.10.2.30    10.10.2.25    DHCP      DHCP ACK

Note: If a DHCP server has been set up with IP address scopes that differ from the SA's
internal IP subnet, refer to KB22611 - Network Connect: Assign IP addresses from a DHCP scope
not on the IVE internal interface subnet.
2. The SA SSL VPN will then pass down the VPN tunneling parameters (IP address, subnet
mask, DNS \ WINS Servers, and VPN Tunnel Server IP address) to the Network Connect
(NC) service on the client.
3. The NC service on the client then enables the virtual adapter and passes the VPN
tunneling parameters to the virtual adapter driver.
4. By default, DHCP is enabled on the virtual adapter, so when the NC service enables the
virtual adapter, the TCP/IP stack initiates the DORA process. Since the NC service has
already received the VPN tunneling parameters directly from the SA appliance, the DORA
process that happens on the client is satisfied using those parameters, in compliance with
the DHCP standards defined in the Requests for Comments (RFCs) published by the Internet
Engineering Task Force (IETF); for reference, see RFC 2131 and RFC 2132.
When the virtual adapter driver receives the DHCP Discover and DHCP Request packets, it
responds with the DHCP Offer and DHCP ACK, using the VPN Tunnel Server IP (10.200.200.200)
provided by the NC service as the DHCP server address. Because these packets are sent before
the IP address of the VPN tunnel has been assigned, the tunnel is not yet operational and the
packets never actually reach the SA SSL VPN. When assigning the IP address, the NC service
always uses the VPN Tunnel Server IP that is configured on the SA SSL VPN as the dummy DHCP
server on the client.
The default VPN Tunnel Server IP that is already configured on the SA appliance is
10.200.200.200 (System > Network > Network Connect). This is why the VPN Tunnel Server IP is
the default DHCP server for every VPN tunnel, regardless of the method being used to assign IP
addresses (DHCP server or IP address pool).
The VPN Tunnel Server IP address can be changed; but because it cannot be both the DHCP
server and the assigned IP address, ensure that the address you choose is not part of an IP
address pool that is specified in a VPN tunneling Connection Profile (Users > Resource
Policies > VPN Tunneling > Connection Profile). That is, the address must not fall within the
range of an IP address pool configured for VPN tunneling, nor be an address that may be
assigned by a DHCP server.
Source          Destination      Protocol  Info
0.0.0.0         255.255.255.255  DHCP      DHCP Discover
10.200.200.200  255.255.255.255  DHCP      DHCP Offer
0.0.0.0         255.255.255.255  DHCP      DHCP Request
10.200.200.200  255.255.255.255  DHCP      DHCP ACK
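As an added example (not code from Juniper or this article), the following Python builds and decodes the locally answered Offer/ACK shown in the table above, so the fields can be checked against a client-side capture. The client MAC, assigned address, mask and DNS server are constructed values; the packet layout follows RFC 2131/2132 as cited above.

```python
import struct
import ipaddress

# Constructed example (not Juniper code): the article's default VPN Tunnel Server IP
# plays the client-side "dummy" DHCP server; the assigned address is hypothetical.
TUNNEL_SERVER_IP = "10.200.200.200"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK"}
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header (RFC 2131)

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def build_reply(msg_type, xid, chaddr, yiaddr, mask, dns, server_ip=TUNNEL_SERVER_IP):
    """Build the Offer (2) or ACK (5) the virtual adapter driver answers with locally."""
    header = struct.pack(HEADER, 2, 1, 6, 0, xid, 0, 0x8000,   # BOOTREPLY, Ethernet, broadcast
                         b"\0" * 4, _ip(yiaddr), _ip(server_ip), b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, msg_type])            # DHCP message type
               + bytes([1, 4]) + _ip(mask)         # subnet mask pushed down by the SA
               + bytes([6, 4]) + _ip(dns)          # DNS server pushed down by the SA
               + bytes([54, 4]) + _ip(server_ip)   # server identifier = tunnel server IP
               + b"\xff")                          # end option
    return header + MAGIC_COOKIE + options

def parse(pkt):
    """Decode the fields a client-side capture of the local DORA exchange would show."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    _, _, _, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack("!BBBBIHH4s4s4s4s16s", pkt[:44])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                            # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    as_ip = lambda code: str(ipaddress.IPv4Address(opts[code])) if code in opts else None
    return {
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown"),
        "xid": xid,
        "client_mac": chaddr[:6].hex(":"),
        "your_ip": str(ipaddress.IPv4Address(yiaddr)),
        "server_id": as_ip(54), "mask": as_ip(1), "dns": as_ip(6),
    }

if __name__ == "__main__":
    offer = build_reply(2, 0x1234, bytes.fromhex("001122334455"), "172.16.10.42", "255.255.255.0", "10.1.1.53")
    print(parse(offer))   # server_id is 10.200.200.200, the tunnel server IP, not a pool address
```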

Note: The SA will honor the DHCP parameters pushed down from your server and pass them
down to the VPN client using Juniper's proprietary protocol. However, from the client's
perspective, many of the parameters actually set on the client remain static. See the
following KB articles for more specific information regarding the parameters listed below:
- MAC Address (see KB23018 - What would be the MAC address presented by the SA to the DHCP
server in NC or Junos Pulse)
- Lease Time (see KB19210 - [SSLVPN/MAG] Network Connect clients DHCP lease duration)
- Default Gateway (see KB16551 - Network Connect (NC) default gateway is blank or 0.0.0.0 on
Windows client)
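As an added example (not Juniper's code), the following Python reproduces two checks an administrator would make against the configuration described in this article: which pool addresses an appliance may still assign once a non-wildcard IP Address Filter is applied, and whether the VPN Tunnel Server IP collides with any connection-profile pool. The pool values, the filter and the handling of the "first-lastoctet" pool notation are constructed assumptions.

```python
import ipaddress

# Constructed values (not from the article's appliance). Pools use the article's
# "first-lastoctet" notation; the filter is a hypothetical address/netmask pair.
POOLS = ["10.10.10.10-100", "172.16.10.10-100", "192.168.10.10-100"]
IP_FILTER = "172.16.10.0/255.255.255.0"     # "*" (the default) passes every pool address
TUNNEL_SERVER_IP = "10.200.200.200"          # appliance default named in the article

def expand_pool(pool):
    """Return every address in a pool written as 'a.b.c.d-e' or 'a.b.c.d-w.x.y.z'."""
    first, last = (part.strip() for part in pool.split("-"))
    if "." not in last:                         # short form: only the last octet is given
        last = first.rsplit(".", 1)[0] + "." + last
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"pool {pool!r} ends before it starts")
    return [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]

def assignable(pools, ip_filter="*"):
    """Addresses this SA may hand out: pool addresses that also pass the IP Address Filter."""
    if ip_filter.strip() == "*":
        return [ip for pool in pools for ip in expand_pool(pool)]
    net = ipaddress.IPv4Network(ip_filter, strict=False)
    return [ip for pool in pools for ip in expand_pool(pool) if ip in net]

def tunnel_server_conflicts(server_ip, pools):
    """Pools that contain the VPN Tunnel Server IP; this list must be empty."""
    ip = ipaddress.IPv4Address(server_ip)
    return [pool for pool in pools if ip in expand_pool(pool)]

if __name__ == "__main__":
    usable = assignable(POOLS, IP_FILTER)
    print(f"{len(usable)} assignable addresses, {usable[0]} .. {usable[-1]}")
    print("tunnel server IP conflicts:", tunnel_server_conflicts(TUNNEL_SERVER_IP, POOLS))
```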

IP Address Assignment Flow Chart

For more information on configuring Junos Pulse, refer to the technical documentation here:
1. Go to http://www.juniper.net/techpubs/en_US/release-independent/junospulse/information-products/pathway-pages/junos-pulse/product/index.html
2. Select your Junos Pulse version

PURPOSE:
Configuration
Defect
Implementation
Troubleshooting
