Good morning,
I'll start by saying... I'm an idiot. Thank you lpaniagua for the following statement:
"Chances are that packets from your PC are not reaching the SRX or that a device in between is dropping them and replying instead. Please check that the traffic is reaching the SRX."
This is exactly what was going on, I assume because the Dynamic VPN configuration takes into account untrust to trust only? I was testing from inside the network and I'm guessing that the configuration (taken from the web) doesn't account for trust to trust VPN connections?
Anyway, I worked on this over the weekend and I am getting somewhere, though it still doesn't work properly.
First off, I am able to hit the dynamic vpn index from offsite, but the SRX no longer houses the Pulse client and directs you to download it from the Pulse website. This is fine, I just wanted to see if I could connect to it.
When I launch the Pulse client I get a response that the certificate is invalid; this is expected. I give my local username and firewall and get data back on 4 sessions using:
show security flow session destination-prefix [SRX_External_IP] source-prefix [PC_Public_IP] destination-port 443
All are ins/outs from the Client I am connecting from and the SRX.
At this point the Pulse Secure client just sits and spins on connecting.
The following commands show no connections:
show security ike security-associations
show security ike active-peer
show security ipsec security-associations
show security dynamic-vpn users
I have not set up the packet captures yet since I am not sure it is needed now that I am pivoting from my original issue. If that would still be beneficial then I can set it up.
The version is an older one and I need to upgrade it:
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]
I haven't added the additional licenses yet. Figured I would get it working before adding the 60 of them.
                 Licenses     Licenses    Licenses    Expiry
Feature name         used    installed      needed
dynamic-vpn             0            2           0    permanent
I looked at swapping from xauth to aaa, but since xauth wasn't deprecated until a later release than we are on, aaa isn't an option in the ike gateway.
Anyway, this is where I am now and appreciate any additional thoughts. Thanks again for all of the help so far.
Michael