Since a couple of weeks/months (complaints only started to come in during the last few weeks, except for one), we're facing random VPN disconnects. I can't pinpoint it to an exact period/date. We did however upgrade our SRX 550 for better blocking of video streams, so we thought that was the culprit, and we tried to revert everything back to the previously known working VPN config from March. Also downgraded the SRX. No solution. (I'm sure about the config, I had a copy of the old config and I also compared it with my notes in http://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/td-p/76176 ).
Anyhow, since ShrewSoft is not officially supported, Juniper asks to try with Pulse Secure.
I set it up using the instructions below (credits: http://www.mustbegeek.com/configure-dynamic-remote-access-vpn-in-juniper-srx/ ). Same thing here: the VPN connects, but randomly gets disconnected.
Step 1. Configure Dynamic VPN Users and IP Address Pool
set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rd
set access profile Dynamic-XAuth client Steve firewall-user password P@ssw0rd
set access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool
set access address-assignment pool Dynamic-VPN-Pool family inet network 192.168.97.0/24
set access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.1.10.19/32
set access firewall-authentication web-authentication default-profile Dynamic-XAuth
Step 2. Configure IPSec Phase 1
set security ike proposal Dynamic-VPN-P1-Proposal description "Dynamic P1 Proposal"
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy description "Dynamic P2 Policy"
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
set security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname vpn.izegem.be
set security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
set security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0/0/0.0
set security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth
Step 3. Configure IPSec Phase 2
set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposal
set security ipsec proposal Dynamic-P2-Proposal protocol esp
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
set security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
set security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
set security ipsec vpn Dynamic-VPN establish-tunnels immediately
Step 4. Configure Dynamic VPN Parameters
set security dynamic-vpn force-upgrade
set security dynamic-vpn access-profile Dynamic-XAuth
set security dynamic-vpn clients all remote-protected-resources 10.1.10.0/23
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
set security dynamic-vpn clients all user Jed
set security dynamic-vpn clients all user Steve
Step 5. Configure Security Policy
set security policies from-zone Internet to-zone Trust policy Dynamic-VPN match source-address any
set security policies from-zone Internet to-zone Trust policy Dynamic-VPN match destination-address any
set security policies from-zone Internet to-zone Trust policy Dynamic-VPN match application any
set security policies from-zone Internet to-zone Trust policy Dynamic-VPN then permit tunnel ipsec-vpn Dynamic-VPN
Step 6. Verifying IPSec Connection
root@SRX240> show security dynamic-vpn users
root@SRX240> show security dynamic-vpn client version
root@SRX240> show security ike active-peer
root@SRX240> show security ike security-associations
root@SRX240> show security ipsec security-associations
It gets disconnected randomly in both cases (Pulse Secure or the previous config), even if I directly connect a client laptop on a LAN interface of the SRX. (I know my ISP had some issues with VPN on one of their modems; I wanted to exclude that as the cause.)
With ShrewSoft: internally it stays up much, much longer than if I go over the internet. If I connect from home, I sometimes have to try a couple of times, and I get disconnected within 5 minutes. If I connect my laptop to the router at work which goes to the firewall (so same config, just skipping a whole part), it is more stable but I still get disconnected at random times. Some sort of latency issue?
With Pulse: from home, it's more stable, but still disconnects way too quickly. When I do a constant ping, I sometimes see 1 brief time-out (maybe this is what's causing Shrew to disconnect much sooner).
When connected, everything seems to work as it should.
What should I check, what could still be wrong?
Right now, I'm the only one able to set up a dynamic VPN and connect to it, so let's exclude "concurrent users" as a cause.
I already tried setting lifetime to 86400.
I have a case logged with Juniper, but it hasn't helped me a single bit at all...
We also have a working site-to-site VPN.
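As an added example (not from the post or the tutorial it credits), here is a small Python checker that parses the Phase 1 / Phase 2 `set` lines above into a structure and flags the things a practitioner would want to confirm while chasing drops: legacy IKE algorithms, aggressive mode with a pre-shared key, and a Phase 1 lifetime that is shorter than the Phase 2 lifetime. The sample config is a constructed subset of the post's lines; the "legacy" lists are the script's own assumptions, not Juniper recommendations.

```python
from collections import defaultdict

# Constructed sample: the Phase 1 / Phase 2 lines from the post, reduced to the
# attributes the checks below look at (names and values as in the post).
SAMPLE_CONFIG = """
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
"""

# Assumed "legacy" values: flagged for review, not rejected.
LEGACY = {
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "authentication-algorithm": {"md5", "sha1"},
    "dh-group": {"group1", "group2"},
}

def parse_set_config(text):
    """Map (family, object type) -> name -> {attribute: value} from 'set security ...' lines."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[:2] != ["set", "security"]:
            continue  # not a security stanza, or no attribute/value pair
        family, kind, name, attr = parts[2:6]
        cfg[(family, kind)][name][attr] = " ".join(parts[6:])  # keeps multi-word values
    return cfg

def audit(cfg):
    """Return human-readable findings; an empty list means nothing to review."""
    findings = []
    for name, prop in cfg[("ike", "proposal")].items():
        for attr, legacy in LEGACY.items():
            if prop.get(attr) in legacy:
                findings.append(f"ike proposal {name}: {attr} {prop[attr]} is legacy")
    for name, pol in cfg[("ike", "policy")].items():
        if pol.get("mode") == "aggressive":
            findings.append(f"ike policy {name}: aggressive mode exposes the PSK hash to offline guessing")
    ike_lt = [int(p["lifetime-seconds"]) for p in cfg[("ike", "proposal")].values() if "lifetime-seconds" in p]
    ipsec_lt = [int(p["lifetime-seconds"]) for p in cfg[("ipsec", "proposal")].values() if "lifetime-seconds" in p]
    # Phase 1 is normally configured to outlive Phase 2, since the IKE SA protects the IPsec rekeys.
    if ike_lt and ipsec_lt and min(ike_lt) < max(ipsec_lt):
        findings.append(f"phase 1 lifetime {min(ike_lt)}s is shorter than phase 2 lifetime {max(ipsec_lt)}s")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_set_config(SAMPLE_CONFIG)):
        print("REVIEW:", finding)
```

Paste the full `show configuration | display set` output in place of the sample to run it against a live box; lines outside `set security` are ignored.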