This article documents the circumstances resulting in this issue in Junos Pulse for iOS in version 5.0r4 build 46105, and the solution.
Unable to pass traffic through Junos Pulse on iOS after upgrade to 5.0.4.46105 when the following criteria are met:
- The Secure Access (SA) or MAG Series appliance is configured with AES or 3DES with a 128-bit or 168-bit Cipher Suite (System > Configuration > Security > SSL options).
- The Junos Pulse client on iOS is connected with SSL Transport mode (Users > Resource Policies > VPN Tunneling > Connection Profiles).
NOTE: If DES is configured, then Junos Pulse may not be able to connect at all.
NOTE: This issue may still occur if the Connection Profile is configured to use ESP and the Junos Pulse client falls back from ESP to SSL. This can happen if the client is unable to make an initial connection using ESP or to remain connected using ESP on UDP port 4500.
This issue resulted from changes made to the Junos Pulse client when Per App VPN support was added to Junos Pulse for iOS 5.0R4.
The issue is fixed in Junos Pulse for iOS 5.0r5, which is now available for download on the App Store.
Workaround:
Enable only RC4 Encryption:
1. In the Admin UI, select System > Configuration > Security > SSL options.
2. Choose Custom SSL Cipher Selection.
3. Select only the RC4 Cipher.
4. Uncheck all other Cipher options besides RC4.
5. Select Save Changes.
NOTE: This change will cause all currently connected Network Connect and Junos Pulse tunnels to disconnect and re-connect momentarily in order to use the new encryption option.