Reset Search
 

 

Article

KB23025 - Pulse Secure Terminal Services Client is unable to establish a connection to the Secure Gateway

« Go Back

Information

 
Last Modified Date7/5/2016 8:50 PM
Synopsis

This article explains why the Pulse Secure Terminal Services client might be unable to establish a connection to the Secure Gateway.

Users receive the following error when the Terminal Service bookmark is clicked:

Pulse Secure Terminal Services Client could not establish connection to Secure Gateway.
Click OK to exit and retry.  If the problem persists, please contact Administrator.
Problem or Goal

After authenticating to the PCS device, users will reach the bookmark page. After clicking on a Terminal Service bookmark, the error message above will is appear.

Cause
This issue can occur when one of the following conditions are met:
  • This issue may occur when the IP address of the PCS hostname is mapped to two different IP addresses (due to an incorrect configuration in the public DNS server).
For more information on DNS-based load balancing, refer to KB17848 - Access issues and timeout errors when SA SSL VPNs are in a Load Balancing configuration.
  • Device certificate and its certificate chain may be issued using a MD5 certificate algorithm when using TLS 1.2 or 1.1.
Solution
To resolve this issue, checking the following:
  • Ensure that the public DNS is able to resolve the PCS hostname/Sign-In URL to one IP address.
  • Ensure that pop-up blocker and ActiveX are not disabled in the browser.
  • Test the user experience in different browsers such as IE, Mozilla Firefox, and so on.

If the problem persists, review the debuglog.log (under C:/Users/Public/Logging or C:/ProgramData/PulseSecure/Logging) and confirm if the following log entries appear:
 
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:2539 - 'dsssl' 
InitializeSecurityContext failed. Error 0x80090308
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:2328 - 'dsssl' 
ClientHandshakeLoop failed. Error 0x80090308
dsTermServ.exe dsTermServProxy p6256 t2768 DSSSLSock.cpp:3243 - 'dsssl' 
ApplyControlToken failed. Error 0x80090301
dsTermServ.exe dsTermServProxy p6256 t2768 ncp.cpp:2026 - 'main' 
SSL connect failed. Error 536875113
If the log entries appear, review the device certificate and its certificate chain to confirm which certificate is signed by an MD2 or MD5 algorithm.  

To validate the device certificate and its chain, you can use Symantec SSL Checker.  If the device certificate or an intermediate certificate is signed by an MD2 or MD5 algorithm, please contact the certificate authority to obtain the latest CA and install these on the PCS device.  If the root certificate is using an MD2 or MD5 algorithm, you may delete the problematic CA under Configuration > Certificates > Trusted Server CA's (in the Admin UI). 
 
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255