KB15981 - nc.windows.app.23712 error when launching Network Connect

This article describes several possible reasons and the solutions for each, for a Windows client to receive the error message nc.windows.app.23712. The Network Connect session terminated. Do you want to reconnect? when launching NC.  This error can occur for one or many Windows  users connecting to the same PCS gateway with similar or different Windows versions and client configurations.  

When the error message is displayed to the end user, the end user has the option to click Yes to reconnect, however, upon doing, NC still does not launch and the same error is displayed.  
 

This error message is accompanied with the following entries in the client-side debuglog.log file that can be obtained from the client PC by going to C:\Users\<profileName>\AppData\Local\Juniper Networks\Logging\debuglog.log

00144,09 2009/11/11 07:56:33.203 1 SYSTEM dsNcService.exe dsNcService p0680 t2CC adapter.cpp:914 - 'adapter' Failed to configure adapter after 30 tries
00128,09 2009/11/11 07:56:33.203 1 SYSTEM dsNcService.exe dsNcService p0680 t2CC session.cpp:1022 - 'session' Error in handling config!
00173,09 2009/11/11 07:56:33.203 3 SYSTEM dsNcService.exe dsNcService p0680 t2CC session.cpp:452 - 'session' disconnecting from ive host with reason 4
00130,09 2009/11/11 07:56:33.203 3 SYSTEM dsNcService.exe dsNcService p0680 t2CC adapter.cpp:766 - 'adapter' closing tun adapter 00000380

Or

0187,09 2009/08/20 09:42:13.520 1 SYSTEM dsNcService.exe dsNcService p1996 t7F0 routemon.cpp:972 - 'rmon' Failed to add route
00128,09 2009/08/20 09:42:13.520 1 SYSTEM dsNcService.exe dsNcService p1996 t7F0 session.cpp:1045 - 'session' Error in handling config!
00160,09 2009/08/20 09:42:13.520 3 SYSTEM dsNcService.exe dsNcService p1996 t7F0 session.cpp:469 - 'session' disconnecting from ive host with reason 4 etc.

Refer to the following troubleshooting steps to resolve this issue:

Reason #1 - The Network Connect client installation and/or NC virtual adapter are corrupt.

1. Try uninstalling and reintalling Network Connect from the Control Panel then manually remove the Network Connect adapter so that the adapter can be reinstalled when NC is initiated again.  
2. To remove the NC virtual adapter open the Control Panel and select Device Manager.  From the toolbar, click View and select Show Hidden Devices. 
3. Expand the Network devices section.
4. Locate the Juniper Networks Network Connect virtual adapter then right-click on the adapter and select "remove".
5. Reconnect to the PCS gateway providing the NC connection so that Network Connect and the virtual adapter are reinstalled.  

Reason #2 - NC has been installed on multiple client PC's using a ghost image with NC already installed.

nc.windows.app.23712 error can occur for clients running imaged machines from a ghost image with Network Connect installed.  When Network Connect is installed it binds to the SID of the user account logged into the system and this SID string must be unique.  If the SID string is a duplicate of another PC connecting to the PCS gateway, NC will get disconnected with the 23712 error.

Reason #3 - There are invalid DNS entries in the NC Connection Profile or in the network overview of the PCS device itself.

• Check that the DNS settings are properly configured under Network Overview > DNS domains as well as the DNS settings configured in  Resource Policies > Network Connect > NC Connection Profiles.  

Reason #4 - Network addresses and subnet masks defined in the NC ACL or Split Tunneling Policy are set incorrectly.

• Check the Network Connect Split Tunneling Policies to ensure that there are no networks defined that do not fit within the network and subnet mask entered such as 10.10.10.10/16 when the intended allowed Split Tunneled network is 10.10.10.x.  If a subnet mask is used for a network that only uses the last octect for the available hosts that are to be accessed via NC, then the policy should be defined with a /32 subnet mask. Anything else can cause the 23712 error and NC will not connect.
• Ensure that all subnets defined in the NC ACL's are correct. Use a subnet calculator as needed to set the right subnet mask.

Reason #5 - Media sense on the client PC is disabled 

• Verify that media sense on the client PC is enabled.
• Open a command prompt and run ipconfig /all when Network Connect is not connected.
• Check the status of the Media State and verify that it has a status of Media disconnected.  

Ethernet adapter Network Connect Adapter:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Juniper Network Connect Virtual Adapter - Juniper Network Agent Miniport
Physical Address. . . . . . . . . : 00-FF-08-50-06-89

• If Media Sense has been disabled, then the Network Connect virtual adapter IP will show as connected with an IP address in the 169.254.x.x range or will have an NCIP listed from the last successful connection, even though NC is not connected as per the following example:

Ethernet adapter Network Connect Adapter:

Connection-specific DNS Suffix:
Description . . . . . . . . . . . : Juniper Network Connect Virtual Adapter - Juniper Network Agent Miniport
Physical Address. . . . . . . . . : 00-FF-08-50-06-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 169.X.X.X.
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : X.X.X.X
DHCP Server . . . . . . . . . . . : 10.200.200.20

• To reenable Media Sense on a Windiows client PC use the Registry Editor to locate the following key:

\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

• Check if the subkey DisableDHCPMediaSense is present.  If it is, change the parameter of the subkey from 1 to 0.  (By default, Media sense is enabled on all Windows clients.  Therefore, if the Registry key DisableDHCPMediaSense is not found then it can be safely assumed that Media sense is enabled.

Reason #6 -  Client-side Antivirus or Malware protection software is blocking the NC connection.

• Temporarily disable all 3rd party Anti-Virus, Filrewall and Malware protection on the client PC to see if one or more of these settings are preventing the connection from being established.  If NC launches successfully with all 3rd party AV, FW and Malware software disabled, re-enable them one-by-one, checking the NC connection after each change, and determine which 3rd party app is blocking the NC connection.  Then, fine-tune that application to allow the NC connection.

Reason #7 - Other 3rd party VPN software is conflicting with Network Connect.

• If any other IPsec software is installed on the client, such as Cisco Anywhere or Checkpoint Secure Remote IPSec, try removing the additional 3rd party software as well as uninstalling Network Connect then reinstall the Network Connect client without the 3rd party vendor VPN software and test the connection.
• If the NC client has the Unified Access Control client installed, (OAC) then uninstall OAC and Network Connect then resintall Network Connect and try connecting again. 

Reason #8 - DHCP client services in Windows is disabled.

• Verify that DHCP client services is enabled in Windows by going to Control Panel > Administrative Tools > Services and locating the DHCP client service and verify that it is running and the startup type is set to Automatic.
• Enable or restart the DHCP client services and try launching Network Connect again.

Reason #9 - The Windows user profile is corrupt.

• Create a new Windows user profile on the affected PC and run Network Connect from the new profile.  If it works, then this would indicate that the NC instance within the default profile is corrupt or there is corruption within the profile itself.  To resolve this issue, delete the existing user profile and recreate it, then reinstall Network Connect.  

Reason #10 - There are unknown registry corruption issues on the client PC

• Reimage the client PC with Windows and reinstall Network Connect.