KB40239 - ESP mode fails or fails over for all Network Connect and Pulse Secure Desktop client users causing frequent disconnects with 8.2R1 to 8.2R2

Information

 
Last Modified Date: 6/19/2017 7:02 PM
Synopsis
This article describes an issue where, after upgrading to 8.2R1 or 8.2R2, Network Connect and Pulse clients are not able to connect via ESP mode. All VPN Tunnel users fail over to SSL mode until the Pulse Connect Secure (PCS) device is rebooted.
Problem or Goal
After a certain amount of time, ESP transport mode fails or fails over to SSL for VPN tunneling clients that are connected or attempting to connect. This issue occurs when all of the following conditions are met:
  • Network Connect and Pulse Secure Desktop users are connecting to a PCS device running 8.2R1, 8.2R1.1 or 8.2R2, with no symptoms or problems in previous builds.
  • After upgrading, the issue may take some time to manifest, as it depends on the number of NC tunnels that have been set up since the last reboot.
  • When the issue is triggered, all active VPN tunnels that are connected via ESP are failed over to SSL, and any additional users will not be able to reconnect.

Important Note: If any VPN Tunneling Connection Profiles are configured to allow ESP transport only (as seen in the screenshot below), then VPN Tunnel users will not be able to establish a VPN tunnel using SSL and these connections will be dropped.

User-added image

Cause
The issue occurs due to a software bug when the total number of VPN tunnels exceeds 16,000 tunnels. When the PCS device is rebooted, the counter restarts from 0.

This issue affects the following releases only:
  • 8.2R1
  • 8.2R1.1
  • 8.2R2
Solution

To resolve the issue, please upgrade to 8.2R3.1 or above. This is available at the License and Download Center at https://my.pulsesecure.net.

To verify this issue, open a case with Pulse Secure Support Center and provide the following logs:

  • Enable debug logging (under Maintenance > TroubleShooting > Debug Logging) with the following parameters:
    • Event codes = ipsec
    • Debug Log Detail Level = 30
    • Max Debug Log Size = 50 MB
  • Once debug log is enabled, leave this enabled for 1 to 2 minutes.
  • After 1 to 2 minutes, disable debug logging and take a system snapshot (including debug logging and system config).

Please open a support case and attach the encrypted system snapshot.

Created By: K. Kitajima
