KB43981 - VPN Only Access with resolvable address (location awareness rule) with more than one connection will cause the lock down firewall to start after the VPN tunnel is created with Pulse Desktop Client 9.0R1 / 5.3R6 and below

Information

 
Last Modified Date: 12/20/2018 3:59 PM
Synopsis
This article describes an issue where Pulse Desktop Client 9.0R1 / 5.3R6 and below fails to reach any resources after the VPN tunnel is created when one or more connections are configured with a location awareness rule.
Problem or Goal
With Pulse Desktop Client 9.0R1 / 5.3R6 and below, end users may experience network connectivity issues with resources through the tunnel because the lock down firewall is started after the VPN tunnel is created.

This issue applies when all of the following conditions are met:
  1. Pulse Desktop Client 9.0R1 or 5.3R6 and below is installed
  2. Location awareness rule is configured for more than one connection
  3. Lock down feature is enabled on all connections
Cause
This issue occurs because location awareness rules are evaluated each time a network interface changes, and the creation of a VPN tunnel is itself an interface change. If a location awareness rule evaluates to false, the VPN tunnel for that connection is not attempted and lock down mode is enabled. Because the rules are re-evaluated once the tunnel is up, lock down mode is activated at that point and blocks all network connectivity.
Solution
To resolve this problem, please upgrade to Pulse Desktop Client 9.0R3 and above.


Recommended Configuration:

In Pulse Desktop Client 9.0R3 and above, the logic was changed to stop evaluating location awareness rules for any connections with the same server-id attribute after a VPN tunnel is created.  When deploying lock down mode with multiple connections, the recommendations are the following:
  1. All connections must be created from one Pulse Connect Secure device to ensure the same server-id attribute is populated.  If there are multiple PCS devices, export the connection using XML export (from the master) and import to all other devices.
  2. Configure the same location awareness rule for all connections.
  3. Enable lock down mode for all connections.  (For lock down mode to be disabled during a connection attempt, the feature must be enabled on that connection.)
  4. The recommended deployment method is for all connections to be manual.  If an automatic connection is required, only one connection can be automatic, to avoid multiple connections starting at the same time.
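The following is an added illustration, not Pulse Secure code: a simplified model of the rule re-evaluation described under Cause and of the server-id check introduced in 9.0R3. The connection names, the "connect when the internal host is not resolvable" rule, and the assumption that the connection owning the tunnel is never re-evaluated are constructed for this example; it also shows why recommendation 1 (same server-id on all connections) matters.

```python
# Added example modelling this article's behaviour; NOT Pulse Secure's implementation.
# Connection names, the rule and the evaluation order below are assumptions.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

NetState = FrozenSet[str]          # host names the client can currently resolve
INTERNAL_HOST = "intranet.corp.example"   # constructed name of an internal resource

@dataclass
class Connection:
    name: str
    server_id: str                 # populated from the PCS that created the connection
    rule: Callable[[NetState], bool]   # location awareness rule: True => attempt VPN
    lockdown: bool = True          # lock down firewall enabled on this connection

def vpn_only_rule(internal_host: str) -> Callable[[NetState], bool]:
    """'VPN only access' style rule: connect when the internal host is NOT resolvable."""
    return lambda net: internal_host not in net

def evaluate(conns: List[Connection], net: NetState,
             tunnel_owner: Optional[Connection] = None, fixed: bool = False) -> bool:
    """Re-run the rules after an interface change; return True if lock down ends up active.
    fixed=False models 9.0R1 / 5.3R6, fixed=True models 9.0R3+."""
    lockdown_active = False
    for c in conns:
        if tunnel_owner is not None:
            if c is tunnel_owner:
                continue   # assumption: the connection owning the tunnel is not re-evaluated
            if fixed and c.server_id == tunnel_owner.server_id:
                continue   # 9.0R3+: connections sharing the tunnel's server-id are skipped
        if not c.rule(net) and c.lockdown:
            lockdown_active = True   # rule false: tunnel not attempted, lock down enabled
    return lockdown_active

def build_connections(same_server_id: bool) -> List[Connection]:
    rule = vpn_only_rule(INTERNAL_HOST)
    a = Connection("Corp-A", "pcs-1", rule)
    b = Connection("Corp-B", "pcs-1" if same_server_id else "pcs-2", rule)
    return [a, b]

def simulate(same_server_id: bool, fixed: bool) -> bool:
    """Return True if the client is locked down right after the tunnel comes up."""
    conns = build_connections(same_server_id)
    off_site: NetState = frozenset()                    # before tunnel: host not resolvable
    assert not evaluate(conns, off_site, None, fixed)   # rule true -> tunnel attempted
    on_tunnel: NetState = frozenset({INTERNAL_HOST})    # tunnel up: host now resolves
    return evaluate(conns, on_tunnel, conns[0], fixed)  # tunnel creation = interface change

if __name__ == "__main__":
    print("9.0R1, two connections, same server-id:  locked down =", simulate(True, False))
    print("9.0R3, two connections, same server-id:  locked down =", simulate(True, True))
    print("9.0R3, two connections, different PCS:   locked down =", simulate(False, True))
```

With the 9.0R3 logic the lock down only stays off when every connection carries the tunnel's server-id, which is exactly what exporting the connection set from one PCS guarantees.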
Created By: K. Kitajima