Network Connect Error message



  • When my manager launches Network Connect he receives the following error message:

    The secure gateway denied the conneciton request from this client
    (nc.windows.app.23791)

    Confirmed he is running Norton Internet Security Suite 2006. He is not running another VPN client on the machine.

    I am running Norton Internet Security Suite 2005, however I am not having any problems launching Network Connect.

    Has anyone seen this error message before?

    -Lisa



  • By the way - with IVE OS 6.0R1 the awfull error 791 is still alive!
    I found two clients with this problem.

    I think nearly everyone sometimes has contact with this error message.
    I dont understand why juniper does not fix this or find out whats going wrong with this. I think this is fixeable!

    I will try with the windows hotfix for loopback IPs. Maybe thats the problem, if all other blocking reasons (client firewall…) are excluded.



  • I mean - a route on the router where the IVE is connected. There must be configured a route like

    ip route 100.100.100.0 255.255.255.0 132.132.132.1

    If the VPN Client IP Pool is 100.100.100.0/24 and the internal IP of the IVE is 132.132.132.1



  • have you configured a static route, so that traffic from the internet can be routed to the VPN Ip Pool IP Adresses?



  • I think you have a missconfiguraton somewhere.
    Does your network connect not start? The client does not get a ip?
    have you configured IP filter?



  • We tried that and it did not work either. I could not find anything in the logs, but there is a lot of information and I am still looking through the policy trace.



  • Why not configure the VPN IP Pool directly on the Juniper Secure Access Apliance?

    I dont know any benefit of using an external DHCP Server for the VPN Clients, and the DHCP Server on the Juniper Box works as expected.



  • I am having this same issue with 6.0r1 (build 12023). The difference is mine started when I switched to Adonis 1000 DNS/DHCP Appliances. I have two of these appliances in an active/active configuration for DHCP and the ip address assignment failed every other time I would try to connect. I turned off the active/active and connections began working again. However, now every fifth connection attempt I receive the error message. Any ideas would be greatly appreciated.

    -chris



  • I am having the same issue, as above, and no, as opposed to my previous statement, it is NOT as a result of NAV. The problem seems to be related to the proxy settings. In my corporate environment, as above, the workstations receive their proxy settings through a GPO, and disables the option in the browser. This prevents the NC client for requesting the proxy information, as it does to a non AD PC, and the error occurs. If a non AD pc is connected to the network, after clicking on “Start” the proxy settings window pops up, you can enter relevant info, and the client connecgts without problem. I have the 5.4 version of the SA700, so what can be done for this to be resolved??



  • Hi, I would just like to say that I have the same problem with an NC.23792 error code when running Windows XP as a virtual machine on two Mac computers that I have running the most recent version of OS X?  This began happening on both computers a little more than a week ago?  Previously, I was trouble-free. Does anyone know whether a security patch in XP could have caused this problem? I am willing to investigate updates in OS X as well.



  • :roll:I can see no can answer this. Juniper Tech Support looks like they do not know either. They sent me a listing of error codes with literal text book solutions. I can’t understand how this was working perfectly and now this error keeps coming up. :?



  • Its not the PAC. Tried several machines with IE 6 and no proxy sets on any.



  • I have also seen this secure gateway denied access in the following scenario - corporate proxy settings are set within the browser  (we use IE 6) that need to be turned off prior to connecting.  NC creates a PAC file for the proxy settings and when we left the browser settings on as well - we would get the message.  We also found that that when a user does not close out of NC gracefully (Sign Out) it can leave the PAC file reference in the auto config portion of the Proxy page in IE and cause this error. Making sure that portion of the page is unchecked and clear of the .pac file reference cleared some issues like this as well. Hope this helps someone.



  • I am on a network with SAV corp. I killed both my Firewall and and SAV and I get the 23791 and 23679 errors. I though it was the windows updates so I did restore and still get the errors. Could the external port be an issue? Looks like my ITD changed the external ip but I get the error internally as well. What has to be looked at?



  • In summary:
    dsNcService.exe - Requires full access to 127.0.0.1 and access to the IVE IP.
    dsNetworkConnect.exe - Requires full access to 127.0.0.1



  • Ok, I managed to take in a laptop onto the corporate network, and setup the proxy etc, and I can confirm that the cause of the problem is norton AV. (Surprise surprise…) I had a copy of NAV, but I got a prompt asking me if I wanted to allow the DsNcservice.exe - which I allowed, and it all worked fine.
    The problem however, is that local clients, even with admin rights, can’t change any settings on the corporate edition of NAV. This has to be done on the servers, which are off site - is there any way around this to allow these two services to run (dsnetworkconnect.exe)? If not, how will I instruct the Server engineers what ports these services run on, to allow them to open up the access? I guess this is a question for the Norton people, but thanks for your previous help anyway.



  • Try uninstalling the client, all Juniper clients. I notice it can pick up DLL’s from other installs.
    23791 means something’s not letting the client load ok - firewall, anti-spyware, etc.
    If you can you might try 5.5 to see if the behaviour is the same.



  • I have got the same problem as Venkat, above. I have just upgraded the OS to thelatest reliease - 5.4R3 - but no change. I use IP pools, and the corporate network seems to be the only common denominator. Can any settings on the PC’s prevent the virtual adaptor from loading?
    Cheers,
    ZM



  • First, what code are you running? Not having access to UDP/4500  means the client will negotiate using SSL (as opposed to IPsec). This works fine but is much slower. UDP/4500 is the known port for NAT-Traversal - see if you can get this opened inbound to the external IVE IP.

    The 23791 error is partially a host problem - something blocking access. Try this “tcpview” - it’s free and shows you what process is binding to what port…
    http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

    The other part of 23791 are bugs in the IVE code I believe. I recommend going to 5.3R9 (or 5.3R10 is you use secure meeting) for a stable production release.



  • I am having a set of users who need to connect to a remote SSL VPN server. THey are facing this issue.THese users are behind a corprate firewall that allows access only to the SSL port(443)  of the VPN server. The strange thing is the conenctivity works for 1 laptop alone. The OS (XP SP2), patches, etc are similar. The error message is “The secure gateway denied the connection request from this client” (nc.windows.app.23791)
    (I don’t administer the VPN server and I am able to access the VPN from a direct DSL connection).
    I have checked and found that the PCs are not having any personal firewall/VPN software. Windows Firewall is also disabled.
    Can anyone guide me what could be wrong or at least where to look.

    Venkat


 

33
Online

38.4k
Users

12.7k
Topics

44.5k
Posts