Network Connect errors running on 6.4R2

  • Hi, I'm just not sure why my configuration on SA 4500 got this kind of error:

    Network Connect errors

    I already checked the KBs and I got no luck.

    Please help if you already have any solutions…


  • Reapply a Not good solution……

    Don't use so much technical language.
    Give a solution stepwise…

    Otherwise Jupiter is a geek software without any real use…

    Tell me how many people get this stupid error message 23791 and how many get the real solution from this page…

    NONE… that's the truth from our uni survey…

    If you create a nice software, try to minimize the error…

  • Receiving Network Connect errors and
    Knowledge Base ID: KB8619
    Version: 4.0
    Published: 07 Oct 2008
    Updated: 07 Oct 2008
    Categories: SSL VPN


    When installing Network Connect I receive the error (when connecting with Network Connect in IVE OS 5.2 and higher) or the error (when connecting with Network Connect in IVE OS 5.0 and 5.1).  What is causing the error and how do I workaround the issue?


    When using Network Connect and connecting to the Secure Access via dial-up receive the following popup (this error is not limited to dial-up):

    The secure gateway denied the connection request from this client (
    This error means Network Connect is unable to establish a connection with the secure gateway.

    A variety of causes can contribute to this error, such as:

    The Bonjour component of iTunes or Adobe CS3 software or other software.  (Bonjour can be disabled or uninstalled leaving iTunes or Adobe or any other software that installed it.)
    Cisco VPN software needs to be uninstalled and installed after Network Connect is installed first.
    A firewall preventing Network Connect from establishing a connection.

    The key to determining where to start troubleshooting is analyzing the following:
    Who is affected by the error? Are all Network Connect users or a few Network Connect users affected?

    If all users are affected, the issue could be a configuration setting in the SSL VPN
    If only a few users are affected, it could be a software compatibility issue.

    When did the issue begin?

    Was the anti-virus software recently updated?
    Was the Sun JVM recently updated?
    Any upgrades to IVE OS?
    Microsoft Update recently run?
    Any network route changes?
    Any changes to the firewall rules?
    Is another host using the IP that is being leased to the end user?


    The can be caused by many different issues. Below is a list of possible solutions, split into Client side solutions and Server (Admin) side solutions, along with a list of general guidelines when using Network Connect.

    General Guidelines
    Sun JVM is required for Network Connect:  Consider using Sun Java JVM 1.4.2_04, 1.4.2_06 through 1.4.2_15, or 1.5.0_03 or 1.5.0_06 through 1.5.0_13 (Available from Sun Archive: Java[tm] Technology Products Download )

    For IVE OS 4.0 through at least IVE OS 6.0 - Minimum version of Java version 4 is:

    Sun JRE 1.4.2_04
    Sun JRE 1.4.2_06
    Sun JRE 1.4.2_15 (Released August 2007)  Update 15 is the only version that works with Win 98/Me/NT/XP/Vista, Netscape 7, IE6, IE7, and IVE OS 4.x through 6.x
    For IVE OS 5.2 through at least IVE OS 6.0 - Minimum version of Java version 5 is:

    Sun 5.0 J2SE 1.5.0_03
    Sun JRE 1.5.0_13 (Released 05-Oct-2007)

    Sun JVM version 6.0 or 1.6.0 will only work with IVE OS 5.5, 6.0 and higher.

    It is best to have only one version of Sun JVM installed at a time unless you have a very specific reason.  Having multiple versions of Sun JVM installed at one time can result in Java not working properly for any application that requires Java.  Try uninstalling all versions, reboot, and then install the only version you want to use that you know works.  Please consider unchecking Check for Updates Automatically under the Update tab in Java control panel.

    Upgrades - If you have recently upgraded the IVE OS, multiple versions of Network Connect can be installed without an issue. If some users do experience, try having the end user uninstall all versions of Network Connect. This is particularly more relevant if the previous version of Network Connect was 4.x. After uninstalling, also remove the directory C:\Documents and Settings\[user name]\Application Data\Juniper Networks\Network Connect

    Certificates - Beginning with IVE OS 5.5R1, Network Connect drivers are digitally signed.  Check if driver signing is required in Control Panel > System > Hardware > Driver Signing

    Client Side Solutions
    Application Blocking or Conflicting- Check if an Anti-Virus, Anti-spyware, or other Internet Security software is blocking/preventing the connection. To check, temporarily disable the suspected application. If Network Connect works correctly while the application is disabled, consider adding a rule within the software/application to allow the Network Connect service.

    Common software applications to check:

    McAfee Privacy Suite 6.x (version 7.x works fine with NC)
    Escan Antivirus
    Adobe - some versions of Adobe software use Bonjour – a component which must be disabled or uninstalled. Bonjour (comes with Adobe, iTunes, and other software)
    Ruckus music sharing/downloading software uses Bonjour networking as well
    IPass authentication
    Cisco client 4.5
    Cisco VPN client 3.6 (the latest version is fine)
    Other VPN clients should be removed at least for testing purposes
    Hummingbird – this software may work if it is installed after Network Connect. If you recently upgraded, Hummingbird may need to be uninstalled and reinstalled.
    For more information: KB9216 - Network Connect: How do I check if the software installed on my client station is preventing access?

    Software Firewall - Is a software firewall blocking or preventing port 443, port 4500, or the loopback address from working correctly?

    Vista Personal Firewall must have port 443 in exceptions.
    Kerio Personal Firewall (versions older than 4.2.1). Must be upgraded or uninstalled.
    For more information: KB9216 - Network Connect: How do I check if the software installed on my client station is preventing access?

    Wireless - If using a Verizon wireless card (or Cingular or similar wireless modem), try disabling compression.  For other wireless connections, and if accompanied by a Windows error relating to svchost.exe, consider adding Microsoft KB916089

    Winsock issue - If the end user is running a Dell with XP SP2, please try:

    Browse to: Start > Run . Enter cmd to enter the command prompt window and issue the following commands:


    It is mandatory to restart the PC for this to take effect.

    IPSec client - If any other IPSec client is installed, such as Cisco, CheckPoint Secure Remote IPSec, try removing the client, installing NC and then reinstalling the client after Network Connect is installed.

    DHCP Client Service - Make sure that the DHCP client service is running on the end user’s PC.

    Documents and Settings directory - Make sure this directory is not encrypted.

    Test another profile or computer - Confirm the issue is not user profile or system specific by testing with a different user profile or have the user test using a different computer system.

    Server (Admin) Side Solutions
    Connection Profile- The profile can define an IP pool, use UDP 4500 from the user to the SSL VPN, use IVE DNS first, etc. Issues with the Connection Profile can generate the following errors:

    Items to check:

    Existence of a Connection Profile - Using the Admin UI, check Resource Policies > Network Connect > Network Connect Connection Profile to ensure a profile is assigned to a user role. errors typically occur if a Connection Profile does not exist.  In IVE OS 5.2 and higher, or is generated when the Profile does not exist.  To resolve the issue, create the connection profile.

    IP Pool - A connection profile provides access to utilize the SSL VPN built-in DHCP Server to lease IP address from a DHCP pool. The IP addresses can be in the same subnet as the internal port or alternately use any other not-in-use IP addresses. If you want to use an IP pool or addresses that are not in the same subnet as the internal port of the SSL VPN, you must define a network route on your routers so that the internal resources (end users) have a route back to the Network Connect leased IP using the SSL VPN as the gateway. The SSL VPN internal port will be the route’s gateway.  If the IP being leased is already in use, this can cause a error. If a network route does not exist but is needed, this will result in bytes sent but not received.

    IP pools can be the same IP range set in multiple Network Connect Connection Profiles but must be IP addresses not in use anywhere else on the network.

    DNS Settings - Ensure at least one of the DNS and WINS fields have a server specified. If using Split Tunneling, change the DNS setting to use the IVE DNS first.,, and are errors indicating a missing DNS server entry.

    NCP Setting - In the Admin UI browse to System > Configuration > NCP and make sure that Autoselect is enabled and that numeric values exist.  (It is important to check this after an upgrade; specifically if errors start after an upgrade.)

    Static Network Routes - Static network routes only need to be set on the network routers when leasing an IP pool that is not in the same subnet as the internal port of the SSL VPN.

    Using traceroute, or similar tool, analyze the packet route information. Where does the packet stop?

    If bytes are sent but not received, this can indicate a network route is needed for traffic to route from a server through the SSL VPN as the gateway to the end user.  When setting a Network Connect Connection Profile IP Pool that is not in the same subnet as the internal port of the SSL VPN, it will require that static network routes be set on network routers.

    If you have an active/active cluster, define which node will be handling which portion of the IP pool defined for all users in a Network Connection Profile by using System > Network > Network Connect with different filters in each node of the cluster.  Settings under System > Network are saved in the system.cfg and are unique to each node.  (The user.cfg is shared with all nodes of a cluster.)  An example in System > Network > Network Connect might be node1 whereas node2 has with either a shared IP pool of or each node set with its own node-specific IP pool.

    Access Control issues affecting all users :

    Comma Delimited port list - Browse to Resource Policies > Network Connect > Access Control and check if any ports are listed with commas. If so, try creating the ACL using only a range or one port.  Comma delimited ports in some builds may result in a denial of access to all internal resources and can cause a errors.

    For more information on comma delimited ports, refer to: KB9967.  Note: if comma delimited ports exist in an ACL that does not apply to the role the users are role mapped to, it can still affect users.  If the IVE OS was recently upgraded and users are receiving the even though no changes have been made, consider reviewing KB9967.

    Protocol - It is required that all entries in the Access Control List start with a protocol.  For example, in the Admin UI > Resource Policies > Network Connect > Access Control List > an entry exists for Change this to: tcp://

    Subnet Mask - In the Access Control List, if you are specifying a subnet mask for one IP address, use the subnet  If you specify an IP address and the last octet is not 0, you cannot use a subnet mask of or it can cause an error.  You could, however, use a different subnet mask such as or

    Hardware Firewall - Check if a hardware firewall is blocking UDP 4500.

    Proxy Server settings affecting all or some users - Check the User’s browser proxy settings.
    Transparent proxies are not supported.
    Authenticating proxies can work but may need some attention.
    If there is an internal or external PAC file in use, it may need to be modified to include exceptions for the SSL VPN.

    Additional Troubleshooting
    If the above information did not resolve the issue, consider the following:

    Uninstall / Reinstall - Try uninstalling Network Connect, rebooting the system and reinstalling Network Connect. It is best to reinstall after deleting the directories listed below. Also, install using the Network Connect self installer.

    To manually remove Network Connect:

    Go to Add/Remove Programs
    Locate Network Connect and choose uninstall
    Delete the directories:

    C:\Documents and Settings\[User name]\Application Data\Juniper Networks\NetworkConnectxx.
    C:\Program Files\Juniper\NetworkConnectxx.
    C:\Program Files\Juniper\Common Files.
    Clear cache and cookies.
    Reboot the PC
    Connect to the SSL VPN and attempt to install Network Connect using Admin UI > Maintenance > System > Installers.

    If the error continues, try uninstalling NC and uninstalling the JVM on the client. Once uninstalled, install JVM 1.4.2_04 or 1.5.0_03 and then reinstall NC using the executable from IVE Admin Console System Installers.

    Collect Logs - Enable client side logging for Network Connect and run the diagnostic tool.

    In the Admin UI under logging, enable client side logging for Network Connect.
    Click on Start > Programs > Juniper Networks > Network Connect and run Network Connect troubleshooting.
    Click on the diagnostics tab and select start diagnostics
    Click copy to logs.
    Select the logs tab, then click on Explore Log files.
    Close the program and open a support case. Attach all of the log files from C:\Documents and Settings\<username>\Application Data\Juniper Networks\Network Connect 5.x.x folder to the JTAC case.

    If you have an internal or external PAC file in use, upload it along with a Visio or network diagram identifying the location of the Proxy Servers in the network.

    For more detailed information on collecting logs, please see KB9307 and KB9218



    KB9967 - After upgrading to IVE OS 6.0 R1 users get due to comma delimited ports in NC ACL

    KB9306 - How to troubleshoot launching/establishing a connection with Network Connect

    KB9307 - How to troubleshoot issues where Network Connect won’t stay connected

    After upgrading the IVE OS, end users get

    KB9218 - How to collect the Network Connect logs when opening a case with Juniper Technical Support
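
An admin-side pre-check for the Connection Profile and Access Control items listed in the KB text above, as an added example that is not part of the thread or Juniper's own tooling. It assumes the IP pool is given as a start/end address pair and that ACL entries have the form protocol://host:ports; every address and entry below is constructed sample data.

```python
import ipaddress

def pool_needs_static_route(internal_port, pool_start, pool_end):
    """True when the pool is not wholly inside the internal port's subnet,
    i.e. routers need a route back to the pool via the internal port."""
    subnet = ipaddress.ip_interface(internal_port).network
    ends = (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
    return not all(ip in subnet for ip in ends)

def pool_conflicts(pool_start, pool_end, in_use):
    """Addresses already in use elsewhere that fall inside the pool range."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    hits = [ip for ip in map(ipaddress.ip_address, in_use) if lo <= ip <= hi]
    return [str(ip) for ip in sorted(hits)]

def lint_acl(entries):
    """Flag entries with no protocol prefix or a comma-delimited port list.
    The entry layout protocol://host:ports is an assumption of this example."""
    findings = []
    for entry in entries:
        scheme, sep, rest = entry.partition("://")
        if not sep or not scheme.isalpha():
            findings.append((entry, "missing protocol prefix"))
            rest = entry
        _host, colon, ports = rest.rpartition(":")
        if colon and "," in ports:
            findings.append((entry, "comma-delimited ports"))
    return findings

# Constructed sample configuration (not taken from any real appliance).
INTERNAL_PORT = "10.10.1.5/24"
POOL = ("10.10.2.100", "10.10.2.150")
IN_USE = ["10.10.2.120", "10.10.9.9"]
ACL = [
    "tcp://10.20.0.0/24:8000-8100",   # range: fine
    "tcp://10.20.0.5:80,443",         # comma-delimited ports
    "10.20.0.9:80",                   # no protocol prefix
]

if __name__ == "__main__":
    print("static route needed:", pool_needs_static_route(INTERNAL_PORT, *POOL))
    print("pool addresses already in use:", pool_conflicts(*POOL, IN_USE))
    for entry, problem in lint_acl(ACL):
        print(f"ACL {entry!r}: {problem}")
```
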