Pulse Secure Desktop Client Failing

tagfoto

Hey all - my company uses Pulse Secure and Duo for VPN authentication. I am obliged to use a Windows 10 laptop (company provided) to access the VPN as Unix is not supported and so I am out of my element. Making things even more complicated - I do not have admin rights on the company box. Until recently the VPN worked well. On boot I would login to Windows and immediately be prompted by Pulse Secure to enter my Duo passcode. At that point the desktop would load and I could access my databases via putty (I'm a DBA). As of 20 January this login behaviour changed. Once I enter my Windows login credentials I am immediately taken to the desktop. A couple of minutes later I get a Pulse error message:

Pulse Secure Desktop Client. Your connection has failed. Reason: logins temporarily disabled from this computer. (1330).

Running the Pulse client manually produces the same error.

Nothing config related was modified on my box and the Network Admin tells me nothing was changed on his side either. I use T-Mobile 5G and it works surprisingly well. My logs on my NetBSD box show that my IP was changed on 19 January which may or may not be related. My Gateway device (Sagemcom Fast 5688W) uses DHCP and the IP has changed before without impacting anything.

The laptop behaves normally in all other respects - accessing the web via browsers and accessing the other boxes on my LAN (Ubuntu, Slackware and NetBSD).

Bottom line: I don't know if this is a Windows issue, a Pulse issue or a T-Mobile issue. Likewise I don't know if the issue is on my side or at the company data center so I don't know where to start the bug hunt.

Because I don't have an account with Ivanti I can't use their tech support. Any help most appreciated!

- Thomas
 
Welcome to the forums @tagfoto.

Isn't this your company's IT problem?
 
Since you don't have admin rights on that laptop, there is little that you could do to fix this yourself even if the community here tried to help you. That will have to be sorted out by the tech support of the company that manages your laptop unfortunately.

If your public IP has changed at around the same time then it's possible that on the server side they use a whitelist to determine which IP addresses are allowed to connect. That will need to be sorted out by them - only they know what kind of setup they have on the server side of things.
 
> Welcome to the forums @tagfoto.
>
> Isn't this your company's IT problem?

Hi, I ride motorbikes and do my own oil changes, drive chain adjustments, etc. It's faster (cheaper) and gets done right. Regarding this specific issue, I brought this to my Network Admin and he has no idea what's happening. So I could wait for my colleagues to figure it out or do it myself and get back in the saddle. Given that I am on call for database issues 24/7 it's better to fix this sooner rather than later! You know how it goes, start the bug hunt by ruling out possible explanations - that's where I'm at as we speak. The other thing is, total failure is easier to diagnose than intermittent. A fellow Triumph rider posted last week saying that he had washed his Bonneville and then it wouldn't start. The answer from several experienced riders? Spray some WD40 on the kill switch. Simple, fast and for this guy - effective. Have a good one!
 
With no admin access, there is little for you to spray WD40 on. Just saying...
 
According to this:
the error message code is “kMsgEapAMErrJuacIpBlocked”.

Try to force an ISP IP change somehow, or go back to the tech support guy.

Do you have access to the Windows Event Viewer? There should be a Pulse log under “Applications and Services Logs/Pulse Secure/Operational”.
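
One way to pull the entries for this error out of that log from PowerShell (an added example, not part of the reply above). It looks up the log name by wildcard rather than assuming it; the seven-day window and the match strings, taken from the error text quoted in this thread, are assumptions.

```powershell
# Added example, not from the thread.
# Reading these logs normally needs no admin rights, but that depends on local policy.
$since = (Get-Date).AddDays(-7)   # constructed window; widen to cover the first failure

# Discover the channel name instead of hard-coding it
$logs = Get-WinEvent -ListLog '*Pulse*' -ErrorAction SilentlyContinue
if (-not $logs) {
    throw 'No event log with "Pulse" in its name is visible to this account.'
}

foreach ($log in $logs) {
    # Filter by time on the provider side, then match the message text locally
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '1330|IpBlocked|temporarily disabled' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}
```

The timestamp of the earliest match can be compared with the time the public IP changed.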
 
> With no admin access, there is little for you to spray WD40 on. Just saying...

I'm just a unix guy adrift in a windows world so I have always found ways around not having admin rights on a windows box. For example, the FAR Manager has Netbox so you can scp files from a Norton Commander style UI. Also many of Stallman's GNU utils have been ported to windows. Vim too. No install necessary for these apps. Apache and Postgres can also be installed without admin rights. And of course putty too. I don't use an IDE, I have FAR on windows and Midnight Commander on BSD and Linux because they are great tools. I get the job done somehow!

So what was wrong here? Well, I did some research. Several users had complained to T-Mobile about VPN issues when everything else worked fine. So I hooked up an old router and modem combo to a Spectrum line (no longer used but haven't had time to return to close the account). Pulse worked. I called T-Mobile and they ran diagnostics and did some conf. They actually admitted it was a known problem. Wow. Once they finished I power cycled the gateway (Sagemcom Fast 5688W) to flush the ram and lease a new IP. That worked. A lot of times when you have consistent failure it's something stupid - like when you forget to put gas in your Suzuki S40 and stall out on Hylan Boulevard. Not that I ever did that...

So what do you do? I write database apps using the LAPP protocol stack (Linux - Apache - Postgres - Perl).

Anyway, thanks for your support - I do appreciate it. Be Well.
 
I like the out-of-the-box thinking here!
 
This is likely more for the IT folks - with TMobile Home Internet - one needs to reduce the MTU size down for the VPN client app - I would try MaxMTU of 1420, and adjust from there.
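
A way to measure what the path actually carries before picking an MTU value (an added example, not part of the post above). It binary-searches the largest IPv4 ping payload that passes with Don't Fragment set, using the stock Windows `ping.exe`, which needs no admin rights; the target name and the search bounds are assumptions.

```powershell
# Added example, not from the thread.
param(
    [string]$Target = 'vpn.example.com',  # placeholder; use a host that answers ping
    [int]$Low  = 1200,                    # payload size assumed to pass
    [int]$High = 1472                     # 1500-byte MTU minus 28 bytes of headers
)

function Test-Payload([string]$HostName, [int]$Size) {
    # -4 IPv4, -n 1 one echo, -w 2000 ms timeout, -f Don't Fragment, -l payload size
    $out = & ping.exe -4 -n 1 -w 2000 -f -l $Size $HostName 2>&1 | Out-String
    # Only a real echo reply contains "TTL="; the exit code alone is unreliable
    return $out -match 'TTL='
}

if (-not (Test-Payload $Target $Low)) {
    throw "No reply at $Low bytes; ICMP may be filtered or the host is down."
}

# Invariant: $Low is known to pass, everything above $High is known to fail
while ($Low -lt $High) {
    $mid = $Low + [int][math]::Ceiling(($High - $Low) / 2.0)
    if (Test-Payload $Target $mid) { $Low = $mid } else { $High = $mid - 1 }
}

$pathMtu = $Low + 28   # 20-byte IPv4 header + 8-byte ICMP header
"Largest unfragmented payload: $Low bytes; path MTU: $pathMtu bytes"
```

A result below 1500 means full-size packets are being fragmented or dropped on the path; the VPN adapter's MTU has to sit below the measured value by the tunnel's own encapsulation overhead.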
 
