Pulse Secure not working after switching between Pulse Secure VPNs

Dears,
We are having an issue with Pulse Secure VPN where we have users that use multiple Pulse Secure VPNs to perform their work. If a user reboots their PC and connects for the first time on a Pulse Secure VPN, all works fine, but if he disconnects from a Pulse Secure VPN and tries to connect again, then VPN authentication fails.

The only way of making VPN work again after connecting on a Pulse Secure VPN is to restart the Pulse Secure client service on Windows 10. We updated Zscaler client connector to the latest version, but the issue persists. Any good idea of how to resolve it? Thanks!

If Zscaler client connector is disabled, then switching between Pulse Secure VPNs works fine …

Miguel - without a packet capture of what is happening I can’t say for sure, but to me this sounds a lot like an issue of the server URL to login to Pulse Secure is going through the Zscaler Cloud when the ZCC is enabled first, or already enabled when Pulse is temporarily disabled and enabled again. There could be several reasons why the Zscaler Cloud blocks that connection (SSL Inspection, source IP address different from the client’s public IP, etc.)

My suggestion would be to determine that server URL that is configured in Pulse Secure and bypass it in a test App Profile and apply it to your test device to confirm this is the issue. The image below is an example of how that would be done by using the Mobile Portal, App Profile, selecting the client type, and editing the Hostname or IP Address Bypass for VPN Gateway. Note: This can also be done in the forwarding profile, or in an associated PAC file to either the App or Fwd Profile depending on your ZCC mobile configuration, but the app profile would provide a quick answer to the question of whether this resolves the issue.

Hi Harris, Thank you for your inputs !
I already tried to bypass some addresses at Hostname or IP Address Bypass for VPN Gateway, but without success. Today, we will do another try by creating a new Forwarding / App Profile as same users use 5 different VPNs (full tunnel and split) every day (very unusual), but we have to find a solution for this.

The idea that they are connecting multiple VPNs makes me wonder if you’re using one of Pulse’s newer SDN offerings that lets users connect to multiple VPN concentrators simultaneously. If so, is there a cloud component to this? Maybe you need to bypass some assets in the Pulse cloud? It may be worth opening a ticket with Pulse support as well to see if they have a list of FQDNs that should also be bypassed.

BTW, you might also want to look at Zscaler’s ZPA service. It’s a nice alternative to traditional VPNs and works very well with ZIA. It uses the same exact client, so you even lessen some agent sprawl. Apologies if this comes across as a sales pitch (because that’s exactly what it is) but I’m a sales engineer. It’s in my nature 🙂

Actually, customer uses VPNs from 3rd party companies that they deliver services, so ZPA is not an option. Thanks for further inputs!

Miguel,

We have users running Pulse Secure VPN to connect to 3rd party clients in full-tunnel mode. It is working fine via Tunnel 1.0, however, when we migrated to Tunnel 2.0, it stopped connecting. We had to rollback to Tunnel 1.0 due to other reasons.

In my testing, machines were running an older version of Pulse Secure 9.1R8. Once you upgrade to 9.1R13 or later, it works without any issues. Both on Tunnel 1.0 and Tunnel 2.0.

Just to add that remote Pulse sites are added to our App PAC to send direct as well as VPN Gateway Bypass.

Great inputs and very useful, we will try to update Pulse Secure client asap. Thanks for sharing the experience!

Hi Raj, for us, upgrading the Pulse Secure client didn’t work and we are still investigating the case. I will post the resolution when found.

After deeper analysis of packet captures, 2 additional URLs needing bypass were identified. After both were added, Pulse Secure VPN stopped having switching problems between Pulse Secure VPNs.
Thank you for all valuable inputs!
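
Added example, not part of any post in this thread: a PAC-style bypass of the kind the replies describe (VPN gateway hosts sent direct), with matching done on label boundaries so that only the listed gateways skip the proxy and look-alike hostnames stay inspected. All hostnames and the default proxy string are constructed placeholders, and `isVpnBypassHost` is a hypothetical helper name.

```javascript
// Constructed placeholder hostnames. Replace with the Pulse Secure gateway
// FQDNs (plus any extra hosts a packet capture shows the client contacting).
var VPN_BYPASS_HOSTS = [
  "vpn1.partner-a.example",     // exact host only
  "vpn2.partner-b.example",     // exact host only
  ".pulse.partner-c.example"    // leading dot: the domain and its subdomains
];

// Placeholder for whatever the existing PAC returns for normal web traffic.
var DEFAULT_ROUTE = "PROXY proxy.placeholder.example:80";

// True only when host equals a listed entry, or sits under a dotted entry.
// Comparison is case-insensitive and ignores a trailing root dot.
function isVpnBypassHost(host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < VPN_BYPASS_HOSTS.length; i++) {
    var entry = VPN_BYPASS_HOSTS[i].toLowerCase();
    if (entry.charAt(0) === ".") {
      // Suffix match that includes the dot, so "notpulse.partner-c.example"
      // does not match ".pulse.partner-c.example".
      if (h === entry.slice(1) || h.slice(-entry.length) === entry) {
        return true;
      }
    } else if (h === entry) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point: listed VPN gateways go direct, everything else
// follows the default route.
function FindProxyForURL(url, host) {
  if (isVpnBypassHost(host)) {
    return "DIRECT";
  }
  return DEFAULT_ROUTE;
}
```

A substring or wildcard match such as `*vpn1.partner-a.example` would also send `evilvpn1.partner-a.example` direct, which is why the list is matched per label.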