mifi - cisco ipsec vpn connection blocked once connected
Enthusiast - Level 2

Has anyone noticed any changes about a week ago now? I have a user who can connect to our VPN, but once he is on the VPN he can no longer do anything. It is like Verizon is blocking everything on his MiFi once the encrypted connection is made.

I know it is a MiFi issue because he can disconnect, plug into the hotel network, and get right on and do what he needs.

10 Replies
Champion - Level 1

This is the first complaint that I have heard about the MiFi/VZW blocking VPN content.  From my experience I have noticed that IPSec VPNs tend to get blocked more often than SSL VPNs.  Perhaps you could have your customer try to connect with the Cisco AnyConnect SSL VPN instead to compare?

It's also strange that the user would be allowed to complete the tunnel if all the communication is getting blocked.  Normally if VZW was going to block the content it would be blocked before the VPN connection was made and not after.  Can you provide some examples of work that your customer is trying to do while connected?  If it's only work through a browser then perhaps the proxy settings may be corrupted on that particular browser.  Have the customer try a different browser or recreate the work or similar work while disconnected from the VPN and compare.

One final thought would be that the problem is location specific.  Have the customer try to VPN connect in a different location and look for any consistencies.

Enthusiast - Level 2

At first we did think it was location specific since he was on the road, but when he got back home he had the same issue.

Also, this affects more than one service, and I can watch the VPN connection and basically no data is being transferred; rx or tx stays at 0 bytes.

AnyConnect is not an option right now.

Enthusiast - Level 2

The resolution when monitoring this traffic from my ASA with a Cisco tech is that on his side the ESP protocol is being blocked.  UDP is open, which is why he can make the connection, but once he is connected all ESP traffic is dropped on his end.

Champion - Level 1

Bringing in the Cisco Tech was a good idea.  Now we have something solid to work with.

Since you have evidence that this MiFi is blocking specific traffic then it is up to VZW to correct the problem.  First I would try restoring the defaults on the MiFi in case it is a simple configuration problem that has gotten in the way.  If you are still having issues beyond that then I would contact VZW support for a replacement device under warranty.

A great way to pin VZW support would be to grab another MiFi and prove that your VPN tunnel works just fine.  The MiFi should not be blocking this type of traffic and I don't know how a user would be able to configure such a change even by accident.  Most of the routing and forwarding options are ineffective anyways due to the SIM card network.

Enthusiast - Level 2

OK, here is where the fun begins:

Discussion with Verizon:

First suggestion: there is a known issue where you must set wireless to use 802.11g or b.  We already did this like a year ago but asked the user to verify it is still set.

Second suggestion is to upgrade the firmware, as the device is two versions behind.

Here is the kicker.  Verizon will NOT in any way analyze the traffic to see where the issue is.  They could easily tell this.  So if the above two recommendations do nothing we have no choice but to leave Verizon.  They will not further investigate this, period.  I argued this with advanced network support for about an hour.

Also to note, the device is no longer under warranty, I believe.  So Verizon can manage the network but will NOT ever investigate if their management is causing customer issues.

Champion - Level 1

Those responses from VZW support are typical.  Very rarely will you get a 1st or 2nd level tech that will go beyond the basic troubleshooting steps or understand what they are supposed to resolve by applying them.

Regardless, the important thing is that you call in the problem and get it documented.  That way you can use it as leverage for early termination if you are not satisfied with the results.  VZW has been noted to discount the months where the service has gone bad in some scenarios.

Unfortunately in your case VZW is hiding behind the "out of warranty" excuse.  They almost certainly do have engineers who can do what you want them to, but they also have the right to decline to do so too.  You will have to evaluate what will be cheaper to you in the end, early term or ride out the contract.  Early Term Fees are 175.00 last time I checked.

Enthusiast - Level 2

Well, I have no idea what level of tech I got, as he was not the original tech; I pushed him to get someone qualified.  Either way, this guy did not seem very smart because he kept saying we can't monitor VPN traffic.  I had to state multiple times: I'm not asking you to look at the contents, but look at the packets for the ESP protocol and determine what is going on where.

Well, term fees or not, it really does not matter; if this does not fix the issue the device is useless.  This device is for one reason only, basically, and that is so this sales person can always get a connection to our network.

Champion - Level 1

Keep us posted either way.  It will be helpful to look back upon this thread in case it happens to someone else in the future.

Considering all that has been shared so far it sounds like a defective MiFi to me.  We would know for sure if you swapped the SIM with another MiFi and were able to recreate the problem.  Since you are out of warranty it will cost you at least 100.00 to get a new/refurb device to your user should you choose to stick with VZW.

Enthusiast - Level 2

He can connect to the VPN but packets never transmit.

So we have ruled out the laptop by sending out a new one with a fresh build.

We have ruled out the account by testing with a different account.

We have ruled out the permissions by having him test with admin permissions.

We have ruled out the device by getting a replacement MiFi.

We have ruled out the SIM card for the device by trying with his wife's USB device with a different SIM card.

And the final conclusion...

We had a problem with another user, unrelated and not even the same type of issue.  Fixing that issue fixed our Verizon user's issue.

Basically, Verizon connections now require NAT-traversal to be enabled.  Enabling this in our ASA fixed the ESP communication problem.
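
The symptom and fix reported in this thread, as an added example that is not part of any poster's reply and is not Cisco or Verizon code: a Python classifier that separates native ESP (IP protocol 50) from NAT-T traffic (ESP wrapped in UDP/4500, RFC 3948) in a gateway-side capture and flags the "IKE completes, ESP never arrives" pattern. The addresses, ports, packet bytes and function names are constructed for illustration.

```python
import struct
from collections import Counter

GW, PEER = "203.0.113.10", "198.51.100.77"    # constructed RFC 5737 addresses

def ip4(a):
    return bytes(int(o) for o in a.split("."))

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, ip4(src), ip4(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Label one IPv4 packet by its role in an IPsec session."""
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == 50:
        return "esp"                  # native ESP: IP protocol 50, no ports
    if pkt[9] != 17:
        return "other"
    ports, data = struct.unpack("!HH", body[:4]), body[8:]
    if 500 in ports:
        return "ike"
    if 4500 not in ports:
        return "other"
    if data == b"\xff":
        return "natt-keepalive"       # RFC 3948 one-byte keepalive
    if data[:4] == b"\x00" * 4:
        return "ike-natt"             # non-ESP marker, then the IKE message
    return "esp-in-udp"               # ESP wrapped in UDP/4500

def diagnose(capture, gateway=GW):
    """Summarise packets captured on the gateway's outside interface."""
    seen = Counter((classify(p), "out" if p[12:16] == ip4(gateway) else "in")
                   for p in capture)
    if seen["esp-in-udp", "in"] and seen["esp-in-udp", "out"]:
        return "nat-t-active"
    if seen["ike", "in"] and seen["ike", "out"] and not seen["esp", "in"]:
        return "native-esp-not-arriving"
    return "inconclusive"

ESP = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, data
IKE = b"\x11" * 8 + b"\x00" * 20                                # stand-in IKE bytes
BROKEN = [ipv4(PEER, GW, 17, udp(31500, 500, IKE)),             # constructed capture
          ipv4(GW, PEER, 17, udp(500, 31500, IKE)), ipv4(GW, PEER, 50, ESP)]
FIXED = BROKEN[:2] + [ipv4(PEER, GW, 17, udp(31501, 4500, b"\x00" * 4 + IKE)),
                      ipv4(PEER, GW, 17, udp(31501, 4500, ESP)),
                      ipv4(GW, PEER, 17, udp(4500, 31501, ESP)),
                      ipv4(PEER, GW, 17, udp(31501, 4500, b"\xff"))]
```

`diagnose(BROKEN)` reports the pattern seen before NAT-traversal was enabled, and `diagnose(FIXED)` reports the UDP-encapsulated tunnel seen afterwards.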

Champion - Level 1

Great feedback, thanks for sharing what you have learned!  I'm glad to hear you got it working.
