FIOS G3100 Router - External VPN Issues
helpme62
Enthusiast - Level 1

I recently "upgraded" to the FIOS G3100 Router from the FIOS Quantum Router (due to a move) and can no longer VPN to my work network. Below is a summary of the issue from my IT department.

Problem: Using an IPSec VPN connection to a Cisco firewall. After authentication, the firewall terminates the connection because the connection appears as a DoS attack. The logs show the following when connecting to the firewall:

2 Apr 06 2020 13:09:15 98.115.x.x x.x.x.x Deny IP teardrop fragment (size = 1480, offset = 0) from 98.115.x.x to x.x.x.x

Basically, the firewall is interpreting the connection as a TearDrop DoS attack.

This works from other ISPs and the previous Fios connection. But under the new connection (and new router) the error occurs.

Any thoughts or advice on how to allow the FIOS G3100 Router to VPN externally would be appreciated.

1 Solution
Cang_Household
Community Leader

Just for your information, the VPN fragmentation issue seems to be fixed in the latest firmware 3.1.0.12.

Users now do not need to use the Ethernet interface in order to connect to a remote IPsec VPN.

29 Replies
Samsa
Newbie

I have only a basic knowledge of networking and recognize you folks are on a higher level, so this suggestion for a workaround might be quite obviously ridiculous. If so, please be kind...

The OP said the VPN works on a wired connection to the Verizon router but not on a wireless connection. Have you tried connecting another wireless router to the Verizon router, turning off DHCP on the second wireless router and turning off both wireless radios on the Verizon router, then connecting wirelessly to the second router? Your laptop would still be getting its IP address from the Verizon router, but this might "fool" the Verizon router into treating your connection through the second router as a "wired" connection, since the second router is literally wired to the Verizon router. 

Cang_Household
Community Leader

Yes. It should work as you described.

Update for the entire thread: a fix is on the way. VPN issue may be resolved in a future firmware update.

SamerN
Newbie

I am having the same exact issue. There must be something off with the firmware of these new routers.

I had both the older G1100 and the G3100 routers on hand at the same time so I was able to connect one router and test then remove it and try the same test with the other without changing anything on my laptop.

With the G1100, all is good. My VPN connects and I can access all the resources on the other network, or simply ping something in my office network.

But when I remove the G1100 and connect the G3100, my VPN still connects, but I just can't access any resources or ping anything in the office network.

For now the only way I can use my VPN is through a wired connection to the G3100 router. But obviously, that's annoying and I can't take my laptop anywhere in the house or VPN from my iPhone 😞

Verizon, please investigate this issue. There must be a bug in the G3100 firmware!!!!

Cang_Household
Community Leader

Hello SamerN.

I want to first mention that G3100 and G1100 are built completely differently by two separate manufacturers on two distinct platforms, so there is no meaningful comparison between the two.

To better assist you, can you tell us what type of VPN are you using? Since you said that the VPN can be connected, I am assuming the key exchange is fine. Have you checked whether your VPN requires static routing entries on G3100?

SamerN
Newbie

My company uses Shrew Soft VPN Client software. Below is some of its config and then the connection screen. Hope the attachment below works this time.

Update: sorry, in screenshot red text at bottom, last sentence, it should say "can't ping any internal..."

Cang_Household
Community Leader

Shrewsoft, hmm.... it is VPN client software that has been EOL and EOS for a couple of years now.

Anyway, when you bring up the tunnel, are you sure that the computer is routing all the traffic to the company router? If you ask Google what's my IP, does it display the company's IP? From my understanding of Shrewsoft and VPN, without tunnel splitting, all traffic is sent through the virtual adapter, encapsulated for security, and sent over the computer's actual adapter to G3100, then over the broadband to your company's VPN router. Your company's router would decapsulate the packet and decide to forward the packet to the internal LAN or to external resources.

I am thinking the tunnel is not even brought up yet. This could be G3100 blocking the NAT-Traversal by default. You might want to view G3100's Firewall Log to see any alerts. To further troubleshoot, do you know how to use SSH?

Also, who set up the Shrewsoft in the first place? I know its interface is a little tricky. Did you set it up?

SamerN
Newbie

No, my VPN is tunnel splitting. Google's What's my IP gives me the public IP of my router, not my company's router (while the VPN tunnel is connected). Don't forget that the VPN works perfectly fine if I use a wired connection between my computer and the G3100. The VPN doesn't work when I use Wifi between my computer and the G3100, yet VPN over Wifi worked fine with the G1100.

The VPN Shrewsoft file is set up by my company and everyone I work with uses the same file, and it's the same file I used before with the G1100 and the same file with the G3100 over a wired line.

I have a good understanding of networking. I used to be a network admin many many years ago and I am now in software and develop on a Linux appliance. So, yes, I know the fundamentals of routing and VPNs, just been out of the game for a long time so I am not familiar with all the latest details of VPNs. I know how to SSH, but wouldn't know what/where to go on the router to diagnose it. I just tried to ssh to the router and the connection was refused.

I checked the Firewall logs from the router GUI (thanks for the tip) and found these interesting two lines at the time of logging into the VPN wirelessly. These lines aren't there when I log into the VPN with a wired connection:

2021 May 24 21:58:48kernelwarning[FW] block fragment from 192.168.1.172 to <my work IP> protocol UDP source port 36070 dest port 20973
2021 May 24 21:58:48kernelwarning[FW] detect defragment error from 192.168.1.172 to <my work IP> protocol UDP source port 36070 dest port 20973

In the above, the 192.168.1.172 is my computer that I am trying to log in to the VPN with and the destination IP (which I removed) is the IP in the Shrewsoft config (i.e. my office's router). Hope that this gives a clue.

Thanks for the help

Cang_Household
Community Leader

G3100 does come with a better firewall than G1100. Probably this time the firewall is overzealous and drops legitimate packets.

Since you are using split tunneling, I doubt Googling what's my ip would go through the VPN, so this test is meaningless in hindsight. When you have the tunnel showing "up" and trace route a resource in the internal network, what do you see? If the VPN is in fact "up," the trace route should only display the IP address of the said resource, unless your company has layer 3 devices other than the VPN router in the network.

The logs you found are Firewall warning messages. It complains about a defragmentation error, which is indicative of MTU mismatches on interfaces. I see you set your Shrewsoft virtual interface's MTU to 1380, which is smaller than 1500 to account for ESP headers. You might want to double check the router's and your computer's wireless interfaces' MTUs. Make sure they are set to either automatic or 1500 when in doubt.

G3100 does have a different wireless controller than G1100, which might be causing the issue. I might need to ask Verizon engineering for further clues.

Also, can you try to mess around with G3100's wireless settings to see? Try 802.11ac only on 5GHz and 802.11n on 2.4GHz. Is your device 802.11ax capable?
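An added example, not from this thread or from Verizon, that does two things discussed above: it parses the G3100 `[FW]` fragment warnings SamerN quoted into structured events and counts them per flow so a repeatedly dropped VPN endpoint stands out, and it works the MTU arithmetic Cang_Household describes (how much of a 1500-byte link MTU is left for an inner packet once ESP tunnel-mode and UDP NAT-T overhead are added). The log lines are constructed to match the quoted format with a placeholder work IP; the ESP overhead figures (16-byte IV, 16-byte ICV, 16-byte cipher block) are assumed typical values, not numbers from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, matching the format of the lines quoted in the thread.
# 203.0.113.10 is a documentation-range placeholder for the work IP.
SAMPLE_LOG = """\
2021 May 24 21:58:48kernelwarning[FW] block fragment from 192.168.1.172 to 203.0.113.10 protocol UDP source port 36070 dest port 20973
2021 May 24 21:58:48kernelwarning[FW] detect defragment error from 192.168.1.172 to 203.0.113.10 protocol UDP source port 36070 dest port 20973
2021 May 24 21:59:01kernelwarning[FW] block fragment from 192.168.1.172 to 203.0.113.10 protocol UDP source port 36070 dest port 20973
2021 May 24 21:59:05kernelwarning[FW] something unrelated
"""

# Timestamp, facility and severity are run together in the G3100 export.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})kernelwarning\[FW\] "
    r"(?P<event>block fragment|detect defragment error) "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) protocol (?P<proto>\w+) "
    r"source port (?P<sport>\d+) dest port (?P<dport>\d+)$"
)

@dataclass(frozen=True)
class FwEvent:
    ts: str; event: str; src: str; dst: str; proto: str; sport: int; dport: int

def parse_fw_log(text):
    """Return the fragment-related [FW] warnings; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(FwEvent(d["ts"], d["event"], d["src"], d["dst"],
                                  d["proto"], int(d["sport"]), int(d["dport"])))
    return events

def fragment_drops_by_flow(events):
    """Count warnings per (src, dst, proto, dport): a VPN gateway that keeps
    tripping the fragment check shows up as one hot key."""
    counts = {}
    for e in events:
        key = (e.src, e.dst, e.proto, e.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts

IPV4_HDR, UDP_HDR, ESP_SPI_SEQ = 20, 8, 8  # outer IP, NAT-T UDP, ESP SPI+seq

def max_inner_size(mtu=1500, nat_t=True, iv_len=16, icv_len=16, block=16):
    """Largest inner packet that still fits the link MTU after ESP tunnel-mode
    encapsulation (assumed AES-CBC-style IV/ICV/block sizes). ESP pads so that
    inner + pad + 2 trailer bytes is a multiple of the cipher block."""
    overhead = IPV4_HDR + ESP_SPI_SEQ + iv_len + 2 + icv_len + (UDP_HDR if nat_t else 0)
    room = mtu - overhead
    return room - ((room + 2) % block)

def fits_without_fragmenting(inner_len, mtu=1500, nat_t=True):
    """True if a packet of inner_len bytes can be sent without IP fragmentation."""
    return inner_len <= max_inner_size(mtu, nat_t)
```

With the assumed overhead a 1380-byte tunnel MTU has ample headroom, while a 1480-byte packet does not fit and will be fragmented, which is the condition the firewall warnings above describe.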

SamerN
Newbie

My PC's NIC is Intel® Dual Band Wireless-AC 8260. So it doesn't do ax. The G3100 lets me only set the wifi to Compatibility Mode, which includes ax, or Legacy Mode, which doesn't include ax. I tried Legacy mode and it didn't help.

Also yesterday I tried changing the MTU in the Shrewsoft config down to 1000 from 1380. Didn't make a difference. I changed the G3100 MTU from Automatic to 1500. No help. Not sure where I can play with the MTU setting on my device's adapter.

Just to make matters more interesting. I have 3 offices in my Shrewsoft I can connect to. All use the same exact configuration (except for the IP of that office). 1 out of the 3 works without issues while I am on Wifi, but that's the one I don't normally connect to since it's international.

Here is a screen shot of trace routes showing the difference when on wifi vs wired.

Cang_Household
Community Leader

The tracert to the office resource shows the tunnel is not really "up." Since your MTUs are set to automatic, just leave them as automatic for now. Can you replicate the Shrewsoft settings onto your phone's built-in VPN? I just want to see whether you can use phone over WiFi to connect. You might need to download some ping and tracert utilities. I will take your observation to Verizon engineering for some insights.

SamerN
Newbie

I am not sure what you mean by this (The tracert to the office resource shows the tunnel is not really "up.")?

Both tracerts are to the office. The one over the wired connection completes and the other over Wifi times out. Are you referring to the second one? In both cases, the Shrewsoft client says tunnel enabled.

Unfortunately, I have an iPhone and have tried to set it up with VPN in the past to those two offices that aren't working now, and it couldn't be done, so I can't test that 😞 For what it's worth, I have a laptop already configured with Shrewsoft that was also working fine before and now has the same issue. The laptop doesn't have wired Ethernet (unless I get a dock) so I can't use it for work right now.

Cang_Household
Community Leader

Hello again, I attempted to use the iPhone's native IPsec client to connect to my test VPN behind a G3100 via WiFi, and it failed as well. I am contacting Verizon engineering for insights.

Cang_Household
Community Leader

I have sent you a private message, please check. You can access your private message box by clicking on your account name on the right hand side of the page, and then click the mail icon on the pop up menu. Thanks.

lastofko
Newbie

What is the solution?

Cang_Household
Community Leader

Hello lastofko,

I have brought this issue to Verizon engineering and they are looking for causes and solutions.

The current workaround is to connect an Ethernet cable between the G3100 and the computer. The internal resources on the other end seem to be accessible this way.

What do you see in G3100's log when you are having VPN problems? Defragmentation error?

bulls23ant
Newbie

Hi, has any resolution been found for this issue since the last comment? I am having exactly the same issue the original poster had, which is that I'm unable to establish a VPN connection with my office. I'm using Shrew VPN and the settings are identical to the screenshots he posted, changing the hostname where I'm connecting to. I keep getting the same error over and over again in the firewall logs:

https://drive.google.com/file/d/18ZSpR21YjIg0ZOZkccGaPsPKSBjRv4jY/view?usp=sharing

The ports change so I can't really forward them. I have forwarded all of the recommended ports I have found while searching posts in this forum of people with the same issue.

I can't hardwire into the router because of the layout of my house so my current workaround is to temporarily place my laptop on the DMZ, connect, upload-download what I need and then take my computer out of the DMZ. It's 5 min at most but it's still not great. Luckily I don't have to be connected constantly. Any help will be appreciated.

Cang_Household
Community Leader

Sorry, I don't have further suggestions. The defragmentation error via WiFi interfaces is now a known error, as multiple users have reported it.

glump23
Newbie

I'm having the same issue, except that it works on wireless (with the firewall set to low) and doesn't work when I'm hardwired.
Riplead
Newbie

Hi! I'm having the exact same issue. Were you able to get this resolved?

Thanks,

John
