Skip to main content

I'm having issues connecting to my work network over vpn which was supposed to be fixed with this version of the firmware. My vpn client is Anyconnect Secure Mobility Client if that helps you to identify the problem. 

 

*Admin: eigen topic voor je vraag aangemaakt

Hi @emre gultekin . Our modems don't actively block VPN so it's most likely an issue with your settings.

What does your system administrator say? 


The Cisco AnyConnect Secure Mobility Cliënt is one of the hardest VPN cliënts to troubleshoot. We used to use Cisco AnyConnect as well but we stopped due to two reasons…

  • License costs.
  • Lot of troubles in maintenance and usage.

On what type of machine are you running the client and which OS and version runs on that machine?


Hi @Erwin_ , I have not contacted them yet because when I try the same connection on the tethered network from my mobile phone Anyconnect client connects successfully. The VPN server uses a self signed certificate however and in both of these attempts I need to disable the untrusted server blocking feature in the VPN client to be able to connect. 


The Cisco AnyConnect Secure Mobility Client is one of the hardest VPN clients to troubleshoot. We used to use Cisco AnyConnect as well but we stopped due to two reasons…

  • License costs.
  • Lot of troubles in maintenance and usage.

On what type of machine are you running the client and which OS and version runs on that machine?

Hi @wjb I can't say that I am an expert in network diagnostics but I agree with you that it does not help much. I could not see a proper log on the client side more than what I see on the gui itself. I use the 4.7 version of anyconnect to connect on a macbook pro running the macos mojave edition. I also tried with no success with the same version of VPN client on a Windows 10. 


I wish I had the knowledge to help you with this. All I can say with certainty is that the experiabox doesn't interfere.  Exception is the ‘buitengebied’ proposition where you use a v10 or v10a with an extra 4g modem. This combination can cause issues in combination with vpn.

@wjb may have a usefull suggetion and otherwise my advise would be to take this up with your sysadmin. 

 

Is there an alternative for the client you are using? 

 


Since you encounter this problem on two different machines and even with different operating systems the chance that the cause is the client itself is quite slim.

Have you ever been able to setup a VPN connection from home?

Would it be possible for you to test what happens if you connect one of those machines to the wifi hotspot of your phone and setup a VPN connection while connected to the phone.

Does that work?

 


Since you encounter this problem on two different machines and even with different operating systems the chance that the cause is the client itself is quite slim.

Have you ever been able to setup a VPN connection from home?

Would it be possible for you to test what happens if you connect one of those machines to the wifi hotspot of your phone and setup a VPN connection while connected to the phone.

Does that work?

 

Setting up a VPN connection seems to be basically the same for this VPN client as it consists of a single step, putting the IP adress of the server in and pushing the connect button. This works if I try it with the mobile hotspot and fails if the Windows or the Mac computer connects through the Kpn home network. 

Your question about if I ever had a succesful VPN connection from the same home network reminded me my second Windows 10 laptop which I occasionally use and could successfully connect with an AnyConnect client (I don't remember the version unfortunately). The major differences in that case are first I don't have admin privileges on that machine and second the VPN server ip that I use for connection is something else. 

I am totally puzzled now, the network I use for making the connection could not be the reason since I can connect with a separate machine to another vpn server using the same network but it could also be as well since I can connect to the problematic vpn server only by using the hotspot instead of home network. 

@wjb Do you think the self signed certificates used by the  problematic vpn server could anyway result in such a weird behavior? 

 @Erwin_ and @wjb I would like to thank both of you for taking your time, I really appreciate that. 

 


This works if I try it with the mobile hotspot and fails if the Windows or the Mac computer connects through the Kpn home network. 

So you can setup the VPN connection when your computer is connected through the the hotspot of your phone.

This reduces the amount of possible causes and it seems that there is no problem with the client configuration and certificates.

Do you know which subnet is used by your employer?

Is this the same subnet as the local subnet of your Experia Box (192.168.2.0/24)?

Is IPv6 active on your Experia Box?

If yes, what happens if you turn IPv6 off on your Experia Box or computer?

Can you ping the IP address (or URL) of the VPN server you connect to?


This works if I try it with the mobile hotspot and fails if the Windows or the Mac computer connects through the Kpn home network. 

So you can setup the VPN connection when your computer is connected through the the hotspot of your phone.

 

Yes, exactly.

This reduces the amount of possible causes and it seems that there is no problem with the client configuration and certificates.

Do you know which subnet is used by your employer?

After connecting successfully with the hotspot of my phone, I could check the subnet. It is not as the 192.168.2.x but rather look like 10.1.255.x

Is this the same subnet as the local subnet of your Experia Box (192.168.2.0/24)?

Is IPv6 active on your Experia Box?

No, I see that it is set to ‘Disabled’ which I suppose is the default value.

If yes, what happens if you turn IPv6 off on your Experia Box or computer?

Can you ping the IP address (or URL) of the VPN server you connect to?

Yes, I can ping in all configurations. Actually, anyconnect could receive the server certificate as well while connecting on my home network. It warns me that the certificate is self signed and asks if I would like to connect anyway. When I click on ‘Connect Anyway’ button, it stucks for about 2 minutes and turns back to the establish connection state where the IP of the server is displayed in a combobox next to the ‘Connect’ button. If I use the mobile hotspot, it suddenly connects after clicking on ‘Connect Anyway’.

By the way, one of the things that I noticed about the connection from home network through the Wireshark logs is the communication of a sequence of TCP Dup ACK and Retransmission packets. When I searched for these packets, I found the following link from Cisco site which points to a recent bug in a specific version of the firewall. I don’t have a service contract so I could not see the whole bug details and I also don’t know whether the firewall being used is the same version as the bug record but I started suspecting the communication stops due to corrupt packets delivered by the  buggy firewall.

Here is the link if you would like to have a look. The bug report indicates that configurations which uses a modem is some other setup that the bug occurs.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCud57196

Thanks again for tracing the problem with me so far.  


So, the subnet differs and that is good, another possible cause gone.

And IPv6 is disabled so that doesn't affect the VPN connection as well.

You can ping the VPN server so there is no routing issue.

In other words all lights seem to be green.

The bug you refer to would mean that your Internet connection is very slow.

Is that also the case?

I think you should discuss this with the IT guys from your employer.

Unfortunately I am running out of options. :sweat:


So, the subnet differs and that is good, another possible cause gone.

And IPv6 is disabled so that doesn't affect the VPN connection as well.

You can ping the VPN server so there is no routing issue.

In other words all lights seem to be green.

The bug you refer to would mean that your Internet connection is very slow.

Is that also the case?

Not really, I don’t have problems by means of speed with my home network connection so far.

I think you should discuss this with the IT guys from your employer.

I already created a ticket for them to check the configuration. However, I’m not very optimistic since I know other colleagues that can connect from their home network with providers other than KPN. I have to admit also that I am not aware of any other colleague having this problem with KPN.

Unfortunately I am running out of options. :sweat:

No worries, you have already eliminated lots of possible causes. It is a weird case anyway.


For those who might find this thread while troubleshooting a similar issue, a workaround could be decreasing the MTU size in the network adapter settings. When I set the MTU size to 1450 instead of 1500 on my Wi-Fi adapter, Anyconnect client succeeded connecting to the VPN server.