Problem with Global Protect VPN (connection to my workplace)

andrewgallagher
Hooked
Posts: 7
Thanks: 2
Registered: ‎11-09-2020

Problem with Global Protect VPN (connection to my workplace)

Hi,

 

Been having an ongoing problem connecting to my workplace VPN for several months now. The connection is highly unstable, or impossible at times. Been working around it by tethering to my mobile which works perfectly, if a little slow, but it's becoming impossible now as I need to be connected to the VPN more and more.

 

The VPN software is Global Protect. I've spoken to my IT team at length, as well as PlusNet tech support, and neither understand what the problem could be. I've tried a new VDSL modem, a new router and connecting via ethernet, none making any difference.

 

Any help appreciated!

 

Andrew

 

 

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Problem with Global Protect VPN (connection to my workplace)

You need to identify the cause of the problem.

Buying different hardware is just guessing.

For example, have you tried connecting via the VPN to a few well known web sites at these difficult times?

Perhaps the VPN becomes "over-loaded" - so you could try a speedtest over it.

 

"In The Beginning Was The Word, And The Word Was Aardvark."

RichardB
Seasoned Champion
Posts: 1,045
Thanks: 352
Fixes: 39
Registered: ‎19-11-2008

Re: Problem with Global Protect VPN (connection to my workplace)

Hi

Have you checked the Plusnet firewall settings?

https://www.plus.net/member-centre/broadband/firewall

You will need to login to your account and after making any changes, drop and reconnect the PPP connection to Plusnet.

The easy way to do the latter is to reboot the router.

Regards

Richard

andrewgallagher
Hooked
Posts: 7
Thanks: 2
Registered: ‎11-09-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Thanks Richard,

 

Firewall is set to "off". Was actually surprised to see this, as I would have expected "low" to be the default, but don't think this is the problem.

 

Andrew

andrewgallagher
Hooked
Posts: 7
Thanks: 2
Registered: ‎11-09-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Hi VileReynard,

 

I've done quite a lot to try to identify the problem, and the new hardware was at the recommendation of one of the Plusnet tech support analysts that I spoke to on the phone.

 

  • My connection to standard web pages is fine. I can load public pages as normal.
  • The cause does not appear to be my physical laptop as a work colleague has also attempted to connect to our VPN using my broadband and cannot connect, but can connect elsewhere.
  • I can tether to my mobile phone, or use my neighbour's Virgin broadband and both methods give a flawless connection to my VPN.
  • It also doesn't appear to be a wifi issue as I've tried multiple channels, 2.5 and 5GHz connections and also connected via ethernet cable, all with the same result - not able to connect to the VPN.
  • I've worked with my IT department to change the adapter settings, do a DNS flush and attempted to connect to alternative servers.
  • I've run a ping for 15 mins to see if my connection is dropping and it is not, and this has also been confirmed by Plusnet tech support.

 

My work IT department are quite adamant that there is a problem accessing the VPN server via the Plusnet network, and that there is a server setting that is incompatible with Global Protect VPN software, or that access to VPN is blocked.

 

Plusnet tech support (multiple different advisors) are advising me over the phone that they "do not support VPN access", which if true means that after 6 years as a plusnet customer (where this has worked for years!) they are no longer delivering the basic service I need to do my job and I'll need to find a new ISP. I'm also in a contract for another 10 months as I upgraded my line speed at the start of lockdown.

 

From browsing this forum I understand that other users have had this issue connecting to workplace VPNs and it has been rectified by Plusnet staff on this forum, but nobody that I speak to in phone support knows how to do this.

 

For now I'm going to try directly messaging the guys who seem to have come up with solutions in the past, but would appreciate it if anyone has any advice on tackling this.

 

Thanks,

 

Andrew

 

 

 

tpw
Newbie
Posts: 4
Registered: ‎05-10-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Did you get this sorted? I'm having similar problems.

oddbloke
Newbie
Posts: 4
Registered: ‎06-10-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Hi,

I'm having an identical problem. My current setup:

I've installed GlobalProtect VPN software on my work PC, plus the certificates. GlobalProtect software says I'm connected, but then very little traffic gets through. (When pinging a known address, maybe 90% of the pings will fail.)


So as to eliminate other possibilities, I have replaced the network card in the PC, I have changed LAN cables, and a new modem is on its way "just in case". But what is most telling is that I drove my work PC round to my parents (about 20 miles away) to test on their broadband connection, AND IT WORKED CORRECTLY.

 

Whilst it *could* be my modem ... any traffic that does not go via the VPN is perfect. Netflix, Youtube, websites ... no problem at all. The modem is less than a year old, and I've temporarily replaced the PSU just in case that is failing. And the company I'm connecting to has over 500 employees working from home, and they're all fine. So I really don't think it's a problem with the office, and it's exceedingly unlikely it's my modem.

It's worth noting: I've had a static IP address for the entire time I've been a Plusnet customer (many years now). I see multiple other threads on this forum about problems with some IP address ranges. So I'd be interested in knowing whether my IP address could be in a "problem" range.

I was cut off from the customer support line twice last night whilst on hold, and I couldn't even get in the queue this morning. So I'm finding it difficult to find anyone to speak to, and I've so-far lost about 4 days work.

ChrisWoods
Rising Star
Posts: 55
Thanks: 2
Fixes: 1
Registered: ‎11-08-2015

Re: Problem with Global Protect VPN (connection to my workplace)

What routers are you using? (all affected people) And do you know what protocol and type of VPN you are establishing? SSL? IPSec? GlobalConnect protocol or other? Which version of PAN-OS is your workplace using? I did note a known issue with older versions of PAN-OS on certain firewalls where traffic stopped flowing, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClX3CAK

 

You need to get your IT department to offer you an alternative VPN solution and see if that works successfully to your on-premises' VPN endpoints. If, for example, an AnyConnect, OpenSSL, f5 or Zscaler link works, it's something specific to your organisation's configuration of their GlobalProtect deployment. If it affects all VPN connections equally, it's more than likely an issue with the Plusnet router software. Consider buying an alternative modem/router which works on Plusnet with VDSL and try that instead of the Plusnet hub.

oddbloke
Newbie
Posts: 4
Registered: ‎06-10-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Hi Chris,

Many thanks for your reply!

We are using PAN OS version 9.14 (much later than the bug described in that link) and GlobalProtect agent 5.1.1. The protocol we are using is IPSec.

I'm not using the Plusnet modem. I'm using a Netgear DM200 which is only six months old. It has absolutely no non-standard settings poked into it other than my ADSL login. There is no traffic shaping or port remapping.

The company I work for has successfully moved their 500+ staff to remote working during the pandemic. So you can imagine how well the suggestion will go that they should implement a new VPN method, just for me.

Sorry if I sound a bit shirty, but your forums have quite a number of complaints about VPN not working, only certain IP address ranges being affected, etc. My complaint is not a new one. As I'm a static-IP customer, such problems are going to affect me 0% or 100% of the time. Could we experiment with giving me a different IP? It'll be a bit of a pain for me to get my address changed with the companies that rely on my static IP address, but that's doable.

ChrisWoods
Rising Star
Posts: 55
Thanks: 2
Fixes: 1
Registered: ‎11-08-2015

Re: Problem with Global Protect VPN (connection to my workplace)

To clarify, I'm not Plusnet staff, just another customer. I doubt it's anything to do with IP ranges, I had dynamic then static for many years, no ill effects for VPNs.

 

VPNs encapsulate traffic and expect a standardised packet size (the oversimplified answer is usually a 1500 MTU and MRU for DSL, cable and most standard internet traffic). IPSec encapsulation adds 73 bytes to your traffic.

 

I've not used Netgear home kit for a while but I remembered something about the MTU default being too high (thus fragmenting outbound packets) - check your device's MTU and MRU settings. In some cases they may be 1492, if so reduce them to 1472.

Quick way to test is by first pinging something while not VPNed, e.g.

ping 8.8.8.8 -f -l 1472

That should return ping responses. Increment to 1473 and you should instead see "Packet needs to be fragmented by DF set."

Establish the VPN, and ping a known server (your DNS/DHCP/AD server or fileserver), first with 1472 then 1473. See what happens.

Check the MTU being set by the VPN virtual adapter, if you can. It should be much lower, in the order of 1436 or even 1400.

 

If that all seems to check out, try both tests again with a 1472 packet size on the Netgear. If it doesn't echo back, your VPN encapsulated traffic is being fragmented.

 

You're not the first person to report problems with the DM200 and IPSec VPNs -

Unfortunately if that doesn't fix it, it may be a bug in the DM200 firmware. Checked you're running latest available FW?

7up
Community Veteran
Posts: 15,855
Thanks: 1,602
Fixes: 18
Registered: ‎01-08-2007

Re: Problem with Global Protect VPN (connection to my workplace)

Well plusnet do carry VPN traffic - I have my PC setup as a vpn server and can get into it from my phone. It's the older MS VPN though not one of those 3rd party protocols. Unfortunately i doubt the vpn servers you are trying to access will let you use the windows vpn client to connect.

I think it's time to tag @bobpullen and see if he can shed some light on this issue. An ISP needs to be able to provide connectivity in the age of connectivity. If plusnet can't or won't then they need to say something about it.

We've had issues come up previously that looked like plusnet was deliberately blocking traffic. Bob got involved and sorted it - can't remember what it was but i think it was something to do with certain IP ranges.

I did last year have an issue myself though with my vpn where i could connect to my PC and access all my files but couldn't use the internet through it - i was a couple of hundred miles up north at the time too so the vpn packets were travelling quite a long distance. Never did get to the bottom of that and had no netbook with me to use rdp to login properly but it did leave me wondering if there was something in the phone network somewhere playing up.

I need a new signature... i'm bored of the old one!
oddbloke
Newbie
Posts: 4
Registered: ‎06-10-2020

Re: Problem with Global Protect VPN (connection to my workplace)

So ... I think I might have fixed it. By replacing the modem. Gaaaaaaaaaah!

I haven't had the modem long, and it's still supported by Netgear. As part of debugging this problem, I hard-reset it, then flashed it to the latest firmware, then just put my Plusnet name and password in ... left everything else set as standard. No difference. And it has behaved flawlessly so far for ordinary domestic Internet use, and still continued to work for domestic stuff even when the VPN connection was failing.

But just for "fun" I've just replaced it with a new DrayTek modem, and ... kapow! I've just connected to work, and transferred a 3GB file with no problems at all!

So thanks everyone for your support and getting back to me, but it looks like the fault was with my hardware all along! I'm very sorry to waste all your time!

ChrisWoods
Rising Star
Posts: 55
Thanks: 2
Fixes: 1
Registered: ‎11-08-2015

Re: Problem with Global Protect VPN (connection to my workplace)

Sorry, I posted a reply yesterday which would have helped you - but the PN forum software helpfully considered it as spam and hid it from public view (I've requested it be unblocked).

I'll edit this post once it's restored - meanwhile it read as follows (without useful links, which is what I think caused the filter to trip):

 

To clarify, I'm not Plusnet staff, just another customer. I doubt it's anything to do with IP ranges, I had dynamic then static for many years, no ill effects for VPNs.

 

VPNs encapsulate traffic and expect a standardised packet size (the oversimplified answer is usually a 1500 MTU and MRU for DSL, cable and most standard internet traffic). IPSec encapsulation adds 73 bytes to your traffic.

 

I've not used Netgear home kit for a while but I remembered something about the MTU default being too high (thus fragmenting outbound packets) - check your device's MTU and MRU settings. In some cases they may be 1492, if so reduce them to 1472.

Quick way to test is by first pinging something while not VPNed, e.g.

ping 8.8.8.8 -f -l 1472

That should return ping responses. Increment to 1473 and you should instead see "Packet needs to be fragmented by DF set."

Establish the VPN, and ping a known server (your DNS/DHCP/AD server or fileserver), first with 1472 then 1473. See what happens.

Check the MTU being set by the VPN virtual adapter, if you can. For many it may often be much lower, in the order of 1436 or even 1400, however your adapter may be trying to force a 'standard' MTU which is being fragmented during encapsulation.

 

If that all looks correct as expected, if tests with a 1472 packet size through the Netgear don't echo back, your VPN encapsulated traffic is either being incorrectly fragmented by the DM200 using the wrong MTU, or it's mangling / losing VPN packets.

 

You're not the first person to report problems with the DM200 and IPSec VPNs - one discussion elsewhere suggests forwarding port UDP 500 for IPSec and enabling ICMP reply to WAN echos ("Respond to Ping on Internet Port") and you should locate and disable any Netgear firewall or traffic filtering.

 

Failing that, it's likely a bug in the DM200 firmware which an update may solve... If there is one. Probably worth using another Plusnet VDSL-compatible device -- as you've found.

dvorak
Moderator
Moderator
Posts: 29,716
Thanks: 6,593
Fixes: 1,485
Registered: ‎11-01-2008

Re: Problem with Global Protect VPN (connection to my workplace)


Moderators Note


Post released from spam filter. 

Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
andrewgallagher
Hooked
Posts: 7
Thanks: 2
Registered: ‎11-09-2020

Re: Problem with Global Protect VPN (connection to my workplace)

Thanks ChrisWoods,

 

Been PMing @bobpullen to try to resolve my issues. Have tried connecting using a Netgear DM200 and also the standard Plusnet box, still having trouble connecting. I've also tried a different computer from work, same issue.

 

I've requested some more info from my work IT team:

 - Our VPN protocol (I think it's PAN-OS)

 - To check if my static IP with plusnet is blocked in any way (I would be surprised if this was the case as I can connect to the VPN intermittently, but can't retain a stable connection)

 

I have also asked them to provide a different VPN client. However this is taking some time as I work in a global company with 50k people in the UK alone so this isn't a straightforward process.

 

To be honest I'm getting tired of trying to resolve this. If I wasn't tied in to my contract I would have left already as when I connect to my neighbour's Virgin broadband, or my other neighbour's BT broadband both work fine.

 

Regards,

 

Andrew
