Cisco VPN Client Release 5.0.06, Windows 7 3G not supported | Is there a workaround?

Unanswered Question
May 13th, 2010

I can successfully connect, but cannot ping devices over the Cisco VPN client using 3g on Windows 7. The Cisco VPN client works fine over ethernet or wifi, just not 3G/EDGE/HSDPA. I have tried connecting via AT&T and T-MOBILE.

The release notes for Cisco VPN Client 5.0.06 state: The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

Is there a workaround in order to reach devices over VPN using 3g on windows 7?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
Dunkku999 Tue, 07/20/2010 - 00:02

Hello

When you announce release where that is going to work?

hlevel71 Tue, 08/03/2010 - 15:00

Yes, Cisco moderators, any news on when a new version that supports Win7/WWAN will be released?

hobbe Mon, 05/17/2010 - 06:13

Maybe not what you want but atleast it is a workaround, I use 3G but I do not want to put it directly into my computer since the firewall issues.

so I use a 3d party device that both works as a Firewall, switch, accesspoint and a 3gmodem.

works like a charm.

Globalsurfer III  or globesurfer III I think its called.

works quite nice, I can install a ASA firewall to it if I want to.

it might not be the best answer to your question but atleast it is a workaround since the VPN klient does not support 3g modems directly.

Jeff.Hofmann Tue, 05/18/2010 - 06:29

That's good to know that the Option Globalsurfer III works, and it's the same vendor for my 3g card (GlobeTrotter GTM382W MiniPCI-Express) built into my Nokia Booklet.

However, the reason I bought the Netbook was so I could travel light and have connectivity when no wifi/ethernet internet access exists, which is sometimes the case when working with mobile carriers and thier partners.

Jeff.Hofmann Tue, 05/18/2010 - 06:37

I tried the ShrewSoft VPN Client, which supports .pcf imports, but it doesn't work with my 3g card either. The good thing about ShrewSoft is they will work with me if I submit the bug report with all the info they request, i.e. both sides hardware and software versions, wireshark logs.

Still working on getting wireshark to find the 3g card when it's connected, currently it just says microsoft interface and no data shows in the logs.  

sjbdallas Tue, 05/18/2010 - 07:19

It seems odd to me that it wouldn't be supported just because it's a WWAN card.  An internet connection is an internet connection right?  Maybe the issue is the compression software some of the WWAN OS clients use?  I recently found a user who couldn't connect to anything after VPNing in and we disabled the compression software in the ATT client's software.

indiginuz Mon, 05/24/2010 - 07:45

Hey guys,

I had a similar issue with a Windows 7 client.

Our company was using Sprint Aircards. When I moved up one of my users to Windows 7 no aircard whether it be from Sprint or TMobile worked. I got on the phone with Microsoft and we figured out how to make it work with the Sprint aircard.

The solution was to edit your host file. All you need to do is enter the internal IP address of your Exchange server along with the Exchange server name, as well as the same IP address with the FQN name.

Exampe:

10.1.20.50     exchange01

10.1.20.50     exchange01.companyname.com

Once we did this we were able to use Cisco VPN to connect to our Outlook and network shares.

My reason for finding this article is that we may be switching over to TMobile aircards and even with this fix that I posted, we cannot connect whatsoever. We can use any LAN, Wi-Fi or even a Sprint aircard and it will work without any problems.

Thanks.

shawn12341234 Thu, 08/12/2010 - 21:55

I have noticed that there are a lot of people that are having problem using their VPN connection with Windows 7. I recently investigated this problem and figured out the reason why some people can connect to the same VPN network with their WWAN/Wireless Modem/Mobile Broadband/Cellular data card/etc and other people cannot on Windows 7. For example, a common scenario is that the VPN connection was working just perfectly fine and then the user upgraded to Windows 7 and then their VPN connection stopped working. Another one is that using one WWAN device they can connect to their VPN with one MB device, but not with another in the exact same environment.

Here is a quick write up I put to together that explains the issue and lays the groundwork for a pretty easy workaround that will get it up and running. Their will be some limitations, but at least you will be able to make a VPN connection with your cellular card on Windows 7. I hope this helps you...let me know if you have any questions.

http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7

Thanks,

Shawn

friver001 Wed, 02/23/2011 - 08:15

Thank you Shawn! Your explanation was very clear and complete. I follow the steps to create a DUN to AT&T and now my VPN CLient is working perfectly well over mobile broadband.

Namit Agarwal Thu, 08/26/2010 - 19:14

To make the VPN client work with the Broadband card the workaround is to setup the Broadband Card internet connection as a dial-up connection. The reason this works is, in this case the  WWAN card   is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize.

The explanation behind this issue is

  • The traffic accepted by the NIC is controlled by an NDIS Miniport Driver.
  • The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.
  • The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver(WWAN Card)is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.
  • The solution is to update your NDIS intermediate driver to NDIS 6.x-based Light Weight Filter (LWF drivers are a combination of NDIS intermediate drivers and a miniport driver) but that also has resulted in a BSOD.
  • So the current workaround is use it as a dial up connection
shawn12341234 Thu, 08/26/2010 - 21:38

Hi Namit,

I was wondering if you had a chance to look at the post found here:

http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7

I recently had to debug this issue for a customer. Since, I could not find any information on the internet that completely explained the technical details of the problem I post that article so other people with problem could resolve their issue. There are a few different ways that you can fix this problem if you must use the Cisco IPSEC client software and drivers. I wanted to clarify a couple points you made in your post:

To make the VPN client work with the Broadband card the workaround is to setup the Broadband Card internet connection as a dial-up connection. The reason this works is, in this case the  WWAN card   is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize.

The reason that the Cisco driver does not work for a mobile broadband (MB) devices is because Windows 7 introduced a new NDIS driver model when Windows 7 shipped. In order for an IHV to make their cellular device appear as a MB interface they must write a new driver using the MB specification for cellular devices. This driver is an NDIS driver, but only NDIS 6.20 supports this driver model. The specification for MB NDIS drivers basically defines at set of OIDs that this miniport driver must handle so that the OS interface with the device in a standard way. Before MB there was not a standard way to control a cellular interface. Typically, IHVs would install serial, Ethernet, or 802.11 drivers and proxy cellular data those interfaces. This had to be done in a non-standard way because the OS had no native support for WWAN devices before Window 7. With the new driver came a new media type in the NDIS specification. NDIS IM drivers are drivers that effectively are inserted between the network device and the protocol so that all network traffic must travel through the IM driver that is bound to the network adapter. So, if you wanted to encrypt all the data going out through an interface an intermediate driver (IM) is the type of driver that you would want. The problem is that if your IM driver is not bound to the network interface then it will not see any of the network traffic that is sent/receive by that adapter. This is the issue with the Cisco IM driver...it cannot bind to the media type that a MB driver exposes at its upper layer. Therefore, it does not see any of the traffic that is sent/received by the MB device.

An IM driver is a combination of a protocol and miniport driver...the LWF driver is a specialized driver that sole purpose is to shape network traffic in the most efficient way possible...You cannot update a IM driver to be a LWF driver...you have to write new driver. You could reuse the code in the IM driver for implementing the IPSEC protocol, but you have to do this in a new driver.

Most cellular devices that are based on Qualcomm technology (all of them) will install a virtual serial driver and a modem driver so that AT commands can be used to control the cellular device. The Dialup networking workaround is using this interface to make the connection using the same technology that dial-analog modem use for connecting and the use a different networking stack for sending and receiving data that old IM drivers can bind to and since they can bind to that stack they can shape traffic on that stack so you can make a VPN connection. However, you will not see any return on the investment that Microsoft made in Windows 7 for supporting WWAN devices, which was significant

Thanks


darren.yong Sat, 12/04/2010 - 12:22

has cisco acknowledge this problem and are they gonna do anything about it?

shawn12341234 Sat, 12/04/2010 - 12:45

There are a couple ways but they are not ideal, the link above covers them...but it boils down you have to put the VPN driver in a stack that is not the MBN stack, e.g., RAS or install the NDIS miniport driver that is for Windows Vista instead of the MB...there are some clients that will allow you to interface to the cisco box with their client, but they won't support all the modes that are supported but the most popular ones are...PM me if you want to know about some options. I think that from what I can see that the focus moving forward is a SSL solution where the encryption is done is user space.

hlevel71 Mon, 12/06/2010 - 11:02

The AnyConnect client will work over wireless cards.  Its the simplest solution I've found.

shawn12341234 Thu, 12/09/2010 - 21:25

The problem arises when you are using the native IPSEC NDIS driver to tunnel packets. SSL solutions will work the packets are modified above the network stack.

Thanks,

Shawn

apothula Mon, 12/06/2010 - 20:26

You can try using TCP transport for the VPN client connections.

I have seen cases in which this works.

On the ASA use the command,

crypto isakmp ipsec-over-tcp "port" ; ex crypto isakmp ipsec-over-tcp 10000

and on the VPN client for the connection entry you are trying, right click, properties, transport , check IPSec over TCP and put in the port number given in the command above.


Let me know if this works.


This is not a solution, it is a work around that has worked for me in a few cases.


Cheers,

Nash,

darren.yong Mon, 12/13/2010 - 23:18

Hi Avinash,

Would configuring the above cause too much overhead on the appliance?

Did you face the same situation, where you've configured ipsec over tcp?

Thanks.

schmidtiii_novice Thu, 02/24/2011 - 00:14

Hello all,

my solution for this problem is I update the DNE software component of the vpn client after I installed the vpn client on Windows 7. Citrix provide an update on its website. I have this tested with Windows 7 32/62bit and it works.
Attention! I don't know is this a supported way from Cisco!

best regards

schmidtiii_novice

roger.aas@ementor.no Mon, 05/09/2011 - 00:41

Hi.

It was nice to find this info. I had the same problem, and used too much time changing the router config before realising the problem was on my end.

I can in addition give another "workaround" to the problem: Using a virtual machine on the host computer that has the WWAN connection will also work because the virtual guest will not directly use the WWAN interface.

Roger/Atea

philippe.ponsot Fri, 10/28/2011 - 07:17

Still doesn't work for me after installing dneupdate64.msi. Is there after installation something to do to make it works ?

Philippe

kamer.akin Sat, 10/29/2011 - 02:18

No i didnt even restart the notebook. ?  What is the 3G chipset?  I made it worked with Sony Z series and Toshiba R700

DeeBeeArgh Mon, 03/19/2012 - 06:46

Kamer's fix worked for me using Orange/T-Mobile in the UK

Huge thank you - it was an issue for my boss who is now happy

ppokorny25 Mon, 03/19/2012 - 08:01

Worked for me too.

TO2 CZ/Win7 64bit

Before applying I've connected (everything looked fine), but no traffic to the network.

After applying everything works well.

Huge thanks.

devin.weber@mer... Tue, 07/02/2013 - 14:22

Kamer's resolution resolved my issues running Windows 7 64-bit, Cisco VPN Client version 5.0.07.0440 with a US Cellular Huawei E397Bu-502.  Same issue as everyone else, VPN would connect but could not get traffic to flow.  Once I applied the "fix" & restarted the workstation, everything worked as expected.  Thank You!!

alvanlee78 Sat, 07/06/2013 - 23:24

Hi Devin,

Mine seem to have the exact situation you are having now. There is running on Win 7 64-bit, using Cisco VPN Client version 5.0.07.0440 with in-built 3G card (sorry i dont have the exact model number now).

I thought I have fixed it by performing the exact "fix" using 1) winfix, followed by DNEupdate64 and finally installing Cisco VPN client. I can ping/access the remote destination without any issues.

Finally, I did a clone (ghost) image and started to deploy the images to other same laptops.... it didnt work again....

arrrgg.....

Anyone ... any idea??

APatotski Sat, 04/27/2013 - 13:17

I have tried to use Cisco VPN Client with WIndows 8 (64 bit) and get the problem with 3G modem (HUAWEI E1550). The installation of DNE update lead to other problem - windows is getting a blue screen (BSOD) when the traffic is transmited over 3G modem. Changing the driver version was not solved the problem. Ocationaly I have tried to replace Windows 7 driver of the modem by the Windows Vista driver and the problem is resolved !!!

With Windows Vista driver the 3G connection is not longer looks like a broad band connection - now it is looks like Ethernet connection. So the solution is to use  DNE update and Windows Vista driver for 3G.

Actions

Login or Register to take actions

This Discussion

Posted May 13, 2010 at 7:20 AM
Stats:
Replies:31 Avg. Rating:5
Views:72864 Votes:0
Shares:0
Tags: vpn_client
+

Related Content

Discussions Leaderboard