cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
85595
Views
10
Helpful
32
Replies

Cisco VPN Client Release 5.0.06, Windows 7 3G not supported | Is there a workaround?

Jeff.Hofmann
Level 1
Level 1

I can successfully connect, but cannot ping devices over the Cisco VPN client using 3g on Windows 7. The Cisco VPN client works fine over ethernet or wifi, just not 3G/EDGE/HSDPA. I have tried connecting via AT&T and T-MOBILE.

The release notes for Cisco VPN Client 5.0.06 state: The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

Is there a workaround in order to reach devices over VPN using 3g on windows 7?

32 Replies 32

Jennifer Halim
Cisco Employee
Cisco Employee

No, unfortunately it is not supported yet.

Even the latest version of VPN Client 5.0.07 does not support wireless card yet. Here is the release notes for your reference:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp101224

Hello

When you announce release where that is going to work?

Yes, Cisco moderators, any news on when a new version that supports Win7/WWAN will be released?

hobbe
Level 7
Level 7

Maybe not what you want but atleast it is a workaround, I use 3G but I do not want to put it directly into my computer since the firewall issues.

so I use a 3d party device that both works as a Firewall, switch, accesspoint and a 3gmodem.

works like a charm.

Globalsurfer III  or globesurfer III I think its called.

works quite nice, I can install a ASA firewall to it if I want to.

it might not be the best answer to your question but atleast it is a workaround since the VPN klient does not support 3g modems directly.

That's good to know that the Option Globalsurfer III works, and it's the same vendor for my 3g card (GlobeTrotter GTM382W MiniPCI-Express) built into my Nokia Booklet.

However, the reason I bought the Netbook was so I could travel light and have connectivity when no wifi/ethernet internet access exists, which is sometimes the case when working with mobile carriers and thier partners.

Jeff.Hofmann
Level 1
Level 1

I tried the ShrewSoft VPN Client, which supports .pcf imports, but it doesn't work with my 3g card either. The good thing about ShrewSoft is they will work with me if I submit the bug report with all the info they request, i.e. both sides hardware and software versions, wireshark logs.

Still working on getting wireshark to find the 3g card when it's connected, currently it just says microsoft interface and no data shows in the logs.  

sjbdallas
Level 1
Level 1

It seems odd to me that it wouldn't be supported just because it's a WWAN card.  An internet connection is an internet connection right?  Maybe the issue is the compression software some of the WWAN OS clients use?  I recently found a user who couldn't connect to anything after VPNing in and we disabled the compression software in the ATT client's software.

indiginuz
Level 1
Level 1

Hey guys,

I had a similar issue with a Windows 7 client.

Our company was using Sprint Aircards. When I moved up one of my users to Windows 7 no aircard whether it be from Sprint or TMobile worked. I got on the phone with Microsoft and we figured out how to make it work with the Sprint aircard.

The solution was to edit your host file. All you need to do is enter the internal IP address of your Exchange server along with the Exchange server name, as well as the same IP address with the FQN name.

Exampe:

10.1.20.50     exchange01

10.1.20.50     exchange01.companyname.com

Once we did this we were able to use Cisco VPN to connect to our Outlook and network shares.

My reason for finding this article is that we may be switching over to TMobile aircards and even with this fix that I posted, we cannot connect whatsoever. We can use any LAN, Wi-Fi or even a Sprint aircard and it will work without any problems.

Thanks.

shawn12341234
Level 1
Level 1

I have noticed that there are a lot of people that are having problem using their VPN connection with Windows 7. I recently investigated this problem and figured out the reason why some people can connect to the same VPN network with their WWAN/Wireless Modem/Mobile Broadband/Cellular data card/etc and other people cannot on Windows 7. For example, a common scenario is that the VPN connection was working just perfectly fine and then the user upgraded to Windows 7 and then their VPN connection stopped working. Another one is that using one WWAN device they can connect to their VPN with one MB device, but not with another in the exact same environment.

Here is a quick write up I put to together that explains the issue and lays the groundwork for a pretty easy workaround that will get it up and running. Their will be some limitations, but at least you will be able to make a VPN connection with your cellular card on Windows 7. I hope this helps you...let me know if you have any questions.

http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7

Thanks,

Shawn

Thank you Shawn! Your explanation was very clear and complete. I follow the steps to create a DUN to AT&T and now my VPN CLient is working perfectly well over mobile broadband.

Namit Agarwal
Cisco Employee
Cisco Employee

To make the VPN client work with the Broadband card the workaround is to setup the Broadband Card internet connection as a dial-up connection. The reason this works is, in this case the  WWAN card   is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize.

The explanation behind this issue is

  • The traffic accepted by the NIC is controlled by an NDIS Miniport Driver.
  • The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.
  • The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver(WWAN Card)is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.
  • The solution is to update your NDIS intermediate driver to NDIS 6.x-based Light Weight Filter (LWF drivers are a combination of NDIS intermediate drivers and a miniport driver) but that also has resulted in a BSOD.
  • So the current workaround is use it as a dial up connection

Hi Namit,

I was wondering if you had a chance to look at the post found here:

http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7

I recently had to debug this issue for a customer. Since, I could not find any information on the internet that completely explained the technical details of the problem I post that article so other people with problem could resolve their issue. There are a few different ways that you can fix this problem if you must use the Cisco IPSEC client software and drivers. I wanted to clarify a couple points you made in your post:

To make the VPN client work with the Broadband card the workaround is to setup the Broadband Card internet connection as a dial-up connection. The reason this works is, in this case the  WWAN card   is used as a Modem (thereby bypassing the limitation of NDIS drivers) to connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize.

The reason that the Cisco driver does not work for a mobile broadband (MB) devices is because Windows 7 introduced a new NDIS driver model when Windows 7 shipped. In order for an IHV to make their cellular device appear as a MB interface they must write a new driver using the MB specification for cellular devices. This driver is an NDIS driver, but only NDIS 6.20 supports this driver model. The specification for MB NDIS drivers basically defines at set of OIDs that this miniport driver must handle so that the OS interface with the device in a standard way. Before MB there was not a standard way to control a cellular interface. Typically, IHVs would install serial, Ethernet, or 802.11 drivers and proxy cellular data those interfaces. This had to be done in a non-standard way because the OS had no native support for WWAN devices before Window 7. With the new driver came a new media type in the NDIS specification. NDIS IM drivers are drivers that effectively are inserted between the network device and the protocol so that all network traffic must travel through the IM driver that is bound to the network adapter. So, if you wanted to encrypt all the data going out through an interface an intermediate driver (IM) is the type of driver that you would want. The problem is that if your IM driver is not bound to the network interface then it will not see any of the network traffic that is sent/receive by that adapter. This is the issue with the Cisco IM driver...it cannot bind to the media type that a MB driver exposes at its upper layer. Therefore, it does not see any of the traffic that is sent/received by the MB device.

An IM driver is a combination of a protocol and miniport driver...the LWF driver is a specialized driver that sole purpose is to shape network traffic in the most efficient way possible...You cannot update a IM driver to be a LWF driver...you have to write new driver. You could reuse the code in the IM driver for implementing the IPSEC protocol, but you have to do this in a new driver.

Most cellular devices that are based on Qualcomm technology (all of them) will install a virtual serial driver and a modem driver so that AT commands can be used to control the cellular device. The Dialup networking workaround is using this interface to make the connection using the same technology that dial-analog modem use for connecting and the use a different networking stack for sending and receiving data that old IM drivers can bind to and since they can bind to that stack they can shape traffic on that stack so you can make a VPN connection. However, you will not see any return on the investment that Microsoft made in Windows 7 for supporting WWAN devices, which was significant

Thanks


dy2
Level 1
Level 1

has cisco acknowledge this problem and are they gonna do anything about it?

There are a couple ways but they are not ideal, the link above covers them...but it boils down you have to put the VPN driver in a stack that is not the MBN stack, e.g., RAS or install the NDIS miniport driver that is for Windows Vista instead of the MB...there are some clients that will allow you to interface to the cisco box with their client, but they won't support all the modes that are supported but the most popular ones are...PM me if you want to know about some options. I think that from what I can see that the focus moving forward is a SSL solution where the encryption is done is user space.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: