Atri Basu
Cisco Employee

Introduction

This document explains why IPsec VPN clients don't work on the Verizon 4G network.

 

Core Issue

The Cisco IPsec VPN client is able to connect to VPN gateways without any issues over the Verizon 4G network. However, once connected, the client is not able to pass any traffic at all. The counters on the client indicate that the client is encrypting data, but the decrypt counters do not increment. This issue is seen across the entire range of Windows operating systems.

One of the deal breakers with the new Verizon 4G network is that the new LG VL600 and Pantech UML290 run a privately routed IP (10.) address that ONLY allows outbound traffic; no inbound traffic can be passed through. This means that if you need remote access to a device, Verizon's new 3G/4G-capable devices will not allow you to access it the way you could with a 3G-only modem.

 

Resolution

 

Based on suggestions made by Verizon, the following should be attempted:

1. Enable NAT-T. For more information regarding NAT traversal, please refer to the following documents:

     a. IPSEC over NAT-T on IOS devices

     b. IPSEC over NAT-T on ASA

2. Enable IPsec over TCP. For more information regarding enabling IPsec over TCP, please refer to the following documents:

     a. IPSEC over TCP on IOS devices

     b. Enabling IPSEC over TCP on ASA

3. Use AnyConnect rather than IPsec.

4. The other option is to go with the Sprint 4G network instead, which apparently does support remote access to applications.
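
To confirm from a packet capture which of the transports listed above a client is actually using, and whether data flows in both directions, the following added example (not part of the original document and not Cisco code) classifies packets by the standard NAT-T framing from RFC 3948. The tuple layout, function names and sample packets are assumptions constructed for illustration; port 10000 is the IPsec-over-TCP port from the ASA command quoted in the comments.

```python
import struct

NAT_T_PORT = 4500        # UDP-encapsulated IKE and ESP (RFC 3947/3948)
IKE_PORT = 500           # plain IKE
IPSEC_TCP_PORT = 10000   # port from the ASA command quoted in the comments

def classify(ip_proto, sport, dport, payload):
    """Label one captured packet by the IPsec transport it belongs to."""
    ports = {sport, dport}
    if ip_proto == 50:
        return "native-esp"              # ESP carries no port numbers
    if ip_proto == 6 and IPSEC_TCP_PORT in ports:
        return "ipsec-over-tcp"
    if ip_proto != 17:
        return "other"
    if NAT_T_PORT in ports:
        if payload == b"\xff":
            return "nat-t-keepalive"     # one-byte NAT keepalive
        if payload[:4] == b"\x00" * 4:
            return "nat-t-ike"           # non-ESP marker, then the IKE header
        if len(payload) >= 8:
            return "nat-t-esp"           # nonzero SPI followed by sequence number
        return "malformed"
    return "ike" if IKE_PORT in ports else "other"

def diagnose(packets):
    """Report each data-carrying transport seen and whether it flows both ways."""
    seen = {}
    for direction, proto, sport, dport, payload in packets:
        seen.setdefault(classify(proto, sport, dport, payload), set()).add(direction)
    return {kind: "two-way" if dirs == {"out", "in"} else "one-way"
            for kind, dirs in seen.items()
            if kind in ("native-esp", "nat-t-esp", "ipsec-over-tcp")}

# Constructed sample packets: (direction, ip_proto, sport, dport, payload)
ESP = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16   # SPI, sequence, dummy body
IKE = b"\x00" * 4 + b"ike-header"                         # marker + placeholder
BEFORE = [("out", 17, 500, 500, b"ike-header"), ("in", 17, 500, 500, b"ike-header"),
          ("out", 50, 0, 0, ESP), ("out", 50, 0, 0, ESP)]
AFTER = [("out", 17, 51234, 4500, IKE), ("in", 17, 4500, 51234, IKE),
         ("out", 17, 51234, 4500, ESP), ("in", 17, 4500, 51234, ESP),
         ("out", 17, 51234, 4500, b"\xff")]

if __name__ == "__main__":
    print("before NAT-T:", diagnose(BEFORE))   # native ESP leaves, nothing returns
    print("after NAT-T: ", diagnose(AFTER))
```

A "one-way" result for native ESP matches the symptom described under Core Issue: the client encrypts, but nothing comes back to decrypt.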

Comments
devin.culp
Level 1

Thanks, this resolved my issue by enabling NAT-T for an ASA for users using the Verizon LG VL600 4G USB stick.

This worked for me too. On a PIX with a UML290 aircard over Verizon's network.

jclemence
Level 1

Verizon support has an update for the UML290 modem (at least for a Windows 7 device); please see the link that was supplied to me here: http://www.vzam.net/uploadedFiles/UML290%20VPN%20Connection%20Issues%20-%20Read%20Me.zip . Hope this helps.

nuno.lourenco
Community Member

Hi,

I also suggest, if available, using the "RAS (Modem)" connection method instead of "NDIS", which has solved my problem and had nothing to do with my infrastructure.

Best regards

ali588701
Community Member

I have an LTE modem; it connects on Huawei LTE but cannot access any internal resources.

jhowison
Level 1

Hello,

 

We just ran into this problem with users on Verizon using the Gobi 4000 (Sierra Wireless MC 7750) and the Cisco VPN. We could connect to the VPN but couldn't send any traffic or access internal resources.

We enabled NAT-T on the ASA but it still didn't work right away.  We found a post suggesting to update the DNE driver and that fixed the issue for us.  Our Windows 7 laptops are connected and working now.

 

The 32-bit download is here: ftp://files.citrix.com/dneupdate.msi

The 64-bit download is here: ftp://files.citrix.com/dneupdate64.msi

Additional information on this is here: http://www.citrix.com/go/lp/dne.html

 

Credit to scojjac at http://community.spiceworks.com/topic/329360-verizon-lte-cisco-ipsec-vpn-issue

 

Hope this helps,

John

 

j.bloodsworth
Community Member

Thank you! Enabling IPSEC over TCP did the trick in my case. Along with making the change on the ASA:

crypto isakmp ipsec-over-tcp port 10000

I also had to set the VPN client to use TCP as well.
