Cisco Support Community

Issues with IPSEC-VPN client and Verizon VZ4G LTE network

 

 

Introduction

This document explains why IPSEC VPN clients don't pass traffic on the Verizon 4G network.

 

Core Issue

The Cisco IPSEC VPN client is able to connect to VPN gateways without any issues over the Verizon 4G network. However, once connected, the client is not able to pass any traffic at all. The counters on the client show that it is encrypting data, but the decrypt counters never increment. This issue is seen across the entire range of Windows operating systems. One of the deal breakers with the new Verizon 4G network is that the new LG VL600 and Pantech UML290 devices run on a privately routed IP (10.) address that ONLY allows outbound traffic; no inbound traffic can be passed through. This means that if you need remote access to a device, Verizon's new 3G/4G-capable devices will not allow you to reach it as you could with a 3G-only modem.

 

Resolution

 

Based on suggestions made by Verizon, the following should be attempted:

1. Enable NAT-T. For more information regarding NAT traversal, please refer to the following documents:

     a. IPSEC over NAT-T on IOS devices

     b. IPSEC over NAT-T on ASA

2. Enable IPSEC over TCP. For more information regarding enabling IPSEC over TCP, please refer to the following documents:

     a. IPSEC over TCP on IOS devices

     b. Enabling IPSEC over TCP on ASA

3. Use AnyConnect rather than IPSEC.

4. The other option is to go with the Sprint 4G network instead, which apparently does support remote access to applications.
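
To confirm which transport the client is actually using before and after the NAT-T or IPSEC-over-TCP change, the following added example (not part of the original document or of any Cisco tool) classifies raw IPv4 packets from a client-side capture and reports whether tunnel data flows one way or both ways. The function names, the sample packets and the port-only match for IPSEC over TCP are assumptions; the UDP 4500 framing follows RFC 3948.

```python
import struct
from collections import Counter

NAT_T_PORT = 4500        # UDP encapsulation of ESP (RFC 3948)
IPSEC_TCP_PORT = 10000   # port from the ASA command in the comments; port match is a heuristic

def classify(pkt: bytes) -> str:
    """Name the IPsec transport carried by one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    l4 = pkt[(pkt[0] & 0x0F) * 4:]           # skip the IPv4 header (IHL is in 32-bit words)
    proto = pkt[9]
    if proto == 50:
        return "native-esp"                  # no ports, so it depends on the NAT passing protocol 50
    if len(l4) < 8 or proto not in (6, 17):
        return "other"
    ports = struct.unpack("!HH", l4[:4])
    if proto == 6:
        return "ipsec-over-tcp" if IPSEC_TCP_PORT in ports else "other"
    data = l4[8:]                            # UDP payload
    if NAT_T_PORT in ports:
        if data == b"\xff":
            return "nat-keepalive"           # single 0xFF octet keeps the NAT mapping alive
        if data[:4] == b"\x00" * 4:
            return "ike"                     # non-ESP marker: IKE floated to port 4500
        return "esp-in-udp"                  # anything else starts with a non-zero SPI
    return "ike" if 500 in ports else "other"

def diagnose(capture) -> str:
    """capture: iterable of (direction, packet); direction is 'out' or 'in' at the client."""
    seen = Counter((d, classify(p)) for d, p in capture)
    kinds = ("native-esp", "esp-in-udp", "ipsec-over-tcp")
    sent = [k for k in kinds if seen[("out", k)]]
    recv = [k for k in kinds if seen[("in", k)]]
    if sent and not recv:
        return "one-way:" + ",".join(sent)   # encrypt counter climbs, decrypt counter stays flat
    return "two-way:" + ",".join(recv) if recv else "no-tunnel-data"

# Constructed sample packets (checksums left at zero, addresses made up for the example)
def ipv4(proto, l4, src=b"\x0a\x00\x00\x02", dst=b"\xc6\x33\x64\x01"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst) + l4
def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
ESP = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16   # SPI, sequence, opaque body
IKE = b"\x00" * 4 + b"\x11" * 28                                  # non-ESP marker + IKE bytes
BROKEN = [("out", ipv4(17, udp(500, 500, IKE[4:]))), ("in", ipv4(17, udp(500, 500, IKE[4:]))),
          ("out", ipv4(50, ESP)), ("out", ipv4(50, ESP))]
FIXED = [("out", ipv4(17, udp(4500, 4500, IKE))), ("out", ipv4(17, udp(4500, 4500, b"\xff"))),
         ("out", ipv4(17, udp(4500, 4500, ESP))), ("in", ipv4(17, udp(4500, 4500, ESP)))]
```

`diagnose(BROKEN)` reproduces the symptom described under Core Issue (IKE completes, native ESP leaves the client, nothing comes back), while `diagnose(FIXED)` shows the same tunnel once ESP is wrapped in UDP 4500.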

Version history
Revision #: 2 of 2
Last update: 08-28-2017 11:31 PM
Comments
New Member

Thanks, this resolved my issue by enabling NAT-T for an ASA for users using the Verizon LG VL600 4G USB stick.

This worked for me too. On a PIX with a UML290 aircard over Verizon's network.

New Member

Verizon support has an update for the UML290 modem (at least for a Windows 7 device), please see the link that was supplied to me here: http://www.vzam.net/uploadedFiles/UML290%20VPN%20Connection%20Issues%20-%20Read%20Me.zip . Hope this helps.

New Member

Hi,

I also suggest, if available, using the "RAS(Modem)" connection method instead of "NDIS", which solved my problem and had nothing to do with my infrastructure.

Best regards

New Member

I have an LTE modem; it connects on Huawei LTE but cannot access any internal resources.

New Member

Hello,

 

We just ran into this problem with users on Verizon using the Gobi 4000 (Sierra Wireless MC 7750) and the Cisco VPN. We could connect to the VPN but couldn't send any traffic or access internal resources.

We enabled NAT-T on the ASA but it still didn't work right away.  We found a post suggesting to update the DNE driver and that fixed the issue for us.  Our Windows 7 laptops are connected and working now.

 

The 32-bit download is here: ftp://files.citrix.com/dneupdate.msi

The 64-bit download is here: ftp://files.citrix.com/dneupdate64.msi

Additional information on this is here: http://www.citrix.com/go/lp/dne.html

 

Credit to scojjac at http://community.spiceworks.com/topic/329360-verizon-lte-cisco-ipsec-vpn-issue

 

Hope this helps,

John

 

New Member

Thank you! Enabling IPSEC over TCP did the trick in my case. Along with making the change on the ASA:

crypto isakmp ipsec-over-tcp port 10000

I also had to set the VPN client to use TCP as well.