Traffic Stops Passing over Juniper SSL VPN from Verizon Wireless 4G LTE Client using CradlePoint Router

Posted on 2013-10-04
Last Modified: 2013-10-27
Any suggestions are greatly appreciated.

My issue is as follows:

My setup:
CradlePoint MBR1400 router firmware v. 4.4.0 hardware v. 2.0. Ethernet connection to Laptop running Windows 7 Enterprise SP1 as user (no admin rights). I have tried two modems: the CradlePoint MC200LE-VZ firmware v. and a Pantech. ISP is Verizon Wireless. I have the Sure Call direct amplifier and I have tried both the SureCall omni & Wilson panel directional antennas. I believe I can pick up signals from two towers about 100 degrees apart. In all antenna/amp setups the signal is strong 4G LTE (RSSI:-42; but SINR fluctuates quite a bit: 1-9). Router is currently in "Force 4G LTE" mode which seems to perform the best. When not connected to the VPN, speedtest.net generally reports 10-15 Mbps up & down w/ 35-40ms ping. The Laptop is connecting to a Juniper Network Connect SSL VPN v.7.3 via Internet Explorer v. 9.0.x.

My symptoms:
VPN connects initially, runs a login script (slower than I would like but it is slow imo even on my previous 100Mbps Fios package). All systems that rely on the VPN work fine for either a few minutes or a few hours. At some point the VPN "stalls," meaning it appears to remain connected according to the icon in the system tray and the web browser but traffic does not pass. (By traffic I mean connections to Network Shares, various databases (over http), MS Lync/Cisco UC, MS Exchange (via MS Outlook) & Internet.)

My discussions with CradlePoint & my internal tech support:

According to the VPN tech, the Juniper VPN should support 4G connections starting with v. 7.1. He said NAT'd devices should not be a problem. However, other 4G users have experienced problems, so much so that they are considering banning use of the technology altogether (in other words: I'm on my own to figure this out). CradlePoint support has been a bit all over the place. First they said lower MTU, then they said I must make VPN settings on the CP match the VPN settings on Juniper. That didn't make any sense to the VPN tech because the CP was asking for all sorts of settings I'm told the Juniper SSL VPN doesn't use. I think that setup is for a router-to-router VPN but I'm not really sure--I don't know the settings to try it. Then CP told me to enable static NAT. I told them that option wasn't in my firmware version. So, CP sent me a rolled back firmware. However, the router rejected it as incompatible with my hardware version. I have sent everyone log files for everything and no one has been able to pinpoint the issue. Although, the log files do appear to contain various errors & warnings. I don't really know enough to be able to interpret them. I would post them, but I'm not sure if they contain sensitive information that should not be distributed.

My present workaround:
There seem to be two issues: one, the connection drops; two, the VPN does not recognize the drop and reconnect. I think I am manually fixing the second issue by executing a one-line command (...cmd.exe /c ipconfig /release *9) to force the (virtual?) adapter to release the VPN IP assigned. This prompts Network Connect to ask if I want to reconnect to the VPN and I click yes and it does. So, there does not appear to be an interruption in Internet service. However, if I'm on a VOIP (MS Lync) phone call, I can't make the reconnect happen fast enough for the other party not to hang up thinking the call is dropped (if they wait around the call will usually resume).

Things I've tried:
Outdoor antenna & amplifier. When I first tried the directional antenna it worked for two full days with no stalls so I thought it might have just been a signal strength or tower switching issue. Then the next time I tried it, it would not connect to the Internet at all and reported Carrier:Down. I replaced the directional antenna with the omni. I also inserted the amp. But, all that just left me back where I started.

I believe that I have verified that there is no IP change associated with the stall (thinking it might be NAT issue).

On the Router I have tried:
Lowering MTU
Port forwarding & IP protocol filter (according to Juniper VPN guide)
Force LTE mode, Force 3G mode
Disable IPv6
Active/Static DNS (opendns)
Toggle Force DNS through router
IP reservation for laptop
DMZ for laptop
Active Ping failure check mode
Toggle on Demand mode
Toggle aggressive reset mode
Toggle Force NAT mode
Toggle Standard/NAT/IP passthrough mode

Please let me know if I can provide any further information.

Thanks for any suggestions.
Question by:-chuck-
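
The stall described in the question (tunnel shown as connected, no traffic passing) can be detected and timestamped automatically instead of by hand. The following PowerShell watchdog is an added example, not part of the original post: it probes a host through the tunnel and, after several consecutive failures, runs the same `ipconfig /release *9` command the poster uses. The probe host name, thresholds and log path are assumptions, and the probe host is assumed to answer ICMP over the VPN.

```powershell
# Added example: stall watchdog for the manual workaround described in the question.
# Assumptions (not from the thread): $ProbeHost is a placeholder for an internal
# address that is reachable only through the tunnel and answers ICMP echo;
# the interval, failure threshold and log path are illustrative values.
param(
    [string]$ProbeHost       = 'intranet-host.example',  # placeholder, replace
    [string]$AdapterMatch    = '*9',                      # pattern used in the question
    [int]$IntervalSeconds    = 5,
    [int]$FailuresToStall    = 3,
    [string]$LogPath         = "$env:TEMP\vpn-stall.log"
)

function Write-StallLog([string]$Message) {
    # Timestamp every event so stalls can be lined up with router signal readings.
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

$failures = 0
while ($true) {
    # One echo request through the tunnel; -Quiet yields $true/$false, no exception.
    if (Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet) {
        if ($failures -gt 0) { Write-StallLog "recovered after $failures failed probe(s)" }
        $failures = 0
    }
    else {
        $failures++
        Write-StallLog "probe failed ($failures/$FailuresToStall)"
        if ($failures -ge $FailuresToStall) {
            # Same action as the manual workaround: release the virtual adapter's
            # address so the VPN client notices the dead session.
            Write-StallLog "stall declared; releasing adapter matching '$AdapterMatch'"
            & ipconfig /release $AdapterMatch | Out-Null
            Write-StallLog "ipconfig exit code $LASTEXITCODE; waiting for reconnect"
            $failures = 0
            Start-Sleep -Seconds 30   # give the client time to prompt and reconnect
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The reconnect prompt from Network Connect still has to be answered by the user; the log gives exact stall times that can be compared against the router's SINR readings.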

Expert Comment

by:Aaron Tomosky
ID: 39548716
Have you messed with keep alive values?

Author Comment

ID: 39552554
Thank you for your suggestion. As a user/client and not an admin, I don't have access to the server-side settings. I'm told that these types of settings were checked and the VPN should make reconnects when the dead connection is detected. But, maybe you are right in that the connection is not "dead enough" to try to reconnect.

I contacted the antenna vendor and she advised that my SINR should be above 7. I initially positioned the antennas for best RSSI. I have repositioned them and I'm getting 8-14 SINR and the RSSI has dropped only slightly. It has been working for about 4 hours today. I will research SINR/VPN issues and report back after some more time. (fingers crossed)

Accepted Solution

-chuck- earned 0 total points
ID: 39592199
Think it wound up being just a noise issue. Once the SINR improved the problem went away. Supposedly NAT does not create an issue for an SSL VPN.

Author Closing Comment

ID: 39603617
Seems to be working now based on the suggestion from the antenna vendor to try to improve SINR.
