Unable to connect to my work VPN
I'm not sure if the issue I'm experiencing is due to my company's own VPN server/software, my own home PC or my Ampifi HD mesh router.
Basically I have installed the Global Protect VPN software (required to connect to my employers VPN) on my home PC and everything works as expected but only if I use the external TP-Link USB Wireless adapter on my PC.
If I try and use a direct Ethernet cable from my PC to the Amplifi HD mesh router, then I get an internet connection as expected but as soon as I try and connect to my VPN, the VPN software will connect for 30secs disconnect and then tries to re-connect which it does for a further 30secs and then disconnects, re-tries and continues in this loop until I manually stop the connection via the software.
Whilst the VPN is trying to connect I lose all internet access on my PC.
Now like I say, I'm not sure where the issue lies, hence why I'm raising the issue here in case I need to configure something on the Ampifi HD mesh router to allow Ethernet connections for VPN access. (I think this is unlikely)
I have also raised the same question on the VPN providers forums as well.
I can't think what would cause the VPN connection not to stay connected by using a different network connection, when that network connection has internet access prior to invoking the VPN connection.
I got a reply back from the post I put on the VPN providers forum after posting a log file from the VPN software.
The reply says:
so here are the disconnect reasons...
(T29364)Info (1249): 11/18/20 16:44:19:928 --Too many outstanding keepalive and no response from GP (T29364)Info (1249): 11/18/20 16:45:16:199 --Too many outstanding keepalive and no response from GP (T29364)Info (1249): 11/18/20 16:46:12:262 --Too many outstanding keepalive and no response from GP
but we see no reason for this so must be the router connection.
It could be that after the initial ssl negotiation the tunnel used udp on port 4501. perhaps the amplifi lan does not know what to do with this... hence the keepalives are not getting back to you.
ask your co if they can disable ipsec for testing...
my next test would be to packet capture on both wifi and lan to see if any difference in tunnel traffic.
also... if you have access to the amplifi firewall (never used one) then try blocking outgoing udp 4501. this will then force the tunnel to use ssl..
Would the Amplifi HD router deal with UDP port 4501 connections differently depending on how I was connecting to the router, i.e. connecting via WiFi versus Ethernet cable?
I've had another reply from a Amplifi HD users using the same VPN software as me on the VPN providers forum to say that they have experienced the same problem as me.
The reply says:
I am experiencing the exact same issue, and I also have the Amplifi HD mesh router. Seems like more than a coincidence...
Did you happen to configure any Amplifi options via the web interface (as opposed to the mobile app)? I enabled the DNS Ad Blocker from there a while ago but didn't think to look there since Wi-Fi worked just fine (so long as I disabled the Ethernet interface).
So... I just now unchecked the DNS Ad Blocker setting and retried everything, and it looks like my Ethernet works again!
I have checked my settings and the DNS Ad Blocker is unticked (disabled).
I have tried enabling/disabling that settings but it makes no difference so I have left is disabled.
I am running the latest BETA firmware version 3.4.3, I have asked the question to the user as to what version of the firmware they are running, and am waiting a response. Will post back here when I know.
I the mean time I have collected some support logs to see if your support team can see any issue on the Amplifi HD as to why the VPN works on WiFi but not Ethernet cable.
Further replies on the VPN providers forum post hints at the DNS Ad Blocker not being the issue.
The reply says:
I guess I spoke to soon... after about 30-45 mins, I was disconnected and could not reconnect via Ethernet. Before I changed the Ad Blocker setting, GP would actually say I was connected yet I couldn't access ANY sites at all, similar to you - and I would have to literally disable the Ethernet adapter for GP to work via Wi-Fi... This last time (after disabling the ad blocker), I didn't need to disable the Ethernet adapter - just connected to Wi-Fi and refreshed my GP connection.
I am on 3.4.3 as well - but not beta... I tried the DNS cache bypass too, and it didn't fix it either. I may try the NAT setting next.
Update from me:
My setup is a Virgin Modem (in modem mode) connected to Amplifi HD router (in router DHCP mode) to the WAN port.
For testing purposes and to rule out the Amplifi HD I have disconnected my PC from the Ampifi HD and plugged the Ethernet cable directly into the Virgin Modem (in router DHCP mode).
I have left everything else the same, the only difference is the PC is connected directly to the modem and the Amplifi HD is not being used at all.
In this configuration the VPN sucessfully connects and stays connected and I still have internet access on my PC.
So this test points to the Amplifi HD as being the issue, because everything works as expected when its not being used.
Amplifi support have been in contact with me since I sent them the logs from my Amplifi HD.
They have asked me to disabled the Hardware NAT setting and to test again to see if that has any difference.
I can confirm that with the Hardware NAT option disabled I can now connect to my work VPN using GlobalProtect and the connection still allows me to use my internet connection on my local PC.
It seems to be the Hardware NAT setting that is causing the issue when using a wired connection. I noticed next to the Hardware NAT setting on the UI screen that the description says "Accelerate throughput for wired stations".
I guess that explains why it worked when connecting to the Amplifi HD using wireless as that setting doesn't apply to wireless clients.
I'm glad that we have managed to pinpoint the setting causing the problem, but I'm now concerned with this setting now disabled I won't be getting maximum throughput on my wired clients.
I can remember and have seen a lot of posts / articles that recommend having this setting enabled.
I am not sure if disabling this setting will have any negative effect or if its an issue with the Hardware NAT that needs to be fixed so that people like myself that had that setting enabled can use their VPNs?