Need help with Cisco hardware-based VPN on Amplifi network


  • My employer issued me a locked-down Cisco C1111 router to create a site-to-site VPN. It's normally "plug and play", but our network support team says that some home routers give them trouble. The Amplifi HD is apparently one of them.

    Our network support team had me connect the Cisco directly to my cable modem. It worked perfectly there, but of course left me with no home internet other than the work VPN. But at that point, they pretty much said it's my problem, their equipment worked fine.

    The Cisco router is configured to make outbound connections on ports 500 and 4500. In my case, it can't establish those connections. I turned off Remote Management on the Amplifi (to disable its own VPN), but that made no difference.

    I also opened a case with the Amplifi tech support team. Their first suggestion was to put the router into bridge mode, just for troubleshooting. That also did not work.

    Unfortunately, each email and response from their tech support takes quite a bit of time, and it seems they don't half-read what I send them. So I'm trying here. Networking is definitely not my forté, so any help would be appreciated.

    Thanks.


  • @Jack-Rogers I don't know the answer to your problem, but I must say that I think the AmpliFi support staff have genuinely tried to understand users' issues and resolve them when they can.

    When the whole purpose of a device is to enhance the security and privacy of a connection between two remote clusters of devices, I think it's understandable that the hardware-VPN router may make it difficult to provide internet access to devices that are not purposefully granted access to the remote server—not that it cannot be done, but that the special case instructions to permit it may require special configurations of both the home router AND the VPN router.

    Sorry I cannot help, but I just wanted to put in a plug for the guys from AmpliFi who do try to help.


  • @jsrnephdoc
    My purpose wasn't to vent on their tech support. I could document why I'm not happy with it, but that would be completely off topic. I just need a solution.

    And I don't want to get philosophical about how complicated this is. This locked-down Cisco router is Plug & Play on my co-workers' home networks, but they don't have Amplifi devices.

    I'm not so sure about my earlier statement that the Amplifi router seems to be blocking outbound port 500 and 4500 traffic. I just configured a web server to listen on those ports and then hit it from my browser. I was able to see the expected web pages. So the Amplifi is NOT blocking outbound traffic TO target hosts on ports 500 and 4500. I'm still stuck, but now I don't have a theory to test. 😞

    Jack


  • STILL no reply from AmpliFi support.

    I tested further today, and the Cisco router works fine when I bypass my network and connected it (by itself) to the cable modem. But then I have no home network.

    Jack


  • I had this same issue with a Cisco OEAP device. If I have Hardware NAT enabled on my AmpliFi HD router it will never connect to the headend devices at my office. Once I shut off the Hardware NAT settings it works fine. I still have yet to determine why it behaves that way.


  • @Damon-Starkey - Thanks for that tip. I already had hardware NAT turned off, because AmpliFi says it's only useful for gigabit connections. But again, I appreciate the tip.

    Just for grins, I went ahead and enabled it. I'll give that a few minutes, and if nothing happens, I'll disable it again.

    Jack



  • @Derek-Saville -
    Static IP - from day 1.
    Port forwarding - did that a few days ago, just because I couldn't think of anything else to try. I didn't mention it because it's really not necessary. Connections are outbound.

    Jack


  • Hi @Jack-Rogers - a lot of the discussion regarding WiFi calling issues has involved ports 500 & 4500, that’s why I asked

    I doubt turning off the IGMP proxy in the web UI will make a difference, but doesn’t hurt to try

    Or you can install the latest Beta and try turning off everything?


  • @Derek-Saville -
    I've opened another support request to simply ask if IPSEC passthrough is supported. Based on forum threads I've found, I don't believe it is.

    If not, I'll consider the beta firmware. Maybe I can find some documentation for it before I install it.

    And yes, I saw threads about issues with WiFi calling. Strangely enough, I've had no issues with that.

    Thanks.
    Jack


  • Update:
    I got a response from AmpliFi tech support, saying that IPSEC passthrough is NOT supported.

    Meanwhile, my original support request got escalated to the next level. So far, the guy has been responding faster, and he seems to be actually reading my replies. And he's asking questions that are actually relevant. I'm hopeful.

    Jack


  • Looks like Level 2 kinda misunderstood my issue, but it got escalated to Level 3 support. Still no progress, still having to clarify and re-state what the issue is -- but still hopeful.

    Jack


  • Another update.
    I took my Cisco router to an office whose network I support, and plugged it in there. It worked immediately, with absolutely no need to change anything. This particular network was managed my Ubiquiti's own UniFi Dream Machine ("UDM").

    L3 support thinks it may be due to the AmpliFi HD's lack of support for IPSEC passthrough. This is not conclusive, but it may be "the end" as far as they're concerned (we'll see).

    Further, I confirmed with my company's Telecom team that my Cisco router has been deployed with the identical configuration to 650 users across the country. I am the only one reporting this issue.

    If L3 support is not willing/able to facilitate the necessary changes, they may decide we're done. If that happens, I'll have to replace my AmpliFi HD (at my expense) with something else.


  • Today's update:
    Ubuiquiti's L3 support finally replied, saying she has "forwarded the issue and support log to the developers for further assistance" and is waiting for an update.

    I suspect the delay in response may have had something to do with the recent breach that compromised their user accounts. Here's one article, from ZDNet:
    Ubiquiti tells customers to change passwords after security breach
    That probably has everybody in hair-on-fire mode.

    Jack


  • Looks like we're at the end of the road. I have not heard anything for quite a while, and recently I got an email saying they were waiting on information from me. So I replied with "What info do you need?" They didn't respond.

    Not the best customer support experience I've ever had...

    I suppose I'll upgrade to a Ubiquiti Dream Machine, since I was able to verify that my Cisco router works with the UDM. Anybody need a slightly-used Amplifi HD at a good price?

    Jack


Log in to reply