Re: VPN with mobile air card

starrcomm · ‎03-17-2011

I'm getting the following error message when users try to connect to vpn via their mobile air cards:

1. The VPN Client is unable to establish a connection

they click okay and are presented with a second error:

2. AnyConnect was not able to establish a connection to the specificed secure gateway

If the user disconnects from the mobile broadband service and connects to a typical wireless (or wired) access point, the vpn session is established without any errors.

Anyone have any helpful ideas?

Michael Schueler · ‎03-28-2011

Hello Michael,

This sounds a bit, as if the client machine does not have connectivity to the ASA via the mobile air card connection. Have you verified, that the client can still ping the ASA while connected via the mobile air card? Can you also telnet to the ASA on port 443 in this case (i.e. "telnet 443")?

What do you see on the ASA after enabling "debug webvpn svc" (as of ASA 8.4: "debug webvpn anyconnect") while attempting to establish a connection while connected via the the mobile air card? What errors do you see in the Windows Event Log at the same time?

Also note, that WWAN cards on Windows 7 are supported only in AnyConnect versions 2.5 and later.

Regards,

Michael

starrcomm · ‎03-28-2011

Finally received a reply from Cisco tech support:

"It seems the Anyconnect client cannot access the data card interface on the PC. On previous cases with other data cards disabling the acceleration option on the data card settings solves this issue. If you already disabled the acceleration option on the Sprint data card and the issue remains the same, would it be possible for you to try using the Anyconnect over a wired VPN connection from the same PC? This is not to be a final solution but will help us narrow down the issue to the interaction between the Anyconnect client and the Sprint data card.

Also please check to see if there is any software update for your data card available.

I also came across the following bug for Anyconnect related to USB data cards:
CSCtg69281

Allow administrator to configure local proxy support
Symptom:
AnyConnect fails to establish a tunnel when using a USB broadband datacard.

Conditions:
Acceleration is enabled in the datacard software and appears as a local transparent proxy on the system. When AnyConnect tries to bind to the physical adapter it gets the loopback address because the datacard software is intercepting the traffic.

Workaround:
Disable acceleration in the datacard software or downgrade to AnyConnect 2.3.

Please make sure that acceleration is disabled on the Sprint card and if possible try the connection over a wired internet connection."

This worked for me, Sprint refers to this "feature" as optimization on version 2.50.0094.0. Nevertheless, once uninstalled, users can resume using their aricards.

dino.mumfrey · ‎05-23-2011

I have the same problem, but can't find where to turn off the optimization... In the User guide it says to turn off acceleration for Sprint cards in the Acceleration tab in the settings, but I do not get an Acceleration tab... How did you do it, Michael?

Any help would be much appreciated.

starrcomm · ‎05-23-2011

I found the setting on the "hardware" tab and disabled it from there.

dino.mumfrey · ‎05-23-2011

I see nothing on the Hardware tab for that, Michael, any other hints you an give me I have a TAC case open and a call into Sprint, but they say if there is no Acceleration tab, then there is no optimization. Yet I still see the same errors...

starrcomm · ‎05-23-2011

The only thing I can think of at this point is to uninstall/re-install the sprint smartview application. When you are re-installing, make sure you do NOT check the box "Install bytemobile Optimization Client" (this is the first screen of the installation). Also, keep in mind that I am using version 2.50.0094 of the smartview application.

dino.mumfrey · ‎05-23-2011

I am usin the same version of SmartView, but TAC says my issue is this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&from=myNotification&bugId=CSCto76864

Which states that because I am using AC 3.0.1047, that I have an issue of my air card disconnecting within the first few seconds due to a default route issue. It is fixed in AC 3.0.2047 (which is not out yet).