GlobalProtect 3G issue on Windows 8 pro tablet


L1 Bithead

Hi,

We installed GP 1.2.1 on a Windows 8 32-bit Pro tablet (ThinkPad 2). With WiFi it works perfectly, but when we use 3G, we can't even open the Portal website in Internet Explorer and the GP client can't connect.

I thought it could be a problem with the certificate but then it would not work with WiFi?

Accepted Solutions

L3 Networker

Hi,

I had the same issue on a Win 8 x64 laptop with an integrated 3G modem and a Vodafone Germany contract.

But on my older Win7 x64 laptop it worked without problems with the same contract.

If you have a business contract with Vodafone, the 3G should always get a routable IP. Using a private contract could lead to getting a private non-routable IP, and the NAT from Vodafone might bring up the issues.

In my case the problem was caused by an MTU size for the 3G modem that was much too large.

I set the MTU to a normal value and now it works fine.

To check the MTU, open a cmd with admin privileges and use:

netsh interface ipv4 show interfaces


To change the MTU, look for the right index of the 3G modem (the Idx in row 1 of the above command) and issue the following command (in the following example the Idx is 25):

netsh interface ipv4 set subinterface 25 mtu=1476 store=persistent


HTH


L4 Transporter

Could it be your 3G provider that filters IPsec or something like that? Can you try your 3G card on another system that runs Windows 7 or a Mac?

L7 Applicator

I ran into a similar issue with the IPSec GP function on a Windows 8 tablet with 4G-LTE. The issue was caused by the client sending a large MSS (something like 4000 bytes). When an HTTP 200 response was sent by the server, it was larger than 1500 bytes. The server-side was correctly transmitted on multiple frames, but when the PA transmitted it, it would transmit as a single, IP-fragmented packet. The PA must do that as the client is indicating its wishes for the frame to be sent as a single chunk. Since the MTU of the firewall (and next hop) is 1500, the packet must be fragmented.

The client-side sent the 4000-byte MSS and should have been ok with the IP fragmentation, but those fragments were never making it back to the client. The solution was never really ironed out, but the correct solution is to either lower the MSS on the inbound SYN (could be from the tablet or from the carrier, I'm not sure) or to convince the carrier to transmit the fragmented IP traffic back to the client.

You can see if this is the same issue by taking a packet capture on the firewall and checking the transmit stage. If you see fragmented IP frames leaving toward the client but never getting an ACK, it's probably the same issue.

Hope this helps,

Greg Wesson

We tried it with a notebook running Windows 8 64-bit and a 3G USB stick and it's working, so our provider (Vodafone Germany) doesn't seem to be the problem. Maybe it's the tablet's internal 3G modem.


Hi,

Changing the MTU solved the problem (it was 2048).

Thanks a lot for your help.
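
Added example, not part of the original thread and not Palo Alto Networks code: a small Python check that parses the output of the netsh command from the accepted solution, flags interfaces whose MTU exceeds the 1500-byte path MTU mentioned in the thread, and prints the matching fix command. The sample output, interface names and function names are constructed for illustration, and English-language netsh output is assumed.

```python
import re

# Constructed sample of `netsh interface ipv4 show interfaces` output.
# Idx 25 and MTU 2048 mirror the values mentioned in the thread.
SAMPLE = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wi-Fi
 25          30        2048  connected     Mobile Broadband Connection
 31           5        1400  disconnected  Ethernet
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
LOOPBACK_MTU = 0xFFFFFFFF   # pseudo-interface value, not a real link MTU
PATH_MTU = 1500             # firewall / next-hop MTU cited in the thread
IPV4_TCP_HEADERS = 40       # 20-byte IPv4 + 20-byte TCP header, no options


def parse_interfaces(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, _met, mtu, state, name = m.groups()
            rows.append({"idx": int(idx), "mtu": int(mtu),
                         "state": state, "name": name})
    return rows


def oversized(rows, path_mtu=PATH_MTU):
    """Interfaces whose MTU is larger than the path can carry unfragmented."""
    return [r for r in rows
            if r["mtu"] != LOOPBACK_MTU and r["mtu"] > path_mtu]


def advertised_mss(mtu):
    """TCP MSS a host derives from the interface MTU on IPv4."""
    return mtu - IPV4_TCP_HEADERS


def fix_command(idx, mtu=1476):
    """The command from the accepted solution, filled in for this index."""
    return f"netsh interface ipv4 set subinterface {idx} mtu={mtu} store=persistent"


if __name__ == "__main__":
    for r in oversized(parse_interfaces(SAMPLE)):
        print(f'{r["name"]} (Idx {r["idx"]}): MTU {r["mtu"]}, '
              f'MSS {advertised_mss(r["mtu"])} > {advertised_mss(PATH_MTU)}')
        print("  " + fix_command(r["idx"]))
```

With an interface MTU of 2048 the client advertises an MSS of 2008, so full-size segments have to be fragmented on a 1500-byte path, which matches the fragmentation symptom described earlier in the thread.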
