GlobalProtect VPN not working on T-Mobile Home Internet


L4 Transporter

Over the past couple of weeks we have been getting more and more support tickets stating that our users can't connect to GlobalProtect VPN. The one common thread they have is they all have T-Mobile Home Internet. Has anyone else noticed this? Is there a fix or workaround? Thank you.

7 REPLIES

L0 Member

The workaround that worked for me was to change the Maximum Transmission Unit (MTU) to 1300. Then I disconnected from the VPN and reconnected and everything started working again.

 

Here is a link that provides the steps to decrease the MTU on the Virtual Ethernet connection for Global Protect: https://community.t-mobile.com/troubleshooting-38/globalprotect-vpn-not-working-with-t-mobile-35992


L1 Bithead

We had similar issues in Switzerland with the provider "sunrise". We also reduced the MTU size in the App Config of Global Protect. I'm currently not 100% sure what the value is; if needed I can update the case here. But definitely check the MTU size.

L0 Member

A command to test connectivity using different MTUs was suggested by Palo TAC:

ping google.com -f -l XXXX   (XXXX being a value between 1200 and 1400)

We were unable to get over 1300, and never reliably.

I was getting an IP address in 101.188.67.134 (IP Location: Melbourne, Australia AU) from Central Ohio.

The machine would not connect reliably to AnyConnect or Global Protect. The only GP connection was to Korea or Southeast US.

L0 Member

I have had T-Mobile home internet for over a year now and my company has used Global Protect for that entire time; there has been no issue until June 2024. It started as Global Protect randomly shutting down a few times a week, and not allowing me to reconnect until I did a full system restart. Then it progressed to not allowing me to reconnect until I did a full system restart and restarted my router. Now, as of last week, I am having the same issue as the original poster - when Global Protect is connected all of our intranet sites plus our Microsoft 365 apps will work but all external websites, i.e. Google, won't connect. I tried IT and they didn't have a fix; had them try the above instructions and no luck. I tried calling T-Mobile and their troubleshooting didn't correct the issue. I tried another router between my hotspot and my work laptop, no luck. I CAN connect my work laptop to my iPhone hotspot without issue though, so that's what I've been doing, but that is not an acceptable long-term solution. Is there a way to clone my iPhone internet settings to the router I have between my 5G hotspot and my laptop? I understand how to log into my router's Wi-Fi settings to enable/disable IPv6, etc., but nothing else seems to work. My laptop has the capability to run IPv6, my 5G hotspot has the capability, my router has the capability; it appears only Global Protect lacks this function... Anything else I can try?

Hi @DRAGONTATTOO ,

You mentioned IPv6 at the end... And you said GP is connecting successfully when your corp laptop is connected to the iPhone hotspot. Does your iPhone hotspot give you an IPv6 address, only IPv4, or both?

On your corporate laptop, can you run the following in PowerShell? What is the output?

Get-NetAdapterBinding -ComponentID ms_tcpip6 | Format-Table Name, ComponentID, Enabled

The above should list all of your interfaces and whether IPv6 is enabled or disabled.

 

Previously it was best practice to disable IPv6 on the corporate device, because the VPN solutions and the firewalls (and the network administrators) were not prepared for IPv6 or dual-stack, and having IPv6 enabled while your VPN tunnels only IPv4 provides an easy way for the traffic to bypass the VPN tunnel.

More Internet providers are adopting IPv6, and home routers either provide IPv6 only or dual-stack. If your company is strictly disabling/preventing IPv6, this could be causing issues for GlobalProtect.

But this is a little shooting in the dark. Can you try again in PowerShell:

- "nslookup google.com" - what is the output?

- "nslookup <globalprotect portal>" - what is the output?

- "ping -f -l <xxxx> google.com" where <xxxx> is a number between 1400 and 1200. Start from the top and if you see "Packet needs to be fragmented...", decrease the value and try again until you see "Reply from...". What is the max value before you see replies?

- Check the content of this file, scroll to the bottom and check the last 10-20 lines - "C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_events.log". Can you share the content?

You may want to obfuscate any IP addresses or GP portal hostnames from the above outputs before sharing.
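
The bypass risk described in the reply above (IPv6 left enabled while the tunnel carries only IPv4) can be checked from the endpoint while GlobalProtect is connected. The PowerShell below is an added example, not part of the original post or of any Palo Alto Networks tooling; the function name and the "*PANGP*" adapter description pattern are assumptions to adjust for your environment.

```powershell
# Added example: flag non-VPN adapters that could carry IPv6 traffic outside
# an IPv4-only tunnel. Run while the VPN is connected.
function Get-Ipv6BypassCandidate {
    param(
        # Assumption: the GlobalProtect virtual adapter's description matches this.
        [string]$VpnDescriptionPattern = '*PANGP*'
    )
    $up  = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
    $vpn = @($up | Where-Object { $_.InterfaceDescription -like $VpnDescriptionPattern })
    if ($vpn.Count -eq 0) {
        Write-Warning "No connected adapter matches '$VpnDescriptionPattern'."
        return
    }
    # Same binding query as in the post, reduced to adapters with IPv6 enabled.
    $bound  = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })
    $routes = @(Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue)
    # If the tunnel itself has an IPv6 default route, IPv6 is being tunnelled.
    $vpnHasV6Route = [bool]($routes | Where-Object { $vpn.ifIndex -contains $_.ifIndex })

    foreach ($a in $up | Where-Object { $vpn.ifIndex -notcontains $_.ifIndex }) {
        $isBound = $bound.Name -contains $a.Name
        # Ignore link-local (fe80::) addresses; they cannot reach the Internet.
        $addrs   = @(Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                     Where-Object { $_.IPAddress -notlike 'fe80*' })
        $default = @($routes | Where-Object { $_.ifIndex -eq $a.ifIndex })
        [pscustomobject]@{
            Adapter         = $a.Name
            IPv6Bound       = $isBound
            RoutableIPv6    = ($addrs.IPAddress -join ', ')
            DefaultRouteV6  = ($default.Count -gt 0)
            VpnCarriesIPv6  = $vpnHasV6Route
            # Bound, addressed and routed on the physical adapter while the tunnel
            # has no IPv6 default route: IPv6 destinations leave outside the tunnel.
            BypassCandidate = ($isBound -and $addrs.Count -gt 0 -and
                               $default.Count -gt 0 -and -not $vpnHasV6Route)
        }
    }
}

Get-Ipv6BypassCandidate | Format-Table -AutoSize
```

A row with BypassCandidate set to True is a lead to confirm against the gateway's tunnel configuration, not proof of a leak.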

I had issues with T-Mobile and GP a few months back. I have two gateways and it was only affecting one: connect to GP, but all intranet pages and RDP would just time out. The other gateway worked normally.

Spent a lot of time going down the wrong rabbit hole but collected a ton of information on settings, configs, and test results... Contacted T-Mobile and of course, the telecom engineers were gone for the day, told me to call back the next day; but I need to be home to test and talk with them... small window of opportunity.

Get home and test and it's working again on the problem gateway. Great.

Fast forward to the past 3 days and BOTH my gateways are hosed: connect to GP okay, but intranet sites and RDP fail.

Read read read, test test test

1300 MTU did not fix it

Setting a static WiFi IP did not fix it

I am not messing with the server-side settings as they were working and I have not changed anything and don't want to do anything to hose other people. (funny thing is a coworker lives a block from me and has Tmobile and does NOT have the issue).

Found this thread tonight and decided to try 1280 MTU (lowest I can go on the Mac) - Voilà!! Working again and seems MUCH faster than before (strange, eh?).

 

Our GP server side is IPv4, my home networks are IPv4, and the T-Mobile public IP right now is IPv4, but I think I have seen it with both in the past.

 

Bottom line, for me, the fix was setting my Mac to 1280 MTU

 

T-Mobile is not going to help but this forum sure did. Thank you!

1280 MTU (lowest available on my Mac) is what worked; 1300 did not work, and I see in other posts around that lower than 1300 is the fix, and it was for me.
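
The "ping -f -l" test suggested in the replies above can be automated as a binary search instead of stepping down by hand. The PowerShell below is an added example, not code from any poster or from Palo Alto Networks; the function names are assumptions, and the 1200 to 1400 range and google.com target are taken from the thread.

```powershell
# Added example: find the largest ICMP payload that passes with Don't Fragment set.
function Test-DfPing {
    param([string]$Target, [int]$Size)
    # ping.exe: -f sets Don't Fragment, -l is the ICMP payload size in bytes,
    # -n 2 sends two probes, -w 1500 waits 1.5 s for each reply.
    $out = & ping.exe -n 2 -w 1500 -f -l $Size $Target 2>&1 | Out-String
    # Echo replies carry "TTL="; "Packet needs to be fragmented" and timeouts do not.
    return ($out -match 'TTL=')
}

function Find-MaxDfPayload {
    param(
        [string]$Target = 'google.com',
        [int]$Low  = 1200,    # range suggested in the thread
        [int]$High = 1400,
        # The probe is injectable so the search can be exercised without a network.
        [scriptblock]$Probe = { param($t, $s) Test-DfPing -Target $t -Size $s }
    )
    # If even the smallest size gets no reply, the problem is not (only) MTU.
    if (-not (& $Probe $Target $Low)) { return $null }
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (& $Probe $Target $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

function Format-MtuResult {
    param($Payload, [int]$High = 1400)
    if ($null -eq $Payload) {
        return 'No reply at the lowest size: ICMP is blocked or this is not an MTU problem.'
    }
    $note = if ($Payload -ge $High) { ' (top of the search range; the real limit may be higher)' } else { '' }
    # A 20-byte IPv4 header and an 8-byte ICMP header sit on top of the payload.
    return "Largest DF payload: $Payload bytes, IPv4 packet size $($Payload + 28)$note"
}

# Constructed offline case: a simulated path that drops payloads above 1272 bytes.
Format-MtuResult (Find-MaxDfPayload -Probe { param($t, $s) $s -le 1272 })

# Live run against the host used in the thread.
Format-MtuResult (Find-MaxDfPayload -Target 'google.com')
```

The reported packet size is measured outside the tunnel, so the MTU set on the VPN virtual adapter has to be lower still to leave room for the tunnel's own headers. On a lossy link a single dropped probe skews the search, so repeat the run before settling on a value.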
