VPN issues

If you have the new Nokia 5G gateway there are many corporate level VPN’s like PaloAlto Networks GlobalProtect that do NOT work.  Many reports of this and hopefully T-Mobile responds quickly to fix.  These same VPN’s DO work on the white Askey gateway and on the Franklin hotspot.

T-Mobile PLEASE, PLEASE, PLEASE address this as a priority and roll-out an update ASAP.   Thank you.

I was able to solve my VPN issues using the guidance in https://amithkumarg.medium.com/resolved-t-mobile-home-internet-vpn-issue-2f5ca594c23e.  This was on a MacBook + Cisco AnyConnect.  I don’t think I needed to change all of them, but I set the MTU on four network adapters to 1350:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1350
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1350
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1350
utun2: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1350

Assuming this is something that can be fixed at the router level, I really hope T-Mobile pays attention to this thread.  Not every user is going to be tech savvy enough to do this on their own.

Same issue over here… on a Nokia 5g Gray. Coworker on the 4g White reported same issue after a firmware update was pushed. IPSec VPN is not working over Tmo home internet. I tried both work and home. PPTP oddly enough worked, but that's not a reasonable solution nor is it secure. I really doubt anyone’s employer is going to re-architect their infrastructure for dual stack VPN for a single or a hand full of employees. Same VPN’s work when connected via TMO hotspot on my cell… so I am not sure why they are blocking it. No options in the web console. Not very happy… Hell, charge me $5 more a month to make it work… Looks like TMO was not the escape plan I had hoped for getting away from comcast.

Mine was just the MTU issue, was able to resolve it by lowering the number. If this blog can be helpful for anyone to troubleshoot and resolve the issue:
https://amithkumarg.medium.com/resolved-t-mobile-home-internet-vpn-issue-2f5ca594c23e

This is what support sent me.  Sent it to my IT to see if Cisco Any connect supports this.  My IT is not willing to enable IPv6 due to extra maintaince and security patching.  No T-Mobile for me.

There are no known issues with VPNs and how they interact with the T-Mobile network to provide internet service. There may be an underlying factor (that can only be addressed by the owner of that VPN client) where there is a need to have ipv4 and ipv6 double stacked into the setup configuration to avoid any service issues. Please have the customer reach out to their VPN client support to check if this is indeed the configuration being used and to also further troubleshoot the VPN issue.   Failed outbound VPN connection is caused by a known carrier grade NAT issue relating to T-Mobile’s implementation a fully IPv6 network and the implementation of 464XLAT, NAT64, and DNS64 for accessing IPv4 resources. The customer’s VPN or VPN server they are connecting to is not properly configured to work with an IPv6 network. This is a third party issue that T-Mobile cannot help with.Thanks for being best part of T-MobileBest Regards!

Update: They did in fact end up rolling my firmware back and it is working again.

@FlyingDog For sure the performance is worse when connected to the VPN.  The previous several months this was always the case for me, I’d get about a 10-fold reduction in download speed and there was always massive latency.

Tech support said they were all due to VPN set up issues asking to dual stack IPV4 and IPV6.

But why the existing set up works fine with the Specturm cabble not on T-Mobile 5G home internet?

The VPN set-up allows both IPV4 and IPV6.

I am not convinced the tech support’s assertion about dual stacking of IPV4/IPV6.

I am about to return it.

I switched to T-Mobile home internet couple days ago and I realized that my and my spouse’s VPNs did not work. I called Tmobile and they updated the firmware and my Global Protect Network worked then, but my spouse’s Cysco VPN did not work at all and they said they would give us a call back within 24 hours but never got a call back yet, in 48 hours. My Global protect does not work anymore either and I have to sign in to work tomorrow. I live in an area where there are many t-mobile service towers, I think. And I have been using their wireless for years and am happy with their wireless service. I’m not sure if I can afford the time to keep calling tmobile and be on a  2-hour call with a t-mobile technician. I’m planning to go back to my old service provider. I would have appreciated if t-mobile was transparent upfront and let their customers know they there might be VPN issues. I’m unhappy with the tmobile home internet service!

My configuration is this:
Host: Apple Mac OS X 10.15.7
VPN:
Provider: GlobalProtect v5.0.9–15 Palo Alto Networks
Tunnel Mode: IPSEC
T-Mobile Home Internet Gateway:
Model: 5G21–12-A Grey
Hardware Version: 3TG00739AABB
Software Version: 1.2003.03.0178

And the MTU I set to 1350, using this command “sudo ifconfig gpd0 mtu 1350”

Been fighting this issue for a couple of months. On my windows 10 laptop connected to Cisco Anyconnect VPN I had the IT administrator reduce my MTU to 1350 via this command

netsh interface ipv4 set subinterface “Network Name” mtu=1350 store=persistent 

substitute Network Name with your whatever your actual connection in.  Mine was Ethernet 2.

It worked.  I’m connected to VPN and have blazing speed.

I have had the T-Mobile Home Internet Service for about 2 months now and have been fighting non-stop with the VPN issues. I use Cisco AnyConnect for my work and constantly have issues with applications needed for work, mostly Microsoft Teams. When NOT connected to the VPN my download is about 75mbps and upload about 25mbps, all very good numbers. However, once connected to Cisco AnyConnect those numbers come down to almost a crashing halt of 2.5mbps down and 2.0mbps up… it is absolutely awful and quite honestly embarrassing because I have to be on Microsoft Teams all day including conferences.

I’ve talked to the tech support and it was elevated to a second tier, but that resulted in no solution. Their belief is that the VPN was the problem and that I needed to speak with my employer’s IT department about it… so I did. I opened up various tickets through my employer and went in to the office so they could do additional diagnosing. They could not find anything wrong, in fact, had me log in to the VPN via their network and it worked just fine. 

I have starlink service on order and hope to have it here in a month. Ideally for the cost and what I anticipated being great performance by T-Mobile, I would prefer to keep T-Mobile. However, I simply CANNOT wait much longer especially if the company appears to be denying even an issue.

Hope T-Mobile comes to the rescue.

If they plan to roll this out for business and personal use they need to fix this or it's going to be a massive fail. I've tried factory resetting the router 10+ times and still can't get the update to push. For now I'm  still using my phone hotspot but the whole point of subscribing to T Mobile Home Internet was because it won't play nice on Teams calls/meetings.

Update: It’s now Thursday morning. T-Mobile support had promised to call me back on Tuesday morning with an update (they didn’t). I checked today and saw that I had finally been downgraded to firmware 168. I tried my Global Protect VPN and it actually works! I’ll try working the rest of the day on that to see if it continues to work.