Question

VPN issues

  • 9 January 2021
  • 99 replies
  • 59368 views

Userlevel 1
Badge

All devices and home network are good. Signal strength is 2 bars (weak, but functional).  Spouse needs to set up VPN to work from home, but even IT from the office could not get VPN to work via T-Mobile Home Internet.  VPN worked just fine on the same computer using cable network. 


99 replies

Userlevel 4
Badge +1

If you have the new Nokia 5G gateway there are many corporate level VPN’s like PaloAlto Networks GlobalProtect that do NOT work.  Many reports of this and hopefully T-Mobile responds quickly to fix.  These same VPN’s DO work on the white Askey gateway and on the Franklin hotspot.

 

T-Mobile PLEASE, PLEASE, PLEASE address this as a priority and roll-out an update ASAP.   Thank you.

Userlevel 1

I just got the same message sent to me as Josh123. I’m in IT and work for a large company and troubleshooted the issue with our engineers for a few hours to figure out this is on the T-Mobile side. We are all amazed that they can’t support and won’t support ipv4 and what is more troubling is that they actually give you an ipv4 address for your external gateway which is the same thing Comcast and I’m guessing others are doing. So it makes no sense. The speeds have been awesome as we are less that 5,000 feet from the tower. Everything works great except the most import thing which is being able to use my VPN client. We use Global Protect by PaloAlto.

I was able to solve my VPN issues using the guidance in https://amithkumarg.medium.com/resolved-t-mobile-home-internet-vpn-issue-2f5ca594c23e.  This was on a MacBook + Cisco AnyConnect.  I don’t think I needed to change all of them, but I set the MTU on four network adapters to 1350:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1350
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1350
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1350
utun2: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1350

Assuming this is something that can be fixed at the router level, I really hope T-Mobile pays attention to this thread.  Not every user is going to be tech savvy enough to do this on their own.

I’m having the same issue.  If I can’t get it resolved, I’m going to have to cancel my service and go back to Spectrum.

Userlevel 7
Badge +11

Seems to be a recurring theme.

 

Userlevel 1

TINC will also works out of box BUT that doesn't help most people that need the VPN for work sadly. I am not going to make massive changes to the environment for 1 person out of 300+ connections. This is going to be a show stopper for lots of people, especially with all the remote working going on.

Userlevel 1

Same issue over here… on a Nokia 5g Gray. Coworker on the 4g White reported same issue after a firmware update was pushed. IPSec VPN is not working over Tmo home internet. I tried both work and home. PPTP oddly enough worked, but that's not a reasonable solution nor is it secure. I really doubt anyone’s employer is going to re-architect their infrastructure for dual stack VPN for a single or a hand full of employees. Same VPN’s work when connected via TMO hotspot on my cell… so I am not sure why they are blocking it. No options in the web console. Not very happy… Hell, charge me $5 more a month to make it work… Looks like TMO was not the escape plan I had hoped for getting away from comcast.

I’m having the same issue here. 

Using my old internet connection, I have no issues. The moment I switch over to T-Mobile Home Internet, I can’t login to the VPN.

Any ideas?

Userlevel 1

ITGuy3323, I am also in IT and very disappointed.  I have ordered Starlink now but was really hoping T-Mobile would have a solution but nothing.  I can't even pay more to get a static IPv4 address.  I have read that T-MOBILE is sharing IPv4 addresses.

Userlevel 1

Mine was just the MTU issue, was able to resolve it by lowering the number. If this blog can be helpful for anyone to troubleshoot and resolve the issue:
https://amithkumarg.medium.com/resolved-t-mobile-home-internet-vpn-issue-2f5ca594c23e

Userlevel 1

This is what support sent me.  Sent it to my IT to see if Cisco Any connect supports this.  My IT is not willing to enable IPv6 due to extra maintaince and security patching.  No T-Mobile for me.

There are no known issues with VPNs and how they interact with the T-Mobile network to provide internet service. There may be an underlying factor (that can only be addressed by the owner of that VPN client) where there is a need to have ipv4 and ipv6 double stacked into the setup configuration to avoid any service issues. Please have the customer reach out to their VPN client support to check if this is indeed the configuration being used and to also further troubleshoot the VPN issue.   Failed outbound VPN connection is caused by a known carrier grade NAT issue relating to T-Mobile’s implementation a fully IPv6 network and the implementation of 464XLAT, NAT64, and DNS64 for accessing IPv4 resources. The customer’s VPN or VPN server they are connecting to is not properly configured to work with an IPv6 network. This is a third party issue that T-Mobile cannot help with.Thanks for being best part of T-MobileBest Regards!

I’m having the same issues with connecting to my wife’s company’s VPN.  I thought I’d be able to get away from Spectrum, but T-Mobile doesn’t like like a viable solution - despite significant efforts on my part to make it work.

About three weeks ago, I tried connecting to T-Mobile. Initial attempts in connecting to T-Mobile weren’t good – and I was only able to achieve download speeds of 15 mbps.  I called their technical support and found they were having tower/equipment issues - and had been for about 3 weeks - with no anticipated date for repair.  I put back the Spectrum service and told them I’d try it again when they had their equipment issues fixed.

 

ON 2/1, I re-installed the T-Mobile Gateway equipment - NOKIA 5G21 GATEWAY: T-MOBILE HOME INTERNET and connected T-Mobile Gateway via Cat 5 ethernet directly to my TP-Link Archer AX11000 wireless router.  I did repeated internet bandwidth testing using Speedtest - both through my computer’s Chrome browser, and through the TP-link app - directly from the wireless router.   I wasn’t having any issues with any of my internet-based usage and needs -   achieving download speed ranging on the low-end from 50 Mbps to 110 Mbps. We can stream 4K programming to our TV’s, monitor outdoor 1080p security cameras, conduct video conferences, and all of the normal data applications and downloads. 

Using a Cisco AnyConnect VPN is a WHOLE DIFFERENT STORY.  It DOESN’T WORK with T-Mobile. As soon as I connect to the VPN, my internet speed/bandwdth is non-existent and I can’t access any of the company systems.  Beginning on Friday, I spent two days troubleshooting the issue.  In every case, I would have connection bandwidth speeds between 50 Mbps to 110 Mbps on all of my devices - including the computer I need to connect to the VPN.  With my first attempt, I used Speedtest on two successive runs, with upload speeds were 15 and download speeds were 49 and 72.  Next, I successfully connected to the company VPN  (IPsec) IPv4) , ran Speedtest, and received 10 down and 1 up, and then 6 down and 10 up.  I simultaneously ran the TP-Link Speedtest app and received 86 down and 7 up.  I disconnected from the company VPN, and recorded speeds of 70 Mbps. 

Later on in the evening, we ran more comparative tests and the results were even more disconcerting.  The T-Mobile speeds in general were lower – averaging about 50 down and 8 up – as measured both on my wife’s computer through her Chrome browser using Speedtest prior to VPN connection and independently on my TP app also using Speedtest.  However, once connected to the VPN, opening the Chrome browser and attempting to run Speedtest, I couldn’t even get the Speedtest to run – receiving “Download Test Error”. 

The company’s IT Director took the computer home over the weekend to troubleshoot it in his home environment with Spectrum.  He had no problem connecting through the VPN, and recorded speeds in excess of 70Mbps.

This evening, I again attempted to connect to the VPN, and had the same results.  After a 2 hour wait to get T-Mobile support, I had a nice support rep who simply took down my information, created a trouble ticket, and said someone will get back to my in 24 - 48 hours.  After reading all of the other people who are having the same issues, and having no addressable solution, I placed an order for Spectrum to have my service restored.

 

 

 

Userlevel 2
Badge

Update: They did in fact end up rolling my firmware back and it is working again.

 

@FlyingDog For sure the performance is worse when connected to the VPN.  The previous several months this was always the case for me, I’d get about a 10-fold reduction in download speed and there was always massive latency.

Userlevel 1

This is the response I got back from them….“This is the workaround engineering has provided to us. We only use IPv6. This is a known pain point that is currently under review. There currently is nothing to escalate”

Badge

Tech support said they were all due to VPN set up issues asking to dual stack IPV4 and IPV6.

But why the existing set up works fine with the Specturm cabble not on T-Mobile 5G home internet?

The VPN set-up allows both IPV4 and IPV6.

I am not convinced the tech support’s assertion about dual stacking of IPV4/IPV6.

I am about to return it.

Some troubleshooting info for folks: I had to swap from WireGuard to OpenVPN, had to swap from a UDP to a TCP connection type and I was able to get my VPN to function.

I switched to T-Mobile home internet couple days ago and I realized that my and my spouse’s VPNs did not work. I called Tmobile and they updated the firmware and my Global Protect Network worked then, but my spouse’s Cysco VPN did not work at all and they said they would give us a call back within 24 hours but never got a call back yet, in 48 hours. My Global protect does not work anymore either and I have to sign in to work tomorrow. I live in an area where there are many t-mobile service towers, I think. And I have been using their wireless for years and am happy with their wireless service. I’m not sure if I can afford the time to keep calling tmobile and be on a  2-hour call with a t-mobile technician. I’m planning to go back to my old service provider. I would have appreciated if t-mobile was transparent upfront and let their customers know they there might be VPN issues. I’m unhappy with the tmobile home internet service!

I too am having this issue with the Grey T-Mobile Gateway and GlobalProtect. I live out in the middle of nowhere so we don’t have any other real high speed options by any definition of the word. It is very unfortunate that when I finally sign up for a real high speed option, it doesn’t work with my company’s VPN. My company won’t change anything since I am 1 case in about 8000 employees so I hope there will be a fix soon from T-Mobile.

Honestly though, I can’t imagine their QA team did enough testing before releasing this product. They have to have known that people would intend to work on this network through a VPN. 

Userlevel 1

What version firmware are you on?

also, what did you end up setting your MTU to for GPVpn?

My configuration is this:
Host: Apple Mac OS X 10.15.7
VPN:
Provider: GlobalProtect v5.0.9–15 Palo Alto Networks
Tunnel Mode: IPSEC
T-Mobile Home Internet Gateway:
Model: 5G21–12-A Grey
Hardware Version: 3TG00739AABB
Software Version: 1.2003.03.0178

And the MTU I set to 1350, using this command “
sudo ifconfig gpd0 mtu 1350”

I’m extremely disappointed that T-Mobile does not publish a list of incompatible VPN devices. This country is working from home, many with VPN devices. I have been on several long waits and calls only to find out T-Mobile does not support the Cisco Meraki VPN. My company’s IT team has had similar issues with other carriers but resolved it with getting a static IP Address assigned. This is not an option from T-Mobile. My company will now inform new employees which carriers to use, I guess some will be blacklisted. What are the chances T-Mobile will notify me IF this problem is resolved before I return to my ISP that just buried fiber in my street? Aside from this, the 5G home router works excellent for all my other connected devices.

Just adding to this - I want to use this service so badly!  Currently on my 4th day and still have Comcast while I was testing and found this issue.  Unfortunately, it’s a deal breaker and Ill have to go back to Comcast if this doesn’t work, my wife is a nurse and needs to be able to VPN to work, as do I for my job.

Any updates on this T-Mobile?

Been fighting this issue for a couple of months. On my windows 10 laptop connected to Cisco Anyconnect VPN I had the IT administrator reduce my MTU to 1350 via this command

 

netsh interface ipv4 set subinterface “Network Name” mtu=1350 store=persistent 

 

substitute Network Name with your whatever your actual connection in.  Mine was Ethernet 2.

It worked.  I’m connected to VPN and have blazing speed.

Got my gateway 3 days ago. No success accessing my employer VPN either. I will call IT and TMO support, but it seems Comcast is very happy right now...

I have had the T-Mobile Home Internet Service for about 2 months now and have been fighting non-stop with the VPN issues. I use Cisco AnyConnect for my work and constantly have issues with applications needed for work, mostly Microsoft Teams. When NOT connected to the VPN my download is about 75mbps and upload about 25mbps, all very good numbers. However, once connected to Cisco AnyConnect those numbers come down to almost a crashing halt of 2.5mbps down and 2.0mbps up… it is absolutely awful and quite honestly embarrassing because I have to be on Microsoft Teams all day including conferences.

I’ve talked to the tech support and it was elevated to a second tier, but that resulted in no solution. Their belief is that the VPN was the problem and that I needed to speak with my employer’s IT department about it… so I did. I opened up various tickets through my employer and went in to the office so they could do additional diagnosing. They could not find anything wrong, in fact, had me log in to the VPN via their network and it worked just fine. 

I have starlink service on order and hope to have it here in a month. Ideally for the cost and what I anticipated being great performance by T-Mobile, I would prefer to keep T-Mobile. However, I simply CANNOT wait much longer especially if the company appears to be denying even an issue.

Hope T-Mobile comes to the rescue.

This fixed it for me. I had problems using WireGuard VPN. I couldn’t reach many sites and it was very slow.

https://amithkumarg.medium.com/resolved-t-mobile-home-internet-vpn-issue-2f5ca594c23e

Short version is you need to lower the “MTU” setting on your machine’s network adapter

For me on my macbook, it was the “wifi” “en0” device, either at the terminal with “sudo ifconfig en0 mtu 1350” or going to “Network Preferences > Advanced > Hardware” and manually configuring the MTU to 1350. 

Reply