Cradlepoint Secure VPN Troubleshooting


Products Supported: AER31x0, AER2100, MBR1400v2, IBR11x0, and COR IBR6x0 Series. Click here to identify your router.



Summary

This article describes the most common issues encountered while setting up Cradlepoint Secure VPN and how to resolve them.

The Cradlepoint Secure VPN Agent is installed from a standard Microsoft Install Package which is downloaded from the Cradlepoint Secure VPN Administration Portal as part of the installation process.
The Agent makes an outbound SSL connection to the Cradlepoint Secure VPN platform, so there is no inbound access required. As part of the Agent setup a new virtual network adapter is installed on the Agent host.


vCPE Software Issues

Issue

The vCPE status remains at "Connecting..." after the install, or you receive the error message "Agent Connection Error: Authenticating Proxy". This indicates that an “authenticating proxy” setting is restricting the Agent from accessing the internet. The Agent runs as a Windows service under “localhost”, so the authenticating proxy may not allow it to access the internet.

Explanation

The Agent makes an outbound-only SSL connection (on port 443) to the Cradlepoint Secure VPN service. On the majority of customer networks no firewall changes are required to allow this; however, in some scenarios this may be an issue.

Solution

It is likely that the vCPE is unable to connect to the internet via port 443. A proxy may need to be configured to allow this outbound access.

  • Open the vCPE management panel by double clicking the icon in the system tray.


  • Click on the Configuration tab and enter the required proxy details:


Authenticating Proxies

The vCPE runs as a Windows service under “localhost”. If you are using an “authenticating proxy” which needs to identify all services attempting to connect to the internet then the connection may fail even with the proxy details configured as per the image above.
In this case you will need to configure direct internet access (outbound 443) from the vCPE host machine.


Minimum System Requirements

If you are still having issues please make sure you are installing the Agent on a device that supports the minimum requirements for the Agent to operate:

  • Windows 32bit or 64bit OS
  • 32MB free disk space
  • 64MB memory
  • 10/100 Ethernet
  • Internet access (specifically outbound on TCP port 443)

Tunnel Issues with the vCPE Software

Issue

The agent is installed, the vCPE Service is connected, but the Tunnel is Down, or stuck at Configuring....

Explanation

The Agent service has established its initial connection but the secure tunnel has failed to establish. This issue is usually caused by a problem with the virtual network adapter. It is likely that the virtual adapter has failed to receive its name or IP address correctly. The adapter name and IP address should be configured as part of the agent install, but we have seen occasions where this fails.

Solution

  • Restart the Agent

If the problem persists, check the status of the virtual adapter under the Network Connections of the Windows machine. The adapter should have a name, and should also have an IP address assigned to it. If the adapter is missing one or both items, we need to manually set them. The IP address should match the “Next Hop” address specified for that tunnel device on the CPSVPN Portal.

To change the adapter settings, click the Start Button > Control Panel > Network and Internet > Network and Sharing Center, then click "Change Adapter Settings" on the left. Here you should see an adapter present with the description "Asavie Virtual Network Adapter".

  • If the adapter is unnamed, right-click on the adapter, select Rename, and enter vCPE_tunnel for the name.
  • If the adapter does not have an IPv4 address assigned to it, we will need to assign one. You can check by right-clicking on the adapter, selecting Properties, highlighting Internet Protocol Version 4 (TCP/IPv4), and selecting Properties once more. The radio button should be on "Use the following IP address:". The IP address here should be the Adapter IP address found by logging into the CPSVPN Portal and selecting the vCPE page from the menu. If the IP does not match the Adapter IP address found on the Portal, then you will need to manually set it here.


  • Next, restart the agent. Upon restart, the tunnel should now be Connected.
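
The adapter checks above can also be run from PowerShell on the Agent host. This is an added example, not Cradlepoint code: the function name Test-VcpeAdapter is hypothetical and the IP address in the last line is a constructed sample, to be replaced with the Adapter IP address shown on the CPSVPN Portal.

```powershell
# Added example, not Cradlepoint code. Test-VcpeAdapter is a hypothetical name.
function Test-VcpeAdapter {
    param(
        [Parameter(Mandatory)] [string] $ExpectedIp,               # Adapter IP from the CPSVPN Portal
        [string] $ExpectedName = 'vCPE_tunnel',                    # name given in this article
        [string] $Description  = 'Asavie Virtual Network Adapter*' # description given in this article
    )
    # Locate the virtual adapter by its description rather than its name,
    # because a missing name is one of the failures being checked for.
    $found = @(Get-NetAdapter -InterfaceDescription $Description -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        Write-Warning "No adapter matching '$Description' is present on this host."
        return
    }
    foreach ($adapter in $found) {
        # All IPv4 addresses currently bound to the adapter (may be empty).
        $ips = @(Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty IPAddress)
        # DHCP state shows whether "Use the following IP address" is selected.
        $ipIf = Get-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter  = $adapter.Name
            Status   = $adapter.Status
            NameOk   = ($adapter.Name -eq $ExpectedName)
            IPv4     = ($ips -join ', ')
            IpOk     = ($ips -contains $ExpectedIp)
            StaticIp = ($ipIf.Dhcp -eq 'Disabled')
        }
    }
}

Test-VcpeAdapter -ExpectedIp '10.0.0.2'   # constructed sample value
```

A False in NameOk, IpOk or StaticIp corresponds to one of the manual fixes described above; restart the Agent after correcting it.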

Both the vCPE Service and Tunnel are Connected

Issue

In rare instances both the vCPE Service and Tunnel are connected, but you cannot access required resources or the server.

Explanation

A device which is successfully connected should always be able to ping its own VPN Gateway Address. The VPN Gateway Address is unique to each customer. This is the IP address of the per-customer virtual router within the Cradlepoint Secure VPN platform. You can find this address in the routing table (Status -> Routing) on the connected Cradlepoint.

Troubleshooting Steps

Try to ping the VPN Gateway Address, the Agent host server local IP address, or the actual server IP address from a device located behind the Cradlepoint router configured for CPSVPN.

  • To find the VPN Gateway Address, log into the Cradlepoint and navigate to Status -> Routing. The VPN Gateway Address will be listed as a 10.x.x.x/32 address. A device which is successfully connected should be able to ping this address. If this ping test fails, this might imply there is a problem with the vCPE Agent.
  • The Agent host server local IP address is the IP address assigned to the vCPE adapter. A successfully connected device should be able to ping the Agent host server’s IP address. If this ping test fails (but the test ping to the VPN Gateway succeeded), check that the Windows Firewall on the agent host server is not interfering with the connectivity.
  • The CPSVPN service provides connectivity as far as the Agent host server by default. If the previous test succeeded, and the customer’s query relates to access to a server beyond the agent host then see the Routing beyond vCPE section in this article.

How to move vCPE to another server

Explanation

The following instructions provide details on how to move the vCPE software to another host using the CP Secure VPN portal. To move a vCPE we need to delete the existing one from the portal and add a new instance.

Steps

  • Step 1: Access the CP Secure VPN portal. Log into ECM, select Applications -> CP Secure VPN -> Manage -> Advanced Settings.


  • Step 2: Click on the drop down arrow beside 'Status', and select vCPE to open the vCPE page:


  • Step 3: Select the current vCPE and click Delete.
  • Step 4: Select Add vCPE.
  • Step 5: Enter the vCPE Name and vCPE IP address (the IP address should be chosen from the Subnet WAN IP range, you can check what this range is on the Status page):


  • Step 6: Click Add. The vCPE Activation code and Download links will be displayed:

    • If you click 'Close', the vCPE Activation Code and Download links continue to be displayed as part of the vCPE details:


  • Step 7: Follow this section of the installation guide to install vCPE.

Routing beyond vCPE

Explanation

The CP Secure VPN Setup Guides will help a customer to establish end-to-end communications between the server hosting their vCPE, and their remote devices (attached to their Cradlepoint routers).

There are two options to enable communication from other servers on their HQ LAN:

  1. Add a static route on the individual server which requires access to the remote devices (this would need to be repeated on each server which requires access).
  2. Add a route to their core router or default gateway.

Number 2 is the recommended approach as this will enable all other machines in the network to route traffic to the remote devices. In either case, the route added should indicate that traffic for the remote devices should be routed via the vCPE server.

For example in the network below imagine we want to allow Server X to communicate with the remote devices on Site A and Site B:

We would need to add a “Summary route” (either on Server X or to the Core Router), indicating that traffic for the remote sites should be directed towards the vCPE server (172.16.1.10).
The “summary route” is one which covers Site A (192.168.1.0, mask: 255.255.255.0), Site B (192.168.2.0, mask: 255.255.255.0) and any additional sites. In this case 192.168.0.0, mask: 255.255.0.0 would be an appropriate summary route to add.


 

1) Adding a route on an individual server:
Instructions below refer to a Windows server

Open a command prompt and enter the route as follows:
route add -p {summary route network IP} mask {summary route mask} {vCPE server IP}


2) Adding a route to a Core Router:

The syntax for adding a route on your core router will depend on the type of router involved.

On a Cisco device the command would be similar to: Router(config)#ip route 192.168.0.0 255.255.0.0 172.16.1.10
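
The summary route can also be derived from the list of site subnets instead of being chosen by eye. The following is an added example, not Cradlepoint code: it computes the narrowest prefix covering every site and builds the matching Windows route command. The function names are hypothetical; the subnets and vCPE server IP are the sample values from this article.

```powershell
# Added example, not Cradlepoint code. Function names are hypothetical;
# the subnets and next hop are the sample values used in this article.
function ConvertTo-IPv4Number([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}
function ConvertTo-IPv4String([long]$Number) {
    (24, 16, 8, 0 | ForEach-Object { ($Number -shr $_) -band 255 }) -join '.'
}
function Get-PrefixMask([int]$Length) {
    # 2^32 minus the host-part size gives the netmask as a number.
    4294967296 - ([long]1 -shl (32 - $Length))
}
function Get-SummaryRoute([string[]]$Subnets, [string]$NextHop) {
    $low = [long]::MaxValue
    $high = [long]0
    foreach ($cidr in $Subnets) {
        $ip, $len = $cidr -split '/'
        $first = (ConvertTo-IPv4Number $ip) -band (Get-PrefixMask ([int]$len))
        $last  = $first + ([long]1 -shl (32 - [int]$len)) - 1
        if ($first -lt $low)  { $low  = $first }
        if ($last  -gt $high) { $high = $last }
    }
    # Longest prefix whose network contains both the lowest and highest address.
    $prefix = 32
    while (($low -band (Get-PrefixMask $prefix)) -ne ($high -band (Get-PrefixMask $prefix))) {
        $prefix--
    }
    $mask = Get-PrefixMask $prefix
    $net  = ConvertTo-IPv4String ($low -band $mask)
    [pscustomobject]@{
        Summary = "$net/$prefix"
        Command = "route add -p $net mask $(ConvertTo-IPv4String $mask) $NextHop"
    }
}

Get-SummaryRoute -Subnets '192.168.1.0/24', '192.168.2.0/24' -NextHop '172.16.1.10'
```

For the two sample sites the narrowest covering prefix is 192.168.0.0/22, which is tighter than 192.168.0.0 mask 255.255.0.0. The wider route leaves room for additional sites but also sends any other 192.168.x.x traffic on the HQ LAN towards the vCPE server, so check it against the subnets already in use before adding it.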


Published Date: 10/05/15
