
Can't authenticate to corporate VPN (or outlook web email) using RBR50

DS9797
Aspirant

Can't authenticate to corporate VPN (or outlook web email) using RBR50

When trying to authenticate to my work VPN, I have to switch to a hotspot from my phone.  Once the connection has been made, I can switch back to wifi, and the connection is fine.

 

I have a similar issue with outlook.office.com, where that fails to connect to the authentication. I've not tried the same hotspot and back technique for email.

 

It seems like some protocol or dns is blocked, but I've no idea what.

Message 1 of 11
CrimpOn
Guru

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

Does this router have Armor or Smart Parental Controls (SPC) enabled?

 

What sort of device is running the VPN software? (laptop? tablet? Windows? Mac?)

Is this one of the typical VPN clients, or a special "corporate version"?

What sort of error message appears in the VPN log?

 

 

 

Message 2 of 11
DS9797
Aspirant

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

The VPN is a corporate VPN using Palo Alto's GlobalProtect.  But the authentication might be through a SecureAuth product.

 

The error message that I see - which is on the client end - says "the network connection is unreachable or the portal is unresponsive."  But any other network activity (not requiring the VPN) is fine.

 

Not running parental controls.

Message 3 of 11
CrimpOn
Guru

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

Thanks.  Guessing a Windows 10 or 11 laptop.

 

The strange part is that a connection through a cell phone Hot Spot and a connection using Orbi WiFi will appear to the corporate VPN server as coming from two different network locations.  The public IP address of the Hot Spot will be different from the public IP address of the Orbi router.

 

I would expect the log file to show two separate connection attempts to the same IP address, with both being successful.

 

Is it possible to increase the level of detail in the VPN log?

Corporate use of VPN has been common for over a decade.  It might be that the IT staff has run into situations like this before?

 

 

Message 4 of 11
DS9797
Aspirant

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

I'll be in the office tomorrow and will see what I can find.

 

Because yes, that's very strange.

Message 5 of 11
CrimpOn
Guru

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

VPN allows the user to connect to "any network" and have a secure connection.  What happens when connected to other networks? (friends, coffee shop, airport, medical office, etc. etc.)

Message 6 of 11
DS9797
Aspirant

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

This thing is strange.  The VPN isn't really IP based. Rather, after passing the authentication procedure - which may be another 3rd party application - a token of some sort is placed on the machine, which allows connection to the VPN for 24 hours. If briefly disconnected, the reconnection will be seamless.  Thus, you can change networks / IP addresses and it will still work, as long as the initial authentication occurred within 24 hours.

 

The VPN logs just show that I was not authenticated. Well, that's not really a surprise, although it does confirm that I can hit the VPN appliance itself.

 

What I can't seem to trigger/hit/pass through is the authentication service.  At least, not while on my Orbi, although I can via hotspot.

 

And yes, I have used it while on other networks - hotel, car dealerships, etc. Generally without problems, although it's been reported that some such networks block required ports.  I have had that issue years ago, when the company  used a different VPN. I've not had any problems in years - except my current home network!

My wife has no issues connecting to her work's network at home.

 

I've seen some talk of overlapping IP addresses, but based on the results of my ping tests, that's not the issue.

 

 

Message 7 of 11
CrimpOn
Guru

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

Most VPNs have a configuration file stored locally.  (OpenVPN, for example, calls theirs *.ovpn files.)  In the config file is an IP or a URL which is used to locate the VPN server.  Because most residential internet accounts are provided with dynamic IP addresses (so the ISP can change them now and then), it is really common to set up a Dynamic DNS account which translates a URL into the current IP address of the server.  When we configure our Orbi routers to act as OpenDNS servers, for example, Netgear has us select from one of three DDNS providers (Netgear, No-IP.com, or Dyn.com).  That is because every DDNS service uses a unique mechanism to synchronize the customer's public IP address with their database when the ISP changes it.  It would be impractical to write software to accommodate every DDNS service, so Netgear picked only three.  Most corporations pay for a static public IP address to avoid having to deal with ISP changes.

 

There is definitely a potential issue with overlapping IP addresses because they can confuse the client computer.  When corporations set up a private IP address space for their network, they tend to avoid using 192.168.x.x and 10.0.0.x because those private spaces are used by nearly every residential router network.  There have been posts on the forum from users who want to make VPN connections to two different family networks at the same time and are frustrated because both family networks have the same IP space, usually 192.168.1.x.  Not likely to be an issue confronting you in this specific situation.

 

This is an area where the "nerd tools" people like me would use are not well-suited to the general public.  My approach would be to set up Wireshark to capture every packet sent through the Windows VPN adapter or the actual WiFi adapter.  This would make a record of where the computer tried to communicate with.  The actual communications will be encrypted, but the pattern should indicate the pattern of communications.

 

The IT guys had no suggestions?

Message 8 of 11
DS9797
Aspirant

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

No real suggestions, no.

 

When trying to connect to the VPN, the first thing it does is redirect to an authentication site. I cannot hit that site via a URL while using my home network. It times out with no response.

 

That's true whether I use the "alpha" format  xxx.xxxx.com/xxx that would go through DNS, or if I use an IP address n.n.nnn.nn/xxx.  (n being numeric).

 

I suppose I could hardwire my laptop to my cable modem to see if Spectrum is blocking that address.  But I seriously doubt that's the issue. I guess I could ask around, but there aren't enough high speed internet providers in town for no one else to have that same problem if it were due to my ISP.  Which leaves the network.  And he's got no suggestions for that.

 

I did find one similar thread here. The solution was supposedly "enabling VPN" on the Orbi router. But ... that's to allow you to VPN from outside to in, no? Why in the hell would that be needed?  I'm stumped.  I'm IT, but more of a database design / programmer guy than networking expert. 

Message 9 of 11
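
The packet-capture approach suggested in message 8, applied to the timeout described in message 9, as an added example that is not part of the original thread: even with encrypted payloads, the TCP flags show whether each remote host completed a handshake, refused the connection, or never answered. The input format (time, source, destination, destination port, flags) and every address below are constructed for illustration; a real capture would first have to be exported into this shape.

```python
from collections import defaultdict

# Constructed sample: time_s, src, dst, dst_port, TCP flags (S=SYN, A=ACK, R=RST).
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
0.00,192.168.1.20,203.0.113.10,443,S
0.03,203.0.113.10,192.168.1.20,51000,SA
0.03,192.168.1.20,203.0.113.10,443,A
1.00,192.168.1.20,198.51.100.7,443,S
2.00,192.168.1.20,198.51.100.7,443,S
4.00,192.168.1.20,198.51.100.7,443,S
5.00,192.168.1.20,192.0.2.55,443,S
5.02,192.0.2.55,192.168.1.20,51002,RA
"""

def classify(capture, client):
    """Return {remote_ip: verdict} for every remote the client sent a SYN to."""
    syns = defaultdict(int)     # bare SYNs the client sent, per remote
    replies = defaultdict(set)  # flag strings each remote sent back
    for line in capture.strip().splitlines():
        _time, src, dst, _port, flags = line.split(",")
        if src == client and flags == "S":
            syns[dst] += 1
        elif dst == client:
            replies[src].add(flags)
    verdicts = {}
    for remote, count in syns.items():
        got = replies[remote]
        if any("S" in f and "A" in f for f in got):
            # SYN-ACK seen: the path to this host works at the TCP level.
            verdicts[remote] = "handshake completed"
        elif any("R" in f for f in got):
            # RST seen: something on the path or the host rejected the port.
            verdicts[remote] = "actively refused (RST)"
        else:
            # Repeated SYNs and silence: matches "times out with no response".
            verdicts[remote] = f"no reply to {count} SYNs (silent drop or no route)"
    return verdicts

if __name__ == "__main__":
    for remote, verdict in classify(SAMPLE, "192.168.1.20").items():
        print(f"{remote:15} {verdict}")
```

Running the same classification on a capture taken over the hotspot and one taken over the home WiFi shows which remote host changes verdict between the two networks.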
DS9797
Aspirant

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

Message 10 of 11
CrimpOn
Guru

Re: Can't authenticate to corporate VPN (or outlook web email) using RBR50

Does the authentication site respond to ICMP ('ping')?

 

With no Armor and no Parental Controls, the Orbi should not block any web connection.

There should be no issue with connecting directly to the ISP modem (except losing internet throughout the entire house temporarily).  I think your assumption that the ISP is not blocking the connection will be validated, but it never hurts to try.

 

Message 11 of 11