01-14-2015 10:25 AM
I am an IT support representivate for a company, and all of our users who are on Verizon FIOS who work from home, have issues with their VPN connection to us.
Everyone else who uses a different ISP do not have the issue.
They can establish a VPN connection still, but we have to exit and re-open client side software to try and reconnect out again, particularly the Citrix Receiver software that pulls their published applications from our Xenapp servers once their VPN is established.
Is there any restrictions or limits being placed on out end-users who are using FIOS when their VPN connection comes into play?
I've tried removing their IPv6 as well as setting their DNS to Google's public 220.127.116.11 but that doesn't appear to help.
Do our residential users need to call Verizon to have their routers updated or modified to allow for a more seamless VPN connectivity?
Solved! Go to Solution.
01-14-2015 10:34 AM - edited 01-14-2015 10:39 AM
Hi, I have seen the TOS regarding network management and it states that there are no restrictions.
Except as noted below with respect to blocking outbound traffic on port 25, Verizon Online does not block or rate-control specific protocols or protocol ports other than for security reasons as set forth below, modify protocol fields in ways not prescribed by the protocol standard, or otherwise inhibit or favor certain applications or classes of applications of traffic on our Internet access service.
As far as Verizon or FiOS is concerned, they don't particularly care what kind of traffic you send as long as it's not illegal,.
Folks that have had trouble with VPN's have had a slew of things fix it, but in general if you have a properly configured Firewall at the Verizon Router level, and the user PC level, then you shouldn't have an issue.
I've also seen that software (on fios) likes an MTU of 1492 (shouldn't, but other users of citrix have said that it helps)
01-14-2015 11:50 AM - edited 01-14-2015 11:51 AM
I use a Cisco "Anyconnect" VPN to connect to my work for hours or days all the time over FiOS. I've no problems with it.
Note that unlike other ISPs, most Verizon users will be using a Verizon supplied router that includes a stateful firewall. Perhaps your comapny's VPN configration doesn't play nicely with the firewall. Users can adjust the firewall settings, you might want to try that with one one or two people who know what they are doing. For what it's worth, I am using the default "medium" setting on my Verizon router.
FiOS is an IPv4 network only. People who want IPv6 connectivity to the Internet have to run a tunnel service on their end nodes. If your VPN expects IPv6 connectivity, that could be a contributing factor.
09-22-2016 09:32 AM
I am using a Juniper Networks VPN client. I have no issues with it anywhere, EXCEPT at one of my job sites that has Verizon FIOS. It seems to me that the VPN is blocked right at the router. When I run a tracert it stops at the router. It looks like Verizon is using the router to block VPNs to control the amount of "torrenting" and other mass download actions. They have plausible deniability because they are not actually blocking it on their end. They get the vender to install it in the router. They have been busted in the past for “throttling” traffic on lines they thought were torrenting. This is just another lie fabricated so that Verizon can, not supply the services for which it is being paid. I think the FCC should be looking into this as well as the Justice Department. Looks like racketeering to me.
09-22-2016 05:11 PM
Speculation and conjecture on grand conspiracies are nothing more than that ... I am certain Verizon is not "blocking" anything by design or thru some "secret" deal with a third party.
I have had Verizon FiOS for years and used a variety of remote access products all with a great deal of success. The problems that we've traced over the years have all been related to somewhat tricky mechanics of how VPN's work and most always there are ways around it -- but not always from the client side.
With respect to tradition IPSEC VPN's, the biggest issues have usually been with the NAT, firewall settings (either on the client or router), or UDP based configurations. This is a typical configuration from traditional VPN client Cisco or Juniper (but not also since some also use NAT-T or SSLVPN). Ways to stabilize this including trying to assign a static IP to your client and then doing a port forward on UDP port 500 from the router to this address (stabilizes timeout based closing of the UDP port); on the ActionTec router, try stepping down a level on the "firewall" setting (some firmware versions were overly agressive in blocking certain kinds of "atypical" traffic not running on typical ports); same thing on the client (turn off the firewall temporarily to see if you gain stability); and also check the configuration on your client and see if you have the option to force it to use TCP based connection instead of UDP (Cisco primarily).
For Citrix Access Gateway, that behavior is news to me. I've used a CAG based connection previously and never had this issue. Again, firewall might be something to check on the router or the client, but that's a reach. The Citrix connection depending on how it's configured is nothing more than an SSL/TLS connection on port 443 or potentially some traffic on 1494 and 2568 (but over the internet that should not be the case). Either way it's all TCP, so session state should be an issue on the router. Would be useful if you could describe the behavior a bit better in detail.