Database Info

[Q] Android devices cannot connect to Windows' PPTP VPN service

I own a few Android devices (an Android 2.3 mobile, an Android 4.0.4 tablet, and an Android 4.1.1 tablet). All of them cannot connect to a PPTP VPN server (it's Windows Server 2008 based, using MS CHAP2 for authentication) with MPPE (PPP encryption) option selected in the client side. Even that a device was rooted and VPNroot (the latest version) is used, the connection still fails. From the log of VPNroot, the error log is "MPPE required but peer negotiation failed". However, if the MPPE option is deselected, devices can connect the PPTP VPN server. Besides, the same can be connected from Windows XP & Windows 7 (with MPPE option enabled).
Due to security issue, I have to connect the PPTP VPN service with MPPE. It makes me unhappy as I cannot use a new tablet due to VPN connection problem. What can I do?

daemongmong said:
I own a few Android devices (an Android 2.3 mobile, an Android 4.0.4 tablet, and an Android 4.1.1 tablet). All of them cannot connect to a PPTP VPN server (it's Windows Server 2008 based, using MS CHAP2 for authentication) with MPPE (PPP encryption) option selected in the client side. Even that a device was rooted and VPNroot (the latest version) is used, the connection still fails. From the log of VPNroot, the error log is "MPPE required but peer negotiation failed". However, if the MPPE option is deselected, devices can connect the PPTP VPN server. Besides, the same can be connected from Windows XP & Windows 7 (with MPPE option enabled).
Due to security issue, I have to connect the PPTP VPN service with MPPE. It makes me unhappy as I cannot use a new tablet due to VPN connection problem. What can I do?
Click to expand...
Click to collapse
VPNroot log attached:
Code:
Connecting to xxxxx port 1723 via wlan0
Connection established (socket = 14)
Sending SCCRQ
Received SCCRP -> Sending OCRQ (local = xxxxx)
Tunnel established
Received OCRQ (remote = xxxxx)
Session established
Creating PPPoX socket
Starting pppd (pppox = 15)
Pppd started (pid = xxxxx)
Using PPPoX (socket = 15)
using channel 3
Using interface ppp100
Connect: ppp100 <-->
Received SLI
MPPE required but peer negotiation failed
Discard non-LCP packet when LCP not open
Discard non-LCP packet when LCP not open
Received SLI
Connection terminated
Received signal 17
Pppd is terminated (status = 10)
Mtpd is terminated (status = 42)

Have you tried open vpn? Cheap vpn service ive been using is http://xtreamvpnworld.blogspot.com
Sent from my WT19i using xda premium

USB to Ethernet RD9700 chip

Can anyone help me with getting usb to ethernet working
Tablet is Amaze-731 TF7020 (rk2928sdk) Android 4.1.1
USB to Ethernet is Digitech usb HUB ethernet combo (RD9700 chip)
In settings, I have disabled Wi-FI and Enabled Ethernet, static IP is not set, so i presume
this means it will use dhcp, but it just shows as unconnected with no IP address, and no MAC address.
It is showing as being detected in dmesg (full listing attached).
<6>[ 228.496756] usb 1-1.2: new full speed USB device number 13 using usb20_otg
<6>[ 228.617855] usb 1-1.2: New USB device found, idVendor=0fe6, idProduct=9700
<6>[ 228.617924] usb 1-1.2: New USB device strings: Mfr=0, Product=2, SerialNumber=0
<6>[ 228.617977] usb 1-1.2: Product: USB 2.0 10/100M Ethernet Adaptor
...
<6>[ 228.673309] SR9700_android 1-1.2:1.0: eth0: register 'SR9700_android' at usb-usb20_otg-1.2, SR9700_ANDROID USB Ethernet, 00:e0:4c:53:44:58
...
<7>[ 239.716388] eth0: no IPv6 routers present
netcfg shows...
[email protected]:/ # netcfg
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
sit0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
ip6tnl0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
eth0 UP 0.0.0.0/0 0x00001003 00:e0:4c:53:44:58
ifconfig shows...
[email protected]:/ # ifconfig eth0
eth0: Cannot assign requested address
Setting a static IP address, and toggling ethernet off/on makes it display as connected,
But still won't communicate. Tried browser, email, and also
ping from shell on tablet does not work, ping from pc to tablet does not work.
Status tray shows "No Internet connection"
(Toggling off/on must be done manually after reboot. to show as connected in setting -> Ethernet,
The toggle ethernet off/on does not work for dhcp.)
Is there a way to get the ethernet working?
Is there away to get dhcp working?
and not having to toggle off/on after reboot?

Solved:
By moving to an ethernet port directly on my adsl router, usb-ethernet is now working.
Nolonger have to toggle ethernet off/on.
DHCP also working,
Status tray still shows "No Internet Connection!", even tho it is!
rshep1 said:
Can anyone help me with getting usb to ethernet working
Tablet is Amaze-731 TF7020 (rk2928sdk) Android 4.1.1
USB to Ethernet is Digitech usb HUB ethernet combo (RD9700 chip)
In settings, I have disabled Wi-FI and Enabled Ethernet, static IP is not set, so i presume
this means it will use dhcp, but it just shows as unconnected with no IP address, and no MAC address.
It is showing as being detected in dmesg (full listing attached).
<6>[ 228.496756] usb 1-1.2: new full speed USB device number 13 using usb20_otg
<6>[ 228.617855] usb 1-1.2: New USB device found, idVendor=0fe6, idProduct=9700
<6>[ 228.617924] usb 1-1.2: New USB device strings: Mfr=0, Product=2, SerialNumber=0
<6>[ 228.617977] usb 1-1.2: Product: USB 2.0 10/100M Ethernet Adaptor
...
<6>[ 228.673309] SR9700_android 1-1.2:1.0: eth0: register 'SR9700_android' at usb-usb20_otg-1.2, SR9700_ANDROID USB Ethernet, 00:e0:4c:53:44:58
...
<7>[ 239.716388] eth0: no IPv6 routers present
netcfg shows...
[email protected]:/ # netcfg
lo UP 127.0.0.1/8 0x00000049 00:00:00:00:00:00
sit0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
ip6tnl0 DOWN 0.0.0.0/0 0x00000080 00:00:00:00:00:00
eth0 UP 0.0.0.0/0 0x00001003 00:e0:4c:53:44:58
ifconfig shows...
[email protected]:/ # ifconfig eth0
eth0: Cannot assign requested address
Setting a static IP address, and toggling ethernet off/on makes it display as connected,
But still won't communicate. Tried browser, email, and also
ping from shell on tablet does not work, ping from pc to tablet does not work.
Status tray shows "No Internet connection"
(Toggling off/on must be done manually after reboot. to show as connected in setting -> Ethernet,
The toggle ethernet off/on does not work for dhcp.)
Is there a way to get the ethernet working?
Is there away to get dhcp working?
and not having to toggle off/on after reboot?
Click to expand...
Click to collapse

[Q] Nexus 5 and Always-on VPN

Hey guys,
I was just wondering if anyone else has had issues with VPNs on their Nexus 5? I should add that every one of these settings works flawlessly on my Nexus 7. So anyway, here's my situation:
L2TP/IPSec PSK
Works fine for a while but will eventually time out, anywhere from a few minutes to over an hour after connecting (yet still remains "connected" according to the phone - have to reboot to fix it).
L2TP/IPSec PSK "Always-on"
I get "connected" yet no data is transmitted, at all. Could this have something to do with it (can't post links - code dot google dot com/p/android/issues/detail?id=61948)?
OpenVPN (same result with various clients)
Connects fine for a while - anywhere from a few minutes to over an hour, just as with L2TP - but eventually times out. Here is part of a recent log file from when it starts to go wrong (looks like it gets an 'inactivity timeout'). The red text is where the problem begins. Note that the same thing happens even when plugged in & with the 'always-on screen' developer setting enabled so my phone isn't going to sleep.
Code:
Running on Nexus 5 (hammerhead) google, Android API 19, version 0.5.46, official build
Building configuration…
started Socket Thread
P:Initializing Google Breakpad!
P:eek:penVPN 2.3.2+dspatch4 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Sep 12 2013
P:MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
Network Status: CONNECTED to WIFI "redacted"
P:MANAGEMENT: CMD 'username 'Auth' redacted'
P:MANAGEMENT: CMD 'password [...]'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:MANAGEMENT: >STATE:1383797854,RESOLVE,,,
P:Socket Buffers: R=[163840->131072] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383797854,WAIT,,,
P:MANAGEMENT: >STATE:1383797854,AUTH,,,
P:TLS: Initial packet from [AF_INET]173.245.209.2:443, sid=5baec2e6 9c0dfbdd
P:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
P:VERIFY OK: depth=1, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, [email protected]
P:VERIFY X509NAME OK: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:VERIFY OK: depth=0, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
P:[syd-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383797857,GET_CONFIG,,,
P:SENT CONTROL [syd-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
P:PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.32.206 255.255.248.0'
P:eek:PTIONS IMPORT: timers and/or timeouts modified
P:eek:PTIONS IMPORT: explicit notify parm(s) modified
P:eek:PTIONS IMPORT: --sndbuf/--rcvbuf options modified
P:Socket Buffers: R=[131072->524288] S=[131072->131072]
P:eek:PTIONS IMPORT: --ifconfig/up options modified
P:eek:PTIONS IMPORT: route options modified
P:eek:PTIONS IMPORT: route-related options modified
P:eek:PTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
P:ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=bc:f5:ac:f2:a5:c2
P:ROUTE6: default_gateway=UNDEF
P:eek:penVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:eek:penVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
P:MANAGEMENT: >STATE:1383797858,ASSIGN_IP,,172.20.32.206,
P:MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: >STATE:1383797858,ADD_ROUTES,,,
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
Opening tun interface:
Local IPv4: 172.20.32.206/21 IPv6: null MTU: 1500
DNS Server: 198.18.0.1, 198.18.0.2, Domain: null
Routes: 173.245.209.2/32, 0.0.0.0/1, 128.0.0.0/1, 0.0.0.0/0
Routes IPv6:
P:MANAGEMENT: CMD 'needok 'OPENTUN' ok'
P:Initialization Sequence Completed
P:MANAGEMENT: >STATE:1383797859,CONNECTED,SUCCESS,172.20.32.206,173.245.209.2
[COLOR="Red"]P:[syd-a01.ipvanish.com] Inactivity timeout (--ping-restart), restarting[/COLOR]
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799065,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799081,WAIT,,,
P:[UNDEF] Inactivity timeout (--ping-restart), restarting
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799152,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799153,WAIT,,,
P:[UNDEF] Inactivity timeout (--ping-restart), restarting
P:SIGUSR1[soft,ping-restart] received, process restarting
P:MANAGEMENT: >STATE:1383799213,RECONNECTING,ping-restart,,
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
P:Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
P:TCP/UDP: Preserving recently used remote address: [AF_INET]173.245.209.2:443
P:Socket Buffers: R=[163840->524288] S=[163840->131072]
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:UDP link local: (not bound)
P:UDP link remote: [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799214,WAIT,,,
P:MANAGEMENT: >STATE:1383799230,AUTH,,,
P:TLS: Initial packet from [AF_INET]173.245.209.2:443, sid=a3743100 cabdef57
P:VERIFY OK: depth=1, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=IPVanish CA, [email protected]
P:VERIFY X509NAME OK: C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:VERIFY OK: depth=0, C=US, ST=FL, L=Winter Park, O=IPVanish, OU=IPVanish VPN, CN=syd-a01.ipvanish.com, [email protected]
P:Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
P:Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
P:Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
P:[syd-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]173.245.209.2:443
P:MANAGEMENT: >STATE:1383799243,GET_CONFIG,,,
P:SENT CONTROL [syd-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
P:PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.32.206 255.255.248.0'
P:eek:PTIONS IMPORT: timers and/or timeouts modified
P:eek:PTIONS IMPORT: explicit notify parm(s) modified
P:eek:PTIONS IMPORT: --sndbuf/--rcvbuf options modified
P:Socket Buffers: R=[524288->524288] S=[131072->131072]
P:eek:PTIONS IMPORT: --ifconfig/up options modified
P:eek:PTIONS IMPORT: route options modified
P:eek:PTIONS IMPORT: route-related options modified
P:eek:PTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
P:ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=bc:f5:ac:f2:a5:c2
P:ROUTE6: default_gateway=UNDEF
P:eek:penVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
P:eek:penVPN ROUTE: failed to parse/resolve route for host/network: ::/0
P:do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
P:MANAGEMENT: >STATE:1383799244,ASSIGN_IP,,172.20.32.206,
P:MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: >STATE:1383799244,ADD_ROUTES,,,
P:MANAGEMENT: CMD 'needok 'ROUTE' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
P:MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
Opening tun interface:
Local IPv4: 172.20.32.206/21 IPv6: null MTU: 1500
DNS Server: 198.18.0.1, 198.18.0.2, Domain: null
Routes: 173.245.209.2/32, 0.0.0.0/1, 128.0.0.0/1, 0.0.0.0/0
Routes IPv6:
Failed to open the tun interface
Error: command '86 interface fwmark uid add tun1 0 99999' failed with '400 86 Failed to add uid rule (Invalid argument)'
On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings
P:MANAGEMENT: CMD 'needok 'OPENTUN' cancel'
P:MANAGEMENT: Client disconnected
P:ERROR: Cannot open TUN
P:Exiting due to fatal error
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
P:Closing TUN/TAP interface
MGMT:Got unrecognized command>FATAL:ERROR: Cannot open TUN
Process exited with exit value 1
Any help would be greatly appreciated. Cheers.

Not sure exactly what you are looking for. But here is my thought.
1. It's quite impractical to do an always on VPN for mobile device because aa you move around, you switch from tower to tower and you IP address change, or at least the route established from one tower need to change. So, it would be more like redialing VPN every time you switch tower.
2. if you meant the VPN get time out, you could just go on the terminal amd do a continuous ping to an address on the VPN network.

someone0 said:
Not sure exactly what you are looking for. But here is my thought.
1. It's quite impractical to do an always on VPN for mobile device because aa you move around, you switch from tower to tower and you IP address change, or at least the route established from one tower need to change. So, it would be more like redialing VPN every time you switch tower.
Click to expand...
Click to collapse
That's true; I was just hoping for a VPN connection that would not time out while on the same WiFi connection. Seems to work fine on my older Android devices, just not the Nexus 5 which cannot hold a persistent connection.
someone0 said:
2. if you meant the VPN get time out, you could just go on the terminal amd do a continuous ping to an address on the VPN network.
Click to expand...
Click to collapse
Thanks but I just don't see why this should be necessary. It should work 'out of the box'. Also even if that did work that still wouldn't fix the "Always-on" feature of the phone that never allows a data connection to begin with even when connected, a feature that works on my other (non-4.4) Android devices. support[dot]google[dot]com/nexus/answer/2819573

Looks like it's certainly an issue for others too. I'm just surprised it's not more prevalent; I guess not many people use a VPN on their phone?
Due to a bug in Android 4.4 (KitKat) reported to Google under Issue #61948, AnyConnect users will experience High Packet Loss over their VPN connection (users will experience timeouts when attempting to access certain network resources). In the ASA logs, a syslog message will appear with text similar to "Transmitting large packet 1420 (threshold 1405)."
This has been reported to Google under Issue #61948
Android 4.4 TCP advertises incorrect MSS over VPN (using VpnService)
https://code.google.com/p/android/issues/detail?id=61948
End users may log in with their Google ID and flag the importance of the request as well as enter comments at the link above.
Conditions:
Android 4.4 (KitKat) including the Google Nexus 5
AnyConnect ICS+
Workaround:
Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the ASA with the configuration command "sysopt connection tcpmss <mss size>". The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365. Reducing this value will negatively impact performance for connected VPN users where large packets are transmitted.
Click to expand...
Click to collapse
supportforums.cisco.com/thread/2250185

Thank you posting this, I thought I was the only one with this problem judging from Google results.
This really sucks, it breaks openvpn completely. How did Google screw up this bad? I hope they fix it soon.

SHAWDAH said:
Thank you posting this, I thought I was the only one with this problem judging from Google results.
This really sucks, it breaks openvpn completely. How did Google screw up this bad? I hope they fix it soon.
Click to expand...
Click to collapse
Encountered the same issue on Omni's 4.4 build on Nexus 4, hopefully, they will fix that soon enough, as this is a major issue for corporate work.

I usually avoid using proprietary VPN anyway. I'm still trying to get OpenVPN working back up again in my house, but it was always a mess getting OVPN to work with many mobile devices due to tunnel drivers. Atleast I still have L2TP and it always work solidly.

someone0 said:
I usually avoid using proprietary VPN anyway. I'm still trying to get OpenVPN working back up again in my house, but it was always a mess getting OVPN to work with many mobile devices due to tunnel drivers. Atleast I still have L2TP and it always work solidly.
Click to expand...
Click to collapse
What do you mean proprietary VPN? The official OpenVPN android client is proprietary (which is a joke) but OpenVPN for Android is open source.

I was referring to the AnyConnect which is Cisco proprietary VPN. But as far as OpenVPN on Android goes, it is kinda hit and miss. But I know I can always count on L2TP which is build into just almost all Android and iOS. I would still build OpenVPN as you can just route it through any port you want, including TCP port 80 and 443. Which I don't think any wifi hotspot will block those two ports.

bruceau said:
Looks like it's certainly an issue for others too. I'm just surprised it's not more prevalent; I guess not many people use a VPN on their phone?
Click to expand...
Click to collapse
I use VPN all time on my Android phone.I sold all of my Nexus devices so i think im safe for now.

I know this thread's been inactive for a few months now but I'm still having this problem. Manually connecting my VPN through the android settings wLvorks but does eventually drop connections sometimes.
I know of the issues on the AOSP tracker and have them starred.
A comment on one of the issues lists what claims to be working iptables that fix the bug with the VPN.
https://code.google.com/p/android/issues/detail?id=63450#c4
Code:
Chain fw_FORWARD (1 references) target prot opt source destination Chain fw_INPUT (1 references) target prot opt source destination Chain fw_OUTPUT (1 references) target prot opt source destination ============================================================================================================ Always-on VPN iptables: Chain fw_FORWARD (1 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain fw_INPUT (1 references) target prot opt source destination RETURN all -- anywhere 192.168.2.11 RETURN all -- anywhere anywhere RETURN udp -- VPN-SERVERS anywhere udp spt:l2f RETURN tcp -- VPN-SERVERS anywhere tcp spt:l2f RETURN udp -- VPN-SERVERS anywhere udp spt:4500 RETURN tcp -- VPN-SERVERS anywhere tcp spt:4500 RETURN udp -- VPN-SERVERS anywhere udp spt:isakmp RETURN tcp -- VPN-SERVERS anywhere tcp spt:isakmp RETURN all -- anywhere anywhere DROP all -- anywhere anywhere Chain fw_OUTPUT (1 references) target prot opt source destination RETURN all -- 192.168.2.11 anywhere RETURN all -- anywhere anywhere RETURN udp -- anywhere VPN-SERVERS udp dpt:l2f RETURN tcp -- anywhere VPN-SERVERS tcp dpt:l2f RETURN udp -- anywhere VPN-SERVERS udp dpt:4500 RETURN tcp -- anywhere VPN-SERVERS tcp dpt:4500 RETURN udp -- anywhere VPN-SERVERS udp dpt:isakmp RETURN tcp -- anywhere VPN-SERVERS tcp dpt:isakmp RETURN all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
I pasted the iptables and they're also at the link but I don't know how to apply them since I don't know the syntax.

VPN Root connects every time, and stays connected.

PhilipTD said:
VPN Root connects every time, and stays connected.
Click to expand...
Click to collapse
Except my connection uses L2TP and there's no apps for that.
Sent from my Nexus 5 using Tapatalk

Hopefully will be fixed on 4.4.3...

The guys at Google are surely taking their time to roll out this fix...
Why couldn't they simply re-issue a patch based on the working code from 4.3?

Right? What the heck....It just baffles me.
eKeith said:
The guys at Google are surely taking their time to roll out this fix...
Why couldn't they simply re-issue a patch based on the working code from 4.3?
Click to expand...
Click to collapse

Problem with Reverse Tethering on Nexus 7 Tablet Running Marshmallow (6.01)

I'm trying to get an Ethernet TCP/IP connection between a Windows 7 PC and a Nexus 7 tablet running Android 6.01 (Marshmallow) using a "regular" USB cable (i.e., NOT using a USB to RJ45 dongle). The documentation I've found refers to this as "Reverse Tethering".
My problem is: I can't get the tablet to configure an RNDIS network device on the USB port. The following are notes on what I've tried and what I've seen:
On the Tablet:
* I enabled developer mode on the tablet. From the developer options, I enabled USB DEBUGGING, set the USB configuration to RNDIS (USB Ethernet), and plugged the other end of the cable into the PC.
* I'm a little concerned that in the Settings->Wireless & networks->more menu, there isn't a "tethering & portable hotspot" option on the tablet. I believe this option only applies to tethering of the WiFi network, so I don't think it's an issue.
* On the tablet, I entered the command sequence:
setprop sys.usb.config 'rndis'
ip rule add from all lookup main
ip addr flush dev rndis0
The last command fails because there isn't a rndis0 device. Further, the first two commands have no impact on the devices listed with ifconfig (i.e., rndis device still missing)
On the Windows 7 PC:
* When the tablet is plugged in, the Network Adapter "Remote NDIS based Internet Sharing Device" appears in the Device Manager->Network adapters list.
* I configured the "Remote NDIS based Internet Sharing Device" with a static IP address and Subnet mask.
* The Local Area Connection associated with the RNDIS device shows a status of "Network cable unplugged" in the Network and Sharing Center.
Again, none of the steps described above have resulted in an RNDIS interface (or any change at all) in the list provided by ifconfig on the tablet.
Any ideas or suggestions would greatly appreciated.
Thanks

Android 11 'couldn't connect to network' NPS with PEAP/MS-CHAPv2

Hi All,
I am trying to connect company-owned / unmanaged Android 11 devices to a Cisco WAP SSID using our public certificate wireless.fqdn
For my Galaxy A20 Android 11 phone , when connecting the SSID the phone returns:
'couldn't connect to network'
'couldn't authenticate connection'
On the NPS Server, the wireless.fqdn certificate is installed in the Certificates (Local Computer) Personal / Certificates container
We are using Windows NPS/PEAP/MS-CHAPv2 which I believe requires a certificate on the server-side only
I belive PEAP encapsulates the EAP type MS-CHAPv2 authentication in a secure TLS tunnel.
As a further configuration item, I installed the wwireless.fqdn certificate into the cert store on my Android device (User certificates, installed for WiFi)
NPS / RADIUS Server is Windows Server 2016 Datacenter
NPS Role installed with the following Windows NPS Policy
Connection Request Policy:
Wireless connections, NAS Port Type: wireless - other or wireless IEEE 802.11
Network Policy: Staff
CONDITIONS:
Wireless - Other OR Wireless IEEE 802.11
Windows Groups: ADDSGroup
Calling Station ID: ^[^:]+:SSID$
CONSTRAINTS:
EAP TypesMicrosoft: Protected EAP (PEAP)
Edit / certificate issued to: wireless.fqdn
Issuer: DigiCert TLS RSA SHA256 2020 CA1
Enable Fast Reconnect
EAP Type:
Seure password (EAP-MSCHAP v2)
Android 11:
I got into settings / biometrics and security
Other security settings
PFX user certificates: wireless.fqdn installed for WiFi (contains root/intermediate/cert chain)
View security certificates / system / CA root
No user certificates
Click the WiFI SSID / manage
EAP method: PEAP
Enter identity / password
CA certificate: Use system certificates (if I choose 'select certificate' there is nothing to select, android stated in a red color "CA certificate must be selected")
Online certificate status: don't validate
Domain: wireless.fqdn
When connecting to the SSID the phone returns:
'couldn't connect to network'
'couldn't authenticate connection'
MAC of Android phone not in NPS logs
Hope someone with more experience can assist.
Thanks!