Palo Alto Networks Knowledgebase: GlobalProtect VPN with iOS 10.2 and T-Mobile LTE Network

GlobalProtect VPN with iOS 10.2 and T-Mobile LTE Network

Created On 08/05/19 19:23 PM - Last Updated 08/05/19 19:48 PM
Resolution

This article documents reported issues with GlobalProtect VPN with iOS 10.2 and T-Mobile LTE network.

 

Symptom

It has been reported that, in some markets (Asia and India), T-Mobile and other carriers are no longer issuing IPv4 addresses on their LTE networks for iPhones running iOS 10.2 and Carrier Profile 27.1.

 

This caused GlobalProtect VPN on our iOS 10.2 phones with T-Mobile LTE to stop working. 

 

Details

Summary of the testing - See attached screenshots:

  • Platforms: Two iOS 10.2 iPhones - one on T-Mobile LTE and one on AT&T LTE
  • Tools used: Hurricane Electric's Network Tools App -> Interface data.
  • T-Mobile LTE: No IPv4 addresses. IPv6 addresses only.
  • AT&T's LTE: Both IPv4 and IPv6 addresses.
  • GlobalProtect 2.X.X and 3.X.X do not support IPv6. (Current iOS version is 3.0.2.) 

Notes

  • Impact is confined to T-Mobile LTE only at this time.
    • Verizon, AT&T, Sprint, etc. do not have this issue.
  • Based on how it's working today, an educated guess is that T-Mobile has an IPv6->IPv4 translation gateway where they connect the LTE network to the Internet.

 

Workaround

  • For T-Mobile LTE customers, use Wi-Fi for VPN.

 

Resolution

IPv6 is not supported in the GlobalProtect app as of today, but will be supported in a future release. Please contact your Palo Alto Networks representative for timelines and more details.

 

For more help

If you are being impacted, please talk to your Palo Alto Networks Account Rep and open a support case with Palo Alto Networks about the issue. For reference, use case #00598890.

 

Information from devices showing no routable IPv4 addresses:

[Screenshots: AT-T.PNG, t-mobile.PNG]

 

 

Extra Detail

This is a widely documented problem with mobile carriers in Asia and most mobile carriers in India.

Because most of the major websites that users visit are IPv6-capable, this isn't a large issue for daily browsing, and most carriers use a NAT64 gateway so that you can still reach IPv4-only services. It can be an issue for GlobalProtect and most other VPN solutions, however, unless they actually support IPv6.
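The NAT64 arrangement described above can be confirmed from the affected network with RFC 7050 discovery: a DNS64 resolver returns synthesized AAAA records for ipv4only.arpa, and the RFC 6052 mapping then gives the IPv6 address that stands in for an IPv4-only VPN gateway. The Python below is an added example, not part of the original article or of any Palo Alto Networks tooling; the sample AAAA answers and the gateway address 203.0.113.10 are constructed placeholders.

```python
import ipaddress
import socket

# RFC 7050: ipv4only.arpa has only these two A records, so any AAAA answer
# for it was synthesized by a DNS64 resolver sitting in front of a NAT64.
WKA = [ipaddress.IPv4Address(a) for a in ("192.0.0.170", "192.0.0.171")]
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)  # lengths allowed by RFC 6052


def embed(prefix, v4):
    """RFC 6052 mapping: IPv4 bits follow the prefix, skipping bits 64-71."""
    raw = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:  # reserved "u" octet stays zero
            pos += 1
        raw[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(raw))


def nat64_prefix(aaaa_answers):
    """NAT64 prefix implied by AAAA answers for ipv4only.arpa, else None."""
    for text in aaaa_answers:
        addr = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:
            prefix = ipaddress.IPv6Network((addr, plen), strict=False)
            if any(embed(prefix, wka) == addr for wka in WKA):
                return prefix
    return None


def synthesize(prefix, ipv4_text):
    """IPv6 address through which the NAT64 reaches an IPv4-only host."""
    return embed(prefix, ipaddress.IPv4Address(ipv4_text))


def lookup_ipv4only_arpa():
    """Live query (needs network); an empty list means no DNS64 on this path."""
    try:
        infos = socket.getaddrinfo("ipv4only.arpa", None, socket.AF_INET6)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]  # constructed sample
    prefix = nat64_prefix(answers)
    print(prefix, synthesize(prefix, "203.0.113.10"))  # placeholder gateway
```

On a live network, pass the result of lookup_ipv4only_arpa() to nat64_prefix(); a result of None means no DNS64/NAT64 was detected on that path.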


