Issue with Pulse Secure VPN

cpetricko

My company uses Pulse Secure VPN. Per the support team for the VPN software/appliance, there is an issue with ASUS routers working with Windows 10. I'm pasting their description of the issue below.

Do you have any thoughts around a possible fix for this issue? I prefer not having to move away from ASUS.

Thanks in advance.

Start Company Note > Some models of consumer routers do not correctly respond when Windows 10 sends a Dynamic Host Configuration Protocol (DHCP) request. These requests ask for common items such as the IP Address to use, the DNS servers to use etc. Windows 10 also asks for Web Proxy Auto Discovery (WPAD) information as well. Routers that are not configured to send WPAD information are supposed to ignore the request and not return any information for WPAD. However, some routers return a Line Feed character for the WPAD information instead of ignoring the request. This causes Internet Explorer to be unable to find the corporate proxy servers when you make a VPN connection to the company. What the user sees is that they make a VPN connection and then cannot get to any sites on the Internet (such as WebEx, SalesForce, etc.) while internal sites continue to work fine. If they drop the VPN connection then Internet sites work just fine.

Most, if not all, of the routers that have this problem are from Asus. We’ve seen at least the following models – even when running firmware as recent as 7-July-2017:

• Asus RT-N66R
• Asus RT-AC68U
• Asus RS-N12
• Asus RT-AC3200


Permanent fixes

The most supportable and permanent fix is to replace the router with a new one from a vendor whose firmware correctly handles DHCP requests from Windows 10 machines. We do not make recommendations for home / consumer routers, but most all other brands are fine including those from Netgear, Linksys, Orbi, Eero, Google WiFi and many more. There are many great choices out there that will meet most anyone’s needs from new whole house mesh systems to classic single router setups.

It is also possible that, at some point, ASUS may update their firmware. At the time of this writing, in August of 2017, it does not look like this is going to happen though. If ASUS does fix this in a newer firmware then upgrading to that firmware would also be a permanent fix.
 
When running Merlin, make a /jffs/scripts/dnsmasq.postconf with the following content, then reboot the router (make sure the file is in Linux format and marked executable).
Code:
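#!/bin/sh
# dnsmasq.postconf: called with the path of the generated dnsmasq config as $1
CONFIG=$1
source /usr/sbin/helper.sh

# Delete the line that answers DHCP option 252 (WPAD) with a line feed
pc_delete "dhcp-option=252,\"\n\"" "$CONFIG"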
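
To confirm on the wire what the router returns for WPAD, the DHCP reply can be parsed and option 252 classified as absent, blank (the line feed described above) or a real PAC URL. This is an added example, not code from the thread or from the firmware; the function names are hypothetical and the sample replies are constructed.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (UDP data)."""
    start = 236  # fixed-size BOOTP header precedes the magic cookie
    if packet[start:start + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, start + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # A repeated option code is concatenated (RFC 3396 long options).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def classify_wpad(options: dict) -> str:
    """Describe what the server said about option 252 (WPAD)."""
    if OPT_WPAD not in options:
        return "absent"              # server ignored the request
    text = options[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace").strip()
    if text == "":
        return "blank"               # e.g. a lone line feed, as in this thread
    return "url:" + text


def build_reply(opts: list) -> bytes:
    """Constructed sample: zeroed BOOTP header plus (code, value) options."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return bytes(236) + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed replies: option 53 value 5 = DHCPACK, option 6 = DNS server.
BASE = [(53, b"\x05"), (6, bytes([192, 168, 1, 1]))]
ACK_LINE_FEED = build_reply(BASE + [(252, b"\n")])
ACK_NO_WPAD = build_reply(BASE)
ACK_REAL_PAC = build_reply(BASE + [(252, b"http://wpad.example/wpad.dat")])
```

Feed `parse_dhcp_options` the UDP payload of a captured DHCP ACK; a result of "blank" before the postconf change and "absent" after it shows the option line was removed.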

This was added to prevent the Windows Event Log from being filled with WPAD errors when a proxy isn't being used on some Windows versions.
 
@RMerlin
It looks like Microsoft made an update along the way that stops the event log spam without this option (pretty sure I used to see it on my Win7 system). Maybe time to remove it from the config?
 

Would still be problematic for all the people clinging to Windows 7 (which is still a fairly large number of people).
 
That was my point (sorry if I wasn't clear)... I no longer see the event log spam on Win 7 with the option removed.
 

Sorry, I thought you meant it was fixed with a recent Windows 10 release. Certainly worth re-investigating then, thanks.
 

I'll remove it, but add an nvram value to allow people to re-enable it if necessary.
 
I went with dhcpd_filter_wpad, with a default value of 0. Setting it to 1 will have dnsmasq insert the dhcp option it currently adds.

I probably won't put the setting on the webui however, it's there only as a safeguard in case things change in the future.
 
@RMerlin
Sounds good. Now if the OP would let us know if this fixed his problem :)

@cpetricko
Are you there?

I'd like to try this as well. Can someone give me a little help on how to do this? I'm on the router with SSH and the JFFS partition is enabled. Not sure how to make/get the new .conf file on there. Thank you all!
 
@RMerlin & @john9527 Sorry. Been out of pocket for a bit and have not had any time to get on the forum. Testing beta firmware now. Thank you. Will post later today on findings.
 