NetMotion Mobility v10.50 Known and Resolved Issues
Last updated: January 30, 2015
The numbers in square brackets are internal issue numbers. Issues are grouped by product area and listed in descending order by issue number. Note: NetMotion Wireless has changed its issue numbering scheme; newer issues are prefixed with MOB.
About the v10 Mobility Server
About Upgrading a Mobility Server
When you upgrade Mobility, the settings that you have configured in the earlier release are used in the new installation. But sometimes NetMotion Wireless will change settings and you need to be aware of the consequences. See Things to Consider Before You Upgrade a Mobility Server in the Mobility server help or System Administrator Guide (sysadmin.pdf) for details about these topics:
License Requirements During an Upgrade
FIPS Considerations During an Upgrade
Configuring EAP-GTC Authentication: Upgrade Considerations
Use a Network Interface Card with a Single IP Address
Dynamic DNS Considerations During an Upgrade
Upgrading a Mobility Server with Multiple Network Interfaces
Windows Server 2003 Support Ended
As of version 10.0, Mobility is not supported on Windows Server 2003 R2. Version 9.5x is the last Mobility release that supports that platform. For a table showing what versions of Mobility are supported on which operating systems, see the NetMotion Wireless web site: http://www.netmotionwireless.com/support/operating_system_requirements.aspx.
About Upgrading the Mobility Warehouse
Versions 10 and later of the Mobility server work only with version 7.0 and later of the Mobility warehouse.
If you are upgrading to Mobility v10, your starting point must be Mobility servers running v9.2x or later, and version 7.0 of the Mobility warehouse.
If you already have version 7.0 of the warehouse from a previous release, you can choose to upgrade the warehouse to v11 (recommended), or keep your current version.
See Upgrading the Mobility Warehouse in the Mobility server help or System Administrator Guide (sysadmin.pdf) for details.
As of Mobility v9.50 the Analytics Module is a single component. For users who are upgrading and want to use the data they have collected, there are procedures and a utility (the Analytics Module Data Exporter) to migrate data from all supported configurations. Before installing version 10.51, look through the upgrade scenarios in Upgrading the Analytics Module in the Mobility server help or System Administrator Guide (sysadmin.pdf) and follow the instructions for the one that fits your deployment.
Specifying an Internal Interface
If you have more than one network adapter on the computer that will host your Mobility server, you must specify (during Setup) the name of the network adapter that is to be used as the internal interface. To make sure that Mobility-related traffic is properly routed, refer to Configuring Network Interfaces and Routing for information about what you need to configure and take into account.
Mobility XE client disconnected with reason 141 when running IE 11.0 [MOB-4937]
If you are running a Mobility XE client and using Internet Explorer 11, you may see disconnect error 141 (Proxied network connection limit exceeded). To work around this issue you have two options:
- Upgrade to a Mobility client with a technology type of XG.
- In IE 11, go to Tools > Internet options > Advanced tab > Browsing, and then disable Load sites and content in the background to optimize performance.
iOS: OpenSSL vulnerability CVE-2014-0224 [MOB-4907]
The OpenSSL CVE-2014-0224 advisory (released June 5, 2014) describes six vulnerabilities that could allow an attacker to decrypt intercepted traffic. The v10.50 Mobility client for iOS (and v10.11 and earlier Mobility clients running on Windows and Android) is only affected by CVE-2014-0224 when configured to use RADIUS authentication with a vulnerable RADIUS server. In addition, the attacker must have control of a router on the path between the Mobility server and a Mobility client and be able to force all Mobility traffic through it.
If your deployment is configured to use NTLMv2, LEAP, or RSA SecurID authentication you can disregard the advisory. For full details about this issue, see www.netmotionwireless.com/support-advisories.aspx.
iOS: A FaceTime connection may be lost when you roam between WiFi and cellular networks [MOB-4866]
You can maintain a FaceTime connection with the Mobility client for iOS, but the connection is sometimes lost if you roam between networks (from WiFi to cellular or cellular to WiFi).
iOS: Status message not shown [MOB-4366]
If the Mobility client for iOS is in the background when it gets disconnected (for example, because the re-authentication prompt timed out), you will not see an explanation for the disconnect on the Mobility Connection page. If the app is visible when the disconnect occurs, the status message is displayed.
Android: Interface proxy settings are ignored when connected with Mobility [MOB-4190]
In the Android operating system you can modify the proxy settings for WiFi connectivity, but these settings are ignored when the device is connected over the Mobility VPN tunnel (without a VPN installed the proxy works as expected). This is due to Google issue 33935.
Android: KitKat - Application connections do not persist when roaming between networks [MOB-3275]
In version 4.4 of the Android operating system (KitKat), Google made a change that was problematic for many VPN vendors, including NetMotion Wireless. The result for the Mobility client is that application persistence breaks.
Android: Enabling "Connect on startup" has no effect on certain HTC Android devices [MOB-3208]
When Connect on startup is selected the Mobility client attempts to connect to a Mobility server at the same time as the Android device starts. On an HTC One S device, enabling this setting has no effect: the Mobility VPN must be manually turned on.
Android: When credentials are cleared certificate logon is unavailable [MOB-3120]
If you clear your Mobility authentication credentials, the prompt for logging on using certificates is unavailable (dimmed). Navigate away from the prompt; you can then return to it and complete your logon.
Android: A user certificate on Motorola RAZR phone is inaccessible when connected via a USB cable [MOB-3012]
When a Motorola RAZR phone running Android 4.1.2 is connected to a computer via a USB cable, an installed user certificate for RADIUS authentication is not accessible. When the device is connected via USB, its sdcard is inaccessible, which means that certificates are not accessible. To work around this issue, make sure the device is not tethered, make sure it is not connected to a computer via a USB cable, and then try again.
Android: Restricted profiles and multiple users [MOB-2914]
When an Android device has a restricted profile or is configured to support multiple users, the Mobility client for Android can only be started by the primary user. It cannot be started by other users.
Android: Force stop sometimes necessary if Mobility prompt is ignored [MOB-2887]
When you first start the Mobility client on Android you are asked by the Android operating system whether you trust the VPN app. On some devices, if you ignore this prompt and attend to other apps, Mobility will display Connecting... Waiting for Mobility Adapter; once the mobile VPN is off, it cannot be toggled on again. At this point you may need to force quit Mobility: go to Settings > Application Manager, and then select Mobility in the list and tap Force stop.
Android Motorola RAZR: Unable to generate diagnostic report when device is connected using USB [MOB-2872]
If you see an error on your Motorola RAZR device when you try to generate a diagnostic report, make sure the device is not tethered, make sure it is not connected to a computer via a USB cable, and then try again.
Memory leaks with Cisco Jabber v9.1.3 and v9.2.1 [MOB-2554]
When running the Mobility client with Cisco Jabber v9.1.3 or v9.2.1, you may see a memory leak. To see whether an inordinate amount of memory is being used, open Task Manager, click on the Performance tab, and then look at the Physical Memory Usage History. The workaround for this issue is to stop Jabber and restart it (you will not lose your existing conversations).
When upgrading from RSA SecurID Software Token version 4.1.0 to 4.1.1 [MOB-2417]
If you upgrade from RSA Soft Token 4.1.0 to 4.1.1 on a computer running the Mobility client on Windows, Setup indicates that NetMotion Tray Icon (the Mobility client system tray icon) is running. As a workaround, select the Do not close applications. (A reboot will be required.) option. After you reboot, the upgrade will be complete.
Android 4.0.x: On an HTC EVO 4G LTE device the behavior of Restart and Off are different [MOB-2292]
If the administrator allows it, Android users can configure the Mobility client so that it does not immediately attempt to connect to a Mobility server at startup. If this is how your Android HTC EVO 4G LTE device is configured, here is what happens when you turn it off and then on again:
- If you use Restart, the device behaves as expected: Mobility does not start automatically.
- If you use Off, the saved state of the device (connected) is resumed. The notifications area indicates that the Mobility client is running, but if you check the running app list in Settings, Mobility is not there.
On an HTC EVO 4G LTE device, use Restart instead of Off.
Configuring the Mobility client to work with Norton Internet Security Suite 2011 firewall [MOB-1219]
If you install Norton Internet Security Suite 2011 and then install the Mobility client on a computer running Windows XP, the client will be unable to connect to the Mobility server unless you either disable the Norton firewall or configure it to allow Mobility connections. If you install the Mobility client first, and then install the Norton firewall, these workarounds are unnecessary.
If a NIC is renamed, the new interface name must be selected in the Mobility Management Tool [MOB-6125]
If you change the name of the network adapter on the computer hosting a Mobility server, you must open the Mobility Management Tool and select the correct internal interface on the Mobility Server tab (even though there is only one interface displayed). If you do not perform this step your Mobility deployment will continue to function, but only until the server is rebooted. If the server is rebooted and the correct interface has not been selected, Mobility clients will be able to connect, but will have invalid virtual addresses.
Apply hotfix for RSA Authentication Agent version 7.2.0 or 7.2.1 [MOB-5031]
In order to authenticate Mobility users with RSA SecurID you must install the RSA Authentication Agent on the Mobility server. If you are running the Mobility server on Windows Server 2012, and your RSA agent is version 7.2.0 or 7.2.1, make sure that you apply the RSA hotfix appropriate for your agent.
Client authentication on NPS fails after Windows Server 2012 R2 update [MOB-4396]
If you are using Microsoft Network Policy Server (NPS) and you apply the KB2919355 Microsoft update for Windows Server 2012 R2, clients are no longer able to connect using EAP-TLS or PEAP-TLS. On the NPS server you will see the following error: Error code 262 - The supplied message is incomplete. The signature was not verified.
"Could not install service" error during upgrade [MOB-3250]
On rare occasions upgrading the Mobility server results in the error message "Could not install service". If you see this error, follow these steps to complete the upgrade:
- Dismiss the "Could not install service" dialog.
- Reboot the computer hosting the Mobility server.
- Run Mobility Setup again and select the Repair option.
The Mobility server upgrade then finishes, and the server will need to be brought online.
Uninstall Mobility server before upgrading a Windows Server 2012 operating system [MOB-3186]
Before upgrading the Windows Server 2012 operating system to Windows Server 2012 R2 on a computer hosting the Mobility server, you must first uninstall Mobility. Follow these steps:
1. Make a note of any settings that apply exclusively to the Mobility server being hosted on the computer you plan to upgrade.
2. Uninstall the Mobility server.
3. Upgrade the operating system from Windows Server 2012 to Windows Server 2012 R2.
4. Re-install the Mobility server and make any of the changes you noted in step 1.
Warning banner when upgrading from Mobility v9.2x to Mobility v10 [MOB-2911]
When you upgrade a single server in a pool to Mobility v10, and then log on to the Mobility console for that server, you will see a pink banner indicating that the internal interface is disabled or misconfigured for the other servers in your pool. This is normal: the Mobility servers running v9.2x (which you have not upgraded to v10 yet) do not support an internal interface. Once all of the servers in the pool are upgraded to v10 the banner disappears.
An installation path that includes diacritical characters is not supported [MOB-525]
During Setup for a Mobility component, do not specify an installation path that includes diacritical characters. The following path, for example, is not supported: c:\Réseau privé virtuel\Mobility.
Migrating data from v9.2x to v10: some extended characters are not supported [MOB-1047]
Analytics data collected in previous versions of Mobility can be exported and preserved using the Analytics Module Data Export Utility. Cyrillic characters, however, are not exported correctly: after data migration they appear in the database as question marks. Once the Analytics Module is upgraded, new data that includes these characters is supported and they are displayed correctly.
TcpTransport event log errors when adding an Analytics Module [MOB-782]
If you add an Analytics Module to a pool of Mobility servers, you may see errors in the event log that look like this: Error <time stamp> Reporting TcpTransport - Reason: java.lang.InterruptedException
It is safe to ignore these errors.
NAC - AVG Internet Security Business Edition 2012 on Windows XP [MOB-1785]
To enable a Mobility client to connect to a Mobility server from an external network, you must configure your firewalls and routers to allow traffic to and from UDP port 5008 for all of the Mobility server's external addresses. With AVG Internet Security Business Edition 2012 installed on Windows XP, the Mobility client is unable to connect to the Mobility server because the AVG firewall switches into domain network mode just after connecting, and it then begins blocking outbound UDP packets. The workaround is to add a rule to the AVG configuration to allow UDP/5008 traffic.
NAC - A Trend Micro OfficeScan check fails at startup [MOB-886]
If an antivirus NAC rule for a Mobility client with Trend Micro OfficeScan fails a check during startup, but later (once the user has arrived at the desktop) the rule works as expected, you may need to edit the registry to change how services are loaded.
By default, a supported client security product does not need to be running in order for the Mobility client to start. In the situation described here, however, you may need to set up a dependency so that Mobility will not start until after the Trend Micro service is started.
In the registry, navigate to the following Mobility service:
In the DependOnService value, add the name for the Trend Micro service, ntrtscan.
Reboot the computer. When it starts, it uses this registry entry to verify that ntrtscan is started before attempting to start the Mobility service.
NAC shows threat warning after threat is removed [MOB-94, MOB-795]
A NAC warning is displayed on the Mobility server, the Mobility client, and written to client diagnostics when a Mobility client fails to comply with a rule but is nevertheless allowed to connect to the Mobility server. Removing the threat does not remove the warning, however, until a full scan has been performed (which is usually every 24 hours). The client Connection List in the Mobility console continues to warn that the client is not in compliance until after a full scan completes.
| Fixed In | Summary | Issue Number | Description |
| --- | --- | --- | --- |
| 10.50 | Android: Do not upgrade to v4.4.x Kit Kat | MOB-4502 | Mobility version 10.10 is supported on Android 4.0 - 4.3.x, but not Android 4.4.x (Kit Kat). Mobility version 10.50 supports Android version 4.x and later. |
| 10.50 | Android: Trouble reconnecting | MOB-2887 | When you start a new VPN session, or when you install or upgrade the Mobility client for Android, you are prompted to trust the app. If you press the Android Home button while the prompt is displayed you can "lose" this prompt and the client cannot successfully reconnect. |
| 10.11 | RADIUS authentication fails to negotiate | MOB-3908 | Authentication was not properly negotiated (disconnect reason 61: "Authentication mode or protocol is invalid"). |
| 10.11 | Smart card single sign-on not working properly in v10.x for Mobility XE clients | MOB-3590, MOB-3937 | For deployments using single sign-on, logon did not work properly (users were prompted twice instead of once). |
| 10.10 | Android: "Authentication required" notification appears even if Mobility client is disconnected | MOB-2856 | If the user does not enter credentials when prompted, the Mobility client is normally disconnected and the user does not continue to be prompted. On some devices a notification ("Authentication required") appears even if the client is disconnected after no credentials are entered. |
| 10.10 | SecurID Soft Token v4.1 is not displayed during logon | MOB-37 | When the Mobility client is invoked immediately after the Windows logon prompt, the SecurID Software Token is not shown in the authenticator drop-down box unless the RSA SecurID Software Token application has been installed with certain parameters. |
| 10.01 | Performance improvement | MOB-3036 | The maximum transmission unit (MTU) was set to different values for different packet types. |
| 10.0 | SecureAuth user certificate unable to authenticate because "host/" is prepended to the username | MOB-2851 | When Mobility tries to connect using a SecureAuth-generated certificate the user name is invalid because it is prepended with <host/>. |
| 10.0 | Network traffic may stop with certain USB-based remote NDIS devices | MOB-2747, MOB-2714 | When certain RNDIS devices (for example, the U770 Sprint Plug-in-Connect Tri-Mode USB by Franklin Wireless and UML295 on Verizon) are inserted into a computer hosting the Mobility client, network traffic may stop. |
| 10.0 | Three minutes is sometimes not long enough to get to desktop | MOB-2645 | Fix the timeout for Mobility so that customers with intermittent issues like latency, AD activity, or WWAN connections are not prevented from reaching the desktop. |
| 10.0 | Enforce Logon - Always Prompt for User Credentials client setting | MOB-2441 | Enforce this client setting, even when Mobility disconnects and then reconnects. |
| 10.0 | Remote silent install fails with SCCM | MOB-2010, MOB-2071, MOB-2307 | The installation did not complete (installation of the virtual adapter failed). This is fixed in Mobility v10. |
| 10.0 | Customer getting an unexpected password prompt (EAP-GTC prompt we should auto answer) | MOB-2365 | For customers using EAP-GTC, Mobility failed to recognize a non-default password prompt. A new server setting was added in v10 to handle this situation; see the console on-screen help for Authentication - EAP-GTC Password Change Tokens. |
| 10.0 | Fine-grain password policy ignored by Mobility | MOB-2186 | A PSO (Fine Grain Policy) with a password change every 90 days (instead of the default of 30 days) was ignored by Mobility. |
| 10.0 | Non-quarantined devices incorrectly listed as quarantined in the Mobility console | MOB-2114 | This is fixed in v10. |
| 10.0 | Mobility interferes with certain sound cards | MOB-2045 | Mobility interferes with certain audio drivers on the market. If you install the Mobility client and the sound stops working, contact NetMotion Wireless Technical Support for workaround steps. |
| 10.0 | EAP-GTC authentication challenge incorrectly includes a change password request | MOB-1970 | You can configure EAP-GTC authentication to prompt users for each authentication challenge separately before a connection is established. Mobility incorrectly included a password change request in the challenge. |
| 10.0 | Single sign-on with the Wave fingerprint reader does not work | MOB-1944 | The Wave software now contains a call that retrieves the password associated with the fingerprint so that Mobility can support single sign-on. |
| 10.0 | Change Client certificates to User certificates in the Mobility client interface | MOB-1666 | A client certificate is technically either a device or a user certificate. To avoid confusion, change the wording in the Mobility client configuration. |
| 10.0 | Default to bypass should gather user credentials reliably when reaching the desktop | MOB-1622, MOB-1623 | When a user logs on to establish a connection to the Mobility server, the logon dialog box can be pre-populated with user and domain name credentials, or left blank. Specifying which credentials (if any) to display involves a combination of client settings in the Mobility server console and a configuration option on the client. See the client settings Logon - Default Credentials and Permissions - Default Credentials Override for more information. |
| 10.0 | Trouble switching to a 4G network | MOB-1583 | When devices roam from a 3G to a 4G network, the carrier needs up to 2 minutes of network silence in order to make the switch. If you are using a Mobility client in an area that you know offers 4G, but your connection manager still indicates that you are using 3G, contact NetMotion Wireless Technical Support. They can help you figure out if you are running "chatty" applications or services that are preventing the transition to 4G. |
| 10.0 | When Show all certificates is selected only authentication-related certificates should be shown | MOB-1578 | Selecting Show all certificates now lists all certificates on the card, including duplicates and expired certificates. |
| 10.0 | Client setting results in excessive credential prompting during load balancing | MOB-1412 | When the client setting Logon - Prompt for user credentials at every reconnect is enabled, a Windows Mobile device has to enter credentials several times before connecting to a Mobility server in a pool. |
| 10.0 | Windows Mobile: Connect button must be pressed twice | MOB-1382 | If the device is configured for Default to Bypass and is then rebooted, the user has to press the Connect button twice before the client will try to connect. |
| 10.0 | RSA SID800 token is treated as a software token | MOB-80, 17825 | For an RSA SecurID 800 authenticator token (a USB key fob), authentication fails because the fob is incorrectly treated as a software token by Mobility. As a result, Mobility tries to obtain the next token immediately instead of prompting the user to wait until the next tokencode is displayed. As a workaround, remove the SID800 token from the USB socket and enter both the tokencode and the Next tokencode manually. |
| Fixed In | Summary | Issue Number | Description |
| --- | --- | --- | --- |
| 10.50 (build 28830) | Mobility server conflict with GFI LanGuard software | MOB-5141 | If you have GFI LanGuard software installed on the computer that will host the Mobility server, running a newly installed or upgraded v10.50 Mobility server results in a fatal system error (blue screen). |
| 10.50 | Unable to RDP to a Mobility client (XG) | MOB-4196 | The system administrator was unable to establish remote access to a Mobility client with technology type XG (Mobility XE clients had no issues). |
| 10.11 | Slower performance on 3G networks | MOB-3956 | Some parameters were adjusted in v10.10 for LTE optimization, but they caused problems on other networks, especially 3G. |
| 10.11 | Server may crash when load balancing is turned off | MOB-3822 | If load balancing is disabled the Mobility server may crash (see the server setting Load Balancing - On/Off). |
| 10.10 | Resource leak with remote monitoring software | MOB-3317 | Fixed a resource leak exposed by third-party applications that use WMI (Windows Management Instrumentation), such as Solarwinds. |
| 10.01 | Upgrades to v10.x | MOB-3027, MOB-3017, MOB-2938, MOB-2935 | Process improvements for upgrading to v10.01. |
| 10.01 | Use an IP address or host name to specify a syslog server | MOB-3009 | When you specify a syslog server in the Mobility console (Configure > Server Settings > Syslog - Server Host), enter either the host name or the IP address of the syslog server. Prior to v10.01, the syslog server could be specified only using an IP address. |
| 10.01 | Mobility server blue screen | MOB-2987 | A rarely occurring combination of connected clients and VPN traffic caused the Mobility server to fail and then reboot. |
| Fixed In | Summary | Issue Number | Description |
| --- | --- | --- | --- |
| 10.10 | Policy - An "allow" policy followed by a "block all" fails on Windows 8 | MOB-3159 | For Mobility clients with a Technology Type of XG (such as Mobility v10.01 on Windows 8), a policy that allowed traffic for a specific network and port and then blocked all other traffic failed. |
| 10.10 | NAC - Only an exported rule can be copied or renamed | MOB-3056 | You cannot rename a rule in the Mobility console using the Edit or Copy links. The workaround for this issue is to export the rule you plan to copy and/or rename (Mobility console > Policy > Network Access Control > Rules > Export), make your edits in a text editor, and then import the rule. |
| 10.0 | When the policy base rule is Block, Mobility should still pass through loopback traffic | MOB-2121 | Even if a rule has a base action of Block, Mobility now passes through any local loopback traffic (127.0.0.0/8) by default. |
| 10.0 | Unable to configure a value for the policy condition Network Access Control (NAC) Status | MOB-2440 | Using Policy Management, you can create a client policy that uses the Mobility client NAC status as a condition. In the v10 Mobility beta, setting a value for the condition Network Access Control (NAC) Status resulted in an error. |
| 10.0 | QOS policies are inactive when a speed override is applied | MOB-2436 | Policies that trigger based on interface speed did not work on all platforms. |
| 10.0 | Symantec antivirus finds threat, but NAC still triggers after remediation | MOB-2078 | A threat continued to trigger network access control errors after it was remediated. |