NetMotion Mobility v11 Known and Resolved Issues
Last updated: November 1, 2017
The numbers in square brackets are internal issue numbers. Issues are grouped by product area and listed in descending order by issue number.
Mobility Client Support for Windows 10
The NetMotion Mobility Client is supported on Windows 10 (Pro and Enterprise Editions) for 32- and 64-bit operating systems. Clients on Windows 10 must connect to a Mobility server running v10.70 or later.
The look and functionality of the Android client have improved in v11.30, which was made available on Google Play Store August 10, 2017. Administrators who deploy both Android and Apple devices will find that the Mobility user interfaces are similar:
- You can create multiple VPN configurations and switch between them.
- The user interface has a light background, which is easier to read, and a new sidebar menu for access to other areas (settings, logs, and so on).
- You can import multiple certificates from the Android file system, downloads, e-mail, or the system CA certificate store.
- There is support for UPN formats (for example, user@domain and domain\user) during user logon.
- There is a single client for all devices (Android 4.4 and later is required).
- Mobility supports Android for Work, which requires Android 6.x or later.
- Mobility also supports Android KNOX, which requires Android 5.x or later.
Windows Server 2012 R2: Microsoft Support Advisory for NPS
On Tuesday August 8, 2017, Microsoft released a roll-up patch (KB4034681) for NPS running on Windows Server 2012 R2 that broke authentication based on RADIUS EAP-TLS and PEAP-TLS. You may no longer be able to authenticate after applying the roll-up.
Microsoft has published a workaround that involves changing a registry setting on your NPS server. NPS administrators should evaluate whether to implement the workaround or to hold off installing the patch until Microsoft implements a fix.
About Upgrading Mobility
Settings: When you upgrade Mobility, the settings that you have configured in the earlier release are used in the new installation. But sometimes NetMotion Software will change settings and you need to be aware of the consequences. See Things to Consider Before You Upgrade Mobility in the Mobility server help for details.
Mobility warehouse: Versions 10 and later of the Mobility server work only with version 7.0 and later of the Mobility warehouse.
If you are upgrading to Mobility v11, your starting point must be Mobility servers running v9.2x or later, and version 7.0 of the Mobility warehouse.
If you have version 7.0 of the warehouse from a previous release, upgrade the warehouse to v11.
See Upgrading the Mobility Warehouse in the Mobility server help for details.
FIPS 140-2 CNG Modules
When Mobility is configured to require FIPS 140-2 validated encryption, a Mobility server accepts connections from Mobility clients that use any of a list of cryptographic modules specified in the Mobility console. The default list of modules is as follows:
| Module | Version |
| --- | --- |
| ccrypto | 7 |
| ccrypto | 8 |
| ccrypto | 9 |
| ccrypto | 10.11 |
| cng | 6.1.7600.16385 |
| cng | 6.1.7600.16915 |
| cng | 6.1.7600.21092 |
| cng | 6.1.7601.17514 |
| cng | 6.1.7601.17725 |
| cng | 6.1.7601.17919 |
| cng | 6.1.7601.21861 |
| cng | 6.1.7601.22076 |
| cng | 6.2.9200 |
| cng | 6.3.9600 |
| cng | 10.0 |
| mocana | 5.5.F |
| openssl-fips | 2.0.12 |
Before you install or upgrade the Mobility server, refer to FIPS Considerations During Setup in the help. It includes important tips for upgrading and information about Windows 7 clients.
As of Mobility v9.50 the Analytics Module is a single component. For users who are upgrading and want to use the data they have collected, there are procedures and a utility (the Analytics Module Data Exporter) to migrate data from all supported configurations. Before installing version 11, look through the scenarios in Upgrading the Analytics Module in the Mobility server help and follow the instructions for the one that best fits your deployment.
Specifying an Internal Interface
If you have more than one network adapter on the computer that will host your Mobility server, you must specify (during Setup) the name of the network adapter that is to be used as the internal interface. To make sure that Mobility-related traffic is properly routed, refer to Configuring Network Interfaces and Routing for information about what you need to configure and take into account.
Windows Server 2003 and Windows Server 2008 Support Ended
The Mobility server is supported only on Windows Server 2012 R2 and Windows Server 2012:
- As of v10, Mobility is not supported on Windows Server 2003 R2. Version 9.5x is the last release that supports that platform.
- As of v11, Mobility is not supported on Windows Server 2008 R2. Version 10.71 is the last release that supports that platform.
For a table showing what versions of Mobility are supported on which operating systems, see the NetMotion Software web site: https://www.netmotionsoftware.com/support/supported-systems/.
Client issues are grouped by operating system and listed in descending order by issue number.
iOS and Android: Skype session does not persist during roam [MOB-8599]
If you are on a Skype video call and you roam between cellular and Wi-Fi, your call is disconnected.
When upgrading from RSA SecurID Software Token version 4.1.0 to 4.1.1 [MOB-2417]
If you upgrade from RSA Soft Token 4.1.0 to 4.1.1 on a computer running the Mobility client on Windows, Setup indicates that NetMotion Tray Icon (the Mobility client system tray icon) is running. As a workaround, select the Do not close applications. (A reboot will be required.) option. After you reboot, the upgrade will be complete.
macOS: A password in an MDM profile does not get pushed down to the Mobility client [MOB-8754]
If you use an MDM to create a configuration profile that includes a password, the password does not get pushed down to the Mobility client for macOS unless you are running macOS version 10.12.3 or later.
macOS: Settings not preserved during Mobility upgrade (Apple RADAR ID: 25911312) [MOB-8671]
If you are running El Capitan (macOS version 10.11), configuration profiles created in Mobility will disappear when you upgrade Mobility to 11.02. (A configuration profile is preserved if it was installed using an MDM or Apple Configurator.)
This is an issue with the Apple operating system (Apple RADAR ID: 25911312). An alternative workaround is to delay upgrading Mobility until after you have upgraded macOS to Sierra.
macOS: AirWatch Per-App profile not displayed in Mobility client [MOB-8500]
If you create a VPN profile for Mobility in the AirWatch console, and you enable Per App VPN Rules in the connection info area, the profile does not appear in the list of configurations for the Mobility client for macOS.
macOS: Mobility extension stops unexpectedly (Apple RADAR ID: 25290018) [MOB-8172]
There is an issue with the Apple operating system (Apple RADAR ID: 25290018) that can cause the Mobility client to stop unexpectedly during roaming or startup, or when a policy is applied or removed. The Mobility app automatically reconnects if the Mobility extension crashes for any reason, so users may not be aware of this issue. When the problem occurs an Info message is logged to appLog.txt ("Mobility extension stopped unexpectedly. Reconnecting.").
iOS: Upgrading may fail if Mobility is connected [MOB-9857]
If the Mobility client for iOS is connected to a Mobility server when you upgrade, the upgrade may fail. Disconnect from the Mobility server and then upgrade to the latest client.
iOS: Per-App VPN manual connect fails (Apple RADAR ID: 27704986) [MOB-9348]
When you push a per-app profile down to Mobility clients, the VPN is automatically used only for the apps that you specify, without input from the user. If the user manually turns the VPN on, the following message is displayed on the client: "The connection cannot be started. The operation couldn't be completed. (NEVPNErrorDomain error 2.)". This is an issue with the Apple operating system (Apple RADAR ID: 27704986).
iOS: A FaceTime connection may be lost when you roam between WiFi and cellular networks [MOB-4866]
You can maintain a FaceTime connection with the Mobility client for iOS, but the connection is sometimes lost if you roam between networks (from WiFi to cellular or cellular to WiFi).
Changing or clearing certificates [MOB-10476]
On older Android devices (before version 6), changing or clearing certificates in Android Settings may also remove them from any Mobility configurations that use them (in the Mobility client the certificate will be listed as Unknown). You must import the certificate again in order to use it.
Android: the Mobility client is incompatible with IAS [MOB-9352]
The v11 Mobility client for Android is incompatible with an authentication server running Internet Authentication Service (IAS), Microsoft's RADIUS implementation for Windows Server 2003. Mobility supports Network Policy Server (NPS), the current Microsoft implementation of a RADIUS server and proxy.
Android 5.x: Connecting Mobility on startup takes about a minute after device restart [MOB-7148]
When Connect on startup is selected the Mobility client attempts to connect to a Mobility server at the same time as the Android device starts. On a device running Android 5.x that has been restarted, it can take up to a minute before Mobility begins connecting to the Mobility server.
Android 5.x: "Connecting ... waiting for Mobility adapter" state persists [MOB-5739]
If a user is connected using Mobility and then uninstalls and re-installs the Mobility app (either the same version of the app, or during an upgrade), the Mobility client will remain in the "Connecting ... waiting for Mobility adapter" state. Reboot the Android device to clear the message.
Android: Cannot use Mobility client for Android with Skype version 4.6 and later [MOB-5151]
Mobility client for Android users are not able to connect to Skype if they are running Skype version 4.6 (which was released in February, 2014) or later. A fix is expected from Skype in the near future.
Android 4.0.x: On an HTC EVO 4G LTE device the behavior of Restart and Off are different [MOB-2292]
If the administrator allows it, Android users can configure the Mobility client so that it does not immediately attempt to connect to a Mobility server at startup. If this is how your Android HTC EVO 4G LTE device is configured, here is what happens when you turn it off and then on again:
- If you use Restart, the device behaves as expected: Mobility does not start automatically.
- If you use Off, the saved state of the device (connected) is resumed. The notifications area indicates that the Mobility client is running, but if you check the running app list in Settings, Mobility is not there.
On an HTC EVO 4G LTE device, use Restart instead of Off.
Android: Interface proxy settings are ignored when connected with Mobility [MOB-4190]
In the Android operating system you can modify the proxy settings for WiFi connectivity, but these settings are ignored when the device is connected over the Mobility VPN tunnel (without a VPN installed the proxy works as expected). This is due to Google issue 33935.
Android 4.4: Application connections do not persist when roaming between networks [MOB-3275]
In version 4.4 of the Android operating system (KitKat), Google made a change that was problematic for many VPN vendors, including NetMotion Software. The result for the Mobility client is that application persistence breaks.
Android: Enabling "Connect on startup" has no effect on certain HTC Android devices [MOB-3208]
When Connect on startup is selected the Mobility client attempts to connect to a Mobility server at the same time as the Android device starts. On an HTC One S device, enabling this setting has no effect: the Mobility VPN must be manually turned on.
Android: When credentials are cleared certificate logon is unavailable [MOB-3120]
If you clear your Mobility authentication credentials, the prompt for logging on using certificates is unavailable (dimmed). Navigate away from the prompt; you can then return to it and complete your logon.
Android: A user certificate on Motorola RAZR phone is inaccessible when connected via a USB cable [MOB-3012]
When a Motorola RAZR phone running Android 4.1.2 is connected to a computer via a USB cable, an installed user certificate for RADIUS authentication is not accessible. When the device is connected via USB, its sdcard is inaccessible, which means that certificates are not accessible. To work around this issue, make sure the device is not tethered, make sure it is not connected to a computer via a USB cable, and then try again.
Android: Restricted profiles and multiple users [MOB-2914]
When an Android device has a restricted profile or is configured to support multiple users, the Mobility client for Android can only be started by the primary user. It cannot be started by other users.
Android: Force stop sometimes necessary if Mobility prompt is ignored [MOB-2887]
When you first start the Mobility client on Android you are asked by the Android operating system whether you trust the VPN app. On some devices, if you ignore this prompt and attend to other apps, Mobility will display Connecting... Waiting for Mobility Adapter; once the mobile VPN is off, it cannot be toggled on again. At this point you may need to force quit Mobility: go to Settings > Application Manager, and then select Mobility in the list and tap Force stop.
Android Motorola RAZR: Unable to generate diagnostic report when device is connected using USB [MOB-2872]
If you see an error on your Motorola RAZR device when you try to generate a diagnostic report, make sure the device is not tethered, make sure it is not connected to a computer via a USB cable, and then try again.
Mobility v11 browser settings for Internet Explorer 10
In Mobility v11 the console cannot be accessed using TLS 1.0; if you have only TLS 1.0 enabled, you will see the error This page can't be displayed. To change your Internet Explorer browser settings go to Tools > Internet options > Advanced tab > Security and then select Use TLS 1.1.
This is a workaround for Internet Explorer 10; it is not an issue with Internet Explorer 11, Firefox, or Chrome.
Standards-compliant RADIUS compatibility [MOB-10083]
Mobility supports standards-compliant RADIUS servers for authentication:
- If you are using a Dual Shield RADIUS server, make sure it is version 5.9.3.0215 or later, to ensure that it supports TLS 1.2.
- If you are using a Free RADIUS server, make sure it fully supports TLS 1.2.
Accumulating Java core dump files [MOB-9500]
If you find that Java core dump files are consuming too much disk space, they can be safely deleted. The files typically have the extension .mdmp and are written to the webserver folder (for example: c:\Program Files\NetMotion Server\webserver).
Mobility server Start page links fail after upgrade to v11 [MOB-8708]
The Start menu icon locations have changed in v11, and the Windows Server operating system does not reflect the changes until you log off and then log back on again (a restart is not necessary).
Primary warehouse name cannot include Japanese characters [MOB-7821]
If you are running Mobility software that has been localized for the Japanese market, do not assign the primary warehouse a name that includes Japanese characters: a standby warehouse will not be able to create a replication agreement with the primary warehouse.
A user is temporarily prevented from being re-added to a group [MOB-6755]
If a user belongs to a group and the entry is somehow corrupted, the Mobility warehouse puts a "lock" on the data that lasts about 30 minutes. To re-add the user to the group to which he or she belonged, reboot the server after the 30-minute waiting period is over.
Analytics database service fails to shut down in a timely manner [MOB-6633]
This is an issue that rarely occurs: during a Mobility Analytics Module upgrade, the shutdown of the analytics database service takes much longer than it should.
If a NIC is renamed, the new interface name must be selected in the Mobility Management Tool [MOB-6125]
If you change the name of the network adapter on the computer hosting a Mobility server, you must open the Mobility Management Tool and select the correct internal interface on the Mobility Server tab (even though there is only one interface displayed). If you do not perform this step your Mobility deployment will continue to function, but only until the server is rebooted. If the server is rebooted and the correct interface has not been selected, Mobility clients will be able to connect, but will have invalid virtual addresses.
Apply hotfix for RSA Authentication Agent version 7.2.0 or 7.2.1 [MOB-5031]
In order to authenticate Mobility users with RSA SecurID you must install the RSA Authentication Agent on the Mobility server. If you are running the Mobility server on Windows Server 2012, and your RSA agent is version 7.2.0 or 7.2.1, make sure that you apply the RSA hotfix appropriate for your agent.
"Could not install service" error during upgrade [MOB-3250]
On rare occasions upgrading the Mobility server results in the error message "Could not install service". If you see this error, follow these steps to complete the upgrade:
- Dismiss the "Could not install service" dialog.
- Reboot the computer hosting the Mobility server.
- Run Mobility Setup again and select the Repair option.
The Mobility server upgrade finishes and must then be brought online.
Uninstall Mobility server before upgrading a Windows Server 2012 operating system [MOB-3186]
Before upgrading the Windows Server 2012 operating system to Windows Server 2012 R2 on a computer hosting the Mobility server, you must first uninstall Mobility. Follow these steps:
1. Make a note of any settings that apply exclusively to the Mobility server being hosted on the computer you plan to upgrade.
2. Uninstall the Mobility server.
3. Upgrade the operating system from Windows Server 2012 to Windows Server 2012 R2.
4. Re-install the Mobility server and make any of the changes you noted in step 1.
Warning banner when upgrading from Mobility v9.2x to Mobility v10 [MOB-2911]
When you upgrade a single server in a pool to Mobility v10, and then log on to the Mobility console for that server, you will see a pink banner indicating that the internal interface is disabled or misconfigured for the other servers in your pool. This is normal: the Mobility servers running v9.2x (which you have not upgraded to v10 yet) do not support an internal interface. Once all of the servers in the pool are upgraded to v10 the banner disappears.
Migrating data from v9.2x to v10: some extended characters are not supported [MOB-1047]
Analytics data collected in previous versions of Mobility can be exported and preserved using the Analytics Module Data Export Utility. Cyrillic characters, however, are not exported correctly: after data migration they appear in the database as question marks. Once the Analytics Module is upgraded, new data that includes these characters is supported and they are displayed correctly.
Policy rule or rule set names must use ASCII characters [MOB-9892]
With Mobility server v11.03 only ASCII characters are valid for the names of policy rules or rule sets. If you use any extended characters, such as an "a" with a diaeresis (ä) or a Japanese character, the policy cannot be pushed down to any clients. This is not an issue for Mobility server v11.00 or v11.02, just v11.03.
| Fixed In | Summary | Issue Number | Description |
| --- | --- | --- | --- |
| 11.05 | Windows clients: Disconnect reason 107 | MOB-10459 | Mobility clients sometimes disconnected at logon (reason 107). |
| 11.05 | Windows clients: 32-bit Chrome v56 and Windows 64-bit | MOB-10420 | Running version 56 of the 32-bit Chrome browser on a 64-bit computer caused the Mobility client to fail. |
| 11.04 build 25554 | Windows clients: Fix problem with client deployment | MOB-10290 | Setup was unable to start when an update was pushed to a Windows client during a client deployment. |
| 11.04.1 | iOS clients (v11.03): Mobility client connection over WiFi can sometimes fail | MOB-9969 | With a Mobility client (v11.03 and running on iOS) connected over WiFi, the connection to the Mobility server sometimes failed. |
| 11.04 build 22344 | Windows clients: Windows can't verify publisher of this driver software | MOB-10020 | If the trusted root certificate is missing from the computer on which the Mobility client is installed and cannot be retrieved from the Windows Update center, Setup now provides it without prompting the user. |
| 11.04 | EAP-TLS authentication failed on NPS | MOB-9894 | When using a Microsoft Network Policy Server (NPS) running on Windows Server 2016, authentication failed because NPS negotiates to TLS version 1.2. Mobility now supports TLS 1.2. |
| 11.04 | TLS1.2 negotiation failed | MOB-9805 | There was an incompatibility with mToken RADIUS. |
| 11.03 | Reauthentication using certificates failed on iOS devices when the device was locked | MOB-9836 | If reauthentication occurred while a device was locked, Mobility did not have access to the certificate and the process failed. This is fixed in v11.03. |
| 11.03 | Windows Defender update incompatible with Mobility client | MOB-9771 | On the Mobility client running Windows 10 or Windows 8.1, the latest Windows Defender virus definition update failed. This is fixed in Mobility client v11.03. |
| 11.03 | When policy changes, re-evaluate the traffic flows | MOB-9666 | When a policy change occurs on the Mobility client, immediately re-evaluate the UDP and TCP traffic flows (do not use the cached flow). |
| 11.02 | Mobility now supports TLS1.1/1.2 for RADIUS authentication | MOB-8613 | Pre-v11.02 Mobility clients accept only TLS1.0 for RADIUS authentication. |
| 11 | Passthru DNS traffic is routed to the virtual adapter | MOB-7084 | Passthru DNS traffic is routed to the virtual adapter. |
| Fixed In | Summary | Issue Number | Description |
| --- | --- | --- | --- |
| 11.04 | Policy rule or rule set names must use ASCII characters | MOB-9892 | With Mobility server v11.03 only ASCII characters were valid for the names of policy rules or rule sets. This was not an issue for Mobility server v11.00 or v11.02. |
| 11.03 | Warehouse errors displayed in Mobility console | MOB-9755 | The Mobility console saves configuration settings and client policies to the warehouse. A setting change made in the console sometimes failed to be saved to the warehouse on the first submit attempt; a second attempt would succeed. |
| 11.03 | Mobility server upgrades to v11.02 sometimes failed | MOB-9687 | During Mobility Setup there was an incompatibility with Windows Server 2012 R2 certificates. |
| 11.02 | Automatic warehouse backup failed with older base DN | MOB-9480 | In earlier Mobility releases, Setup prompted users to enter a base DN for the Mobility warehouse. Users with a non-default base DN who upgraded to Mobility v11 were unable to use the automatic warehouse backup feature. |
| 11.02 | Make log messages sent to syslog easier for Splunk to parse | MOB-9406 | Make session numbers consistent across logs (regardless of source). |
| 11.02 | New clients cannot connect after incomplete upgrade to v11 | MOB-9388 | If you were prompted to reboot the Mobility server during an upgrade to v11, it is possible that the Configuration Wizard failed to run following the reboot. In this case, the upgrade is incomplete and clients are not able to connect. In Mobility v11.02 the Configuration Wizard starts automatically after a reboot. |
| 11.02 | Testing DC mapping only found groups that belonged to the user's logon domain | MOB-9102 | The Domain Controller Mapping Test button only mapped AD groups that belonged to the user's logon domain. As of v11.02 there is an option for also searching trusted domains. |
| 11 | Firewall failover failed with Mobility XG clients | MOB-7263 | During a failover to another firewall node Mobility failed to send packets to the new firewall MAC address. |
| 11 | A custom Logon Notice was not shown on initial connection | MOB-6647 | If you configured Mobility to add devices to a group based on operating system, and you also configured a logon notice, the notice was not displayed when the device connected for the first time. |
| 11 | Could not establish a remote session on the Mobility server over WAN | MOB-5145 | With the Mobility client running on iPhone or iPad, a remote session on the Mobility server over WAN timed out with an error. |
| 11 | TcpTransport event log errors when adding an Analytics Module | MOB-782 | If you added an Analytics Module to a pool of Mobility servers, you might see (ignorable) errors in the event log that look like this: Error <time stamp> Reporting TcpTransport - Reason: java.lang.InterruptedException |
| Version | Component | Release Date | Build Number | Description |
| --- | --- | --- | --- | --- |
| 10.72 | iOS client | September 14, 2016 | 18050 | Users must upgrade to this release to prevent duplicate device registrations after Mobility 11 is released (see help) |
| 10.73 | Windows client | October 10, 2016 | 19765 | Microsoft Defender fix [MOB-9771] |
| 11 | Server | July 5, 2016 | 14681 | See What's New in NetMotion Mobility |
| 11 | Windows client | July 5, 2016 | 14681 | See What's New in NetMotion Mobility |
| 11 | macOS client | July 5, 2016 | 14548 | See What's New in NetMotion Mobility |
| 11.01 | Server | July 27, 2016 | 15791 | Japanese language support |
| 11.01 | Windows client | July 27, 2016 | 15791 | Japanese language support |
| 11.02 | Server | August 31, 2016 | 17625 | Maintenance release (English, Japanese) |
| 11.02 | Windows client | August 31, 2016 | 17625 | Multilingual (Japanese, French, Italian, German, and Spanish) support |
| 11.02 | Windows client | October 10, 2016 | 19757 slipstream | Maintenance release [MOB-9771] |
| 11.02 | Android client | September 15, 2016 | 18145 | Multilingual (Japanese, French, Italian, German, and Spanish) support |
| 11.02 | iOS client | October 10, 2016 | 19666 | Multilingual (Japanese, French, Italian, German, and Spanish) support; iOS 10 is required |
| 11.03 | Server | October 17, 2016 | 19822 | Maintenance release [MOB-9687, MOB-9755] |
| 11.03 | Windows client | October 17, 2016 | 19822 | Maintenance release [MOB-9771, MOB-9666] |
| 11.03 | iOS client | October 28, 2016 | 20378 | Diagnostics compatibility. |
| 11.04 | Server | November 22, 2016 | 21384 | Support for Windows Server 2016, policy issue fix (MOB-9892) |
| 11.04 | Windows client | November 22, 2016 | 21384 | Maintenance release (MOB-9894, MOB-9805) |
| 11.04 | macOS client | November 22, 2016 | 21579 | Maintenance release (MOB-9894, MOB-9805) |
| 11.04 | iOS client | November 23, 2016 | 21379 | Maintenance release (MOB-9894, MOB-9805) |
| 11.04 | Android client | November 22, 2016 | 21376 | Maintenance release (MOB-9894, MOB-9805) |
| 11.04 | Windows client | December 8, 2016 | 22344 | Maintenance release (MOB-10020) |
| 11.04.01 | iOS client | January 24, 2017 | 23750 | Maintenance release (MOB-9969) |
| 11.04 | Windows client | February 13, 2017 | 25554 | Bug fixes (MOB-10290). |
| 11.05 | Windows client | April 3, 2017 | 27233 | Bug fixes (MOB-10420, MOB-10459). |
| 11.05 | iOS client | June 7, 2017 | 31089 | Improved integration with NetMotion Diagnostics; minor bug fixes. |
| 11.06 | iOS client | June 16, 2017 | 31657 | Minor bug fixes (MOB-11003). |
| 11.06 | Windows client | August 18, 2017 | 04461 | Bug fixes: MOB-11376: Failure to load drivers on some Windows 10 systems; MOB-11337: Timeout of video uploads using Coban application (client fix) |
| 11.30 | Android client | August 10, 2017 | 04151 | The user interface and functionality of the Android client has improved dramatically in this release; for a list of changes, see Mobility v11.30 Client for Android. |
| 11.30 | Server | September 29, 2017 | 7087; 7299 (Windows Server 2016 only) | Includes support for publishing Mobility client and server data to a log management server, such as Splunk or NetMotion Mobile IQ (see What's New in NetMotion Mobility), and the fix for MOB-11337 on the Mobility server. |