Pepwave MAX Transit disconnecting SSL tunnel, invalidating SSO token, HTTPS -1

I recently bought a pepwave max transit LTEA and using it in an urban environment with an AT&T card and Google Fi sim card (T-Mobile) in it. Both have strong signals.

I am using my work laptop where I setup multiple VPN tunnels from my laptop to connect to servers in the cloud, and I use secure https connections with Signle Signon tokens. When using the AT&T sim card it keeps disconnecting the VPN tunnels and invalidating the SSO tokens for secure websites. When I use the Google Fi card, it doesn’t have that issue. But now I reached my data limit, and can’t use that until the next billing cycle starts. The symptoms I’m seeing is that tunnels just disconnect, websites show ‘invalid SSO token’ and ‘HTTPS -1 error’ messages

My UNeducated guess is, the disconnecting issue is because it’s doing carrier aggregation and connecting over multiple bands at the same time, and that somehow invalidates the vpn tunnel? Whatever the cause is, how can I fix this issue?

I have an AT&T SIM on a MAX transit as well and you will notice that if you hit ipchicken.com your IP address will be different than if you SSH into a server and ask it what IP you are. The reason is that AT&T actually proxies 80 and 443 for some reason. They use carrier grade NAT for all other ports and some sort of transparent proxy for web. I’ve read numerous complaints on the web of AT&T breaking SSL VPNs etc because of their proxy of 443. I’d suggest trying the SpeedFusion cloud service because it will tunnel over 4500 and avoid AT&Ts web proxy. It sucks that you have to resort to that, but that’s all I got. I don’t think complaining to AT&T will get you anywhere based on what I’ve read on the web.

3 Likes

Sounds like you know what you are talking about, but at the same time, I’ve been using the same sim card in an AT&T USB modem with another router (cradlepoint) and never had this issue. So it can’t be just AT&T. Also, it’s hard to believe that everyone that needs SSL connections using AT&T and a Pepwave has to go through services like SpeedFusion.

Still hoping there are settings in the PepWave Max Transit I can change to avoid this. Something in Outbound Policies perhaps? I’m not network-savvy enough to know what settings in the pepwave router to change to avoid this issue.

Hi @Pieter_Hartog
The issue could be to do with the changing ISP but it sounds like you are having this issue when only using AT&T as the Google Fi is out of data?
What outbound rule are you currently using and is the Google Fi SIM still active?
I’m thinking if you had an outbound rule that was failing over to the Google Fi when the AT&T discounters then jumping back to AT&T when it reconnects, this could be causing an issue at the services you are using detect unusually activity.
You can try disabling the GoogleFi SIM or creating an outbound policy forcing all traffic to the AT&T SIM.
How much data are you using a month? The SpeedFusion Cloud packages are very reasonable.

1 Like

My Google Fi card is not active; I set the settings to ‘SIM B’ only, which is my AT&T card.
I don’t think it’s related to reconnecting or switching cards; it happens when I start using my SSL tunnel.

The exact symptom is as follows. Below is a copy from my windows command prompt where I setup the SSL tunnel:
(note that I renamed a few things to ‘corpip’, ‘mygateway’ and ‘mycompany’)

C:\Users\pieterh>ssh -N -L 30001:<corpip>:3389 -o ProxyCommand="corp-ssh-helper --stderrthreshold=info  %h %p" <mygateway> 
I0629 15:16:19.141236    9940 transport_sso:107] Requesting config and SSO cookies from ssh-relay.corp.mycompany.com
I0629 15:16:21.379107    9940 transport_sso:129] Successfully authenticated to mtv10.r.ext.<mycompany>.com:443
I0629 15:16:21.515626    9940 transport_sso:193] Requesting connection to <mygateway>:22 via mtv10.r.ext.mycompany.com:443
I0629 15:16:21.779157    9940 transport_sso:247] Attaching to session 6585fa6805bbbc52

So far so good, but as soon as I actually connect to the end point over this SSL (i.e. send data), it returns this error (tls: bad record MAC):

F0629 15:17:31.577161    9940 helper.go:295] remote error: tls: bad record MAC
    packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe

This behavior does not happen with the Google Fi card; the SSL connection stays connected.

Have you made sure your WAN MTU is set to the correct 1430 for AT&Ts network? That is one difference between them and other carriers and the MAX Transit doesn’t auto calculate it like the Balance series does. I don’t think that’s the issue, but there are other google posts where people have had issues because the MTUs were off. AT&T does have their own brand routers running 1500 on business accounts and all the rest of us running at 1430.

1 Like

No resolution yet, but after testing other cell phone modems (other brands etc) I got the same errors. Connected to fiber optic or cable modems I don’t have the ‘bad record MAC’ issue, but still getting the ‘invalid SSO token’ errors frequently.

So for now, I’m assuming it’s on the other end (my work network) and work with them more to see what the problem is and how to avoid it.

Thank you for your responses!

1 Like