Troubleshooting Scenarios for Issues with the Cato Client

This article contains some suggestions for troubleshooting common issues with the Cato Client.

Cato Client Conflicts with Third-Party VPN Clients

Challenge

When third-party VPN clients are installed on the same computer as the Cato Client, the third-party drivers can conflict with the Cato Client and override the settings. For example, Cisco AnyConnect can override the DNS settings for the Cato Client.

Solution

Cato Network doesn’t recommend installing the Cato Client and third-party VPN clients on the same computer. Best practice is to uninstall third-party VPN clients and network adapters. It’s important to restart the computer or device after your remove the third-party VPN client.

Antivirus Blocks the Cato Client

Challenge

Antivirus software can identify the Cato VPN Client traffic as malicious and by mistake block the VPN traffic.

Solution

If you determine that the antivirus software on the laptop or device blocks the Cato Client, these are your options to allow the VPN connection:

  • Configure the antivirus settings and create an exception for the Cato Client

  • Contact Cato Networks Support to whitelist the Cato Client for your antivirus

Tip: You can temporarily disable the antivirus software to check if this software is blocking the Cato Client traffic.

Firewall Blocks the Cato Client

Challenge

It's possible that a firewall blocks the specific port that the Client uses to connect to the Cato Cloud.

Solution

There are several types of firewalls that can block the Cato Client from connecting to the Cato Cloud. The following paragraphs describe solutions for each firewall type, use the solution that is applicable for your network.

Network Firewall

Check the network firewall settings and see if it blocks UDP traffic over ports 53 and 443. If it does, add a rule that allows UDP traffic over ports 53 and 443.

Endpoint Firewall

For endpoint computers, you have to make sure that the endpoint firewall agent isn’t blocking the connection. If an endpoint firewall agent is installed on your computer, check the agent settings and see if it’s configured to block UDP traffic over port 53 or 443. We recommend that you contact the agent vendor and ask them to whitelist the Cato Client.

For Windows OS, check the Windows firewall settings and see if it’s configured to block UDP traffic over port 53 or 443. You can also change this default port for the Cato Client from 443 to 1337. For more information about changing the default port, see Configuring a Different UDP Port for Cato Client.

Cato Client IP Range Conflicts with Local Network

Challenge

If your local network uses the same subnet as the Cato VPN IP range, overlapping networks can cause IP conflicts and routing issues. For example, the Cato Clients are unable to connect to the Cato Cloud.

Solution

By default, Cato Networks uses the 10.41.0.0/16 subnet as the VPN range. You can either change the local network IP range, so it doesn't conflict with the Cato VPN IP range. Or you can change the default VPN range in the Cato Management Application (Access > Client Access > IP Range).

The following screenshot shows an example of a custom IP range of 10.43.0.0/16 subnet for VPN users:

range.png

Unable to Access WAN or Internet Resources

Challenge

The Cato Client successfully connects to the Cato Cloud, but users are unable to access WAN or Internet resources over the VPN connection.

Solution

In this situation, the Cato Client has connectivity to the Cato Cloud, but something else is blocking WAN or Internet access. You can check that the following settings are configured correctly in the Cato Management Application:

The Cato WAN or Internet firewall blocks VPN access

The Cato WAN or Internet firewall can block access for Cato Clients to the WAN or internet resource. Check the firewall rulebases in the Cato Management Application (Security > WAN Firewall or Internet Firewall) and make sure that the firewall allows VPN access. For example, does the WAN firewall have a rule that allows VPN users to access the site? The following screenshot shows an example of a Cato WAN firewall rule that allows VPN users to connect to a site in Frankfurt for DNS and HTTPS services:

For more information on the Cato firewall and best practices, see Internet and WAN Firewall Policies – Best Practices .

Unable to resolve DNS

When the DNS settings are misconfigured, then users can’t connect to the network resources. The Cato Management Applications lets you configure DNS settings for the entire account in Network > DNS Settings. You can also configure DNS settings for each site, group, and SDP user.

By default, Cato Networks uses the following DNS servers: primary DNS – 10.254.254.1 and secondary DNS – 8.8.8.8.

If you want to reach an internal resource (WAN) with a local DNS server, make sure that the DNS for your account is configured to use the local DNS. For example, users can only access the internal domain images.mycompany.com if your account is configured with your local DNS server or with DNS Forwarding. Otherwise, there is nothing to resolve the DNS for that address.

For VPN users to connect to an Internet resource, such as www.catonetworks.com, the DNS settings for your account must contain at least one public DNS server. This server allows DNS resolving for the public Internet.

For more information on how to configure the DNS settings for your account, see Configuring DNS Settings.

Geo-location restrictions block the connectivity

Some Internet content is restricted based on the geographic location of the Cato Client. If you are physically located in a country with limited Internet access, then you can’t access the blocked content from that country.

GPO Rule Blocks Cato Adapter Installation

Challenge

A restrictive GPO policy may block the installation of the Cato Adapter during the installation or upgrade process of the Cato Client. GPO rules such as “Restricted installation of devices not described by policy” may block the adapter installation.

Solution

Allow the GPO policy to permit the installation of the Cato Adapter.

Was this article helpful?

0 out of 1 found this helpful

0 comments

Add your comment