Troubleshooting Scenarios for Issues with the Cato Client

This article contains some suggestions for troubleshooting common issues with the Cato Client.

Note: If the Cato Client presents an error while connecting to the Cato Cloud, refer to the following article: Cato Client Login Errors

Cato Client Conflicts with Third-Party VPN Clients

Challenge

When third-party VPN clients are installed on the same computer as the Cato Client, the third-party drivers can conflict with the Cato Client and override the settings. For example, Cisco AnyConnect can override the DNS settings for the Cato Client.

Solution

Cato Networks doesn’t recommend installing the Cato Client and third-party VPN clients on the same computer. The best practice is to uninstall third-party VPN clients and network adapters. It’s important to restart the computer or device after you remove the third-party VPN client.

Antivirus Blocks the Cato Client

Challenge

Antivirus software can mistakenly identify the Cato VPN Client traffic as malicious and block the VPN traffic.

Solution

If you determine that the antivirus software on the laptop or device blocks the Cato Client, these are your options to allow the VPN connection:

  • Configure the antivirus settings and create an exception for the Cato Client

  • Contact Cato Networks Support to whitelist the Cato Client for your antivirus

Tip: You can temporarily disable the antivirus software to check if this software is blocking the Cato Client traffic.

Firewall Blocks the Cato Client

Challenge

It's possible that a firewall blocks the specific port that the Client uses to connect to the Cato Cloud.

Solution

Several types of firewalls can block the Cato Client from connecting to the Cato Cloud. The following sections describe solutions for each firewall type; use the solution that is applicable to your network.

Network Firewall

Check the network firewall settings and see if it blocks UDP traffic over ports 53 and 443. If it does, add a rule that allows UDP traffic over ports 53 and 443 and the URLs and IP addresses described in Prerequisites for Installing the Cato Client.

Endpoint Firewall

For endpoint computers, you have to make sure that the endpoint firewall agent isn’t blocking the connection. If an endpoint firewall agent is installed on your computer, check the agent settings and see if it’s configured to block UDP traffic over port 53 or 443. We recommend that you contact the agent vendor and ask them to whitelist the Cato Client and the URLs and IP addresses described in Prerequisites for Installing the Cato Client.

For Windows OS, check the Windows firewall settings and see if they’re configured to block UDP traffic over port 53 or 443. You can also change the Cato Client's default port from 443 to 1337. For more information about changing the default port, see Configuring a Different UDP Port for Cato Client.
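The following PowerShell is an added example, not part of the original article or of Cato tooling. It lists the enabled outbound Block rules in the Windows firewall that cover UDP port 53, 443, or the alternate port 1337; the helper name Test-PortSpecCoversPort is hypothetical.

```powershell
# Added example: find enabled outbound Block rules that cover the Cato Client's UDP ports.
$CatoPorts = 53, 443, 1337   # ports named in this article (1337 is the alternate port)

# Hypothetical helper: does a firewall port specification (Any, 443, 1000-2000) include $Port?
function Test-PortSpecCoversPort {
    param([string[]]$PortSpec, [int]$Port)
    foreach ($entry in $PortSpec) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
    }
    return $false
}

# ActiveStore is the effective rule set, including rules delivered by Group Policy.
$blocking = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action Block -Direction Outbound |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        # Skip rules limited to another protocol (the filter shows a name or a number)
        if ($filter.Protocol -notin 'UDP', '17', 'Any') { return }
        $hit = $CatoPorts | Where-Object { Test-PortSpecCoversPort $filter.RemotePort $_ }
        if ($hit) {
            [pscustomobject]@{
                Rule       = $rule.DisplayName
                Profile    = $rule.Profile
                Program    = ($rule | Get-NetFirewallApplicationFilter).Program
                RemotePort = $filter.RemotePort -join ','
                CatoPorts  = $hit -join ','
            }
        }
    }

if ($blocking) {
    $blocking | Format-Table -AutoSize -Wrap
} else {
    'No enabled outbound Block rule covers UDP 53, 443 or 1337.'
}
```

The Program column shows whether a matching rule applies to every program (Any) or only to one executable, which tells you whether it can affect the Cato Client.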

The DTLS Connection Fails with the Cato Cloud

Challenge

The Cato Client cannot authenticate with the Cato Cloud when the user's PC does not use the required DTLS ciphers during the DTLS handshake.

Solution

Confirm that the DTLS ciphers described in Cipher Suites Used by the Cato Socket and SDP Client are included in the PC's cryptography configuration. For Windows devices, this can be checked under the following registry keys:

  • Cipher Suites: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
  • Signature Algorithms: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
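The following PowerShell is an added example, not part of the original article or of Cato tooling. It reads the two registry keys above and reports whether each required entry is present. The required names are placeholders to fill in from the Cato cipher suite article, the helper names are hypothetical, and the value name Functions is an assumption about where Windows stores each ordered list.

```powershell
# Added example: check required DTLS suites against the registry keys listed above.
# Placeholders: fill these from "Cipher Suites Used by the Cato Socket and SDP Client".
$RequiredSuites  = @('<REQUIRED_CIPHER_SUITE_1>', '<REQUIRED_CIPHER_SUITE_2>')
$RequiredSigAlgs = @('<REQUIRED_SIGNATURE_ALGORITHM_1>')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL'

# Hypothetical helper. Assumption: each key keeps its ordered list in the
# multi-string value named Functions.
function Get-ConfiguredList {
    param([string]$SubKey)
    $item = Get-ItemProperty -Path "$Base\$SubKey" -Name Functions -ErrorAction SilentlyContinue
    if ($item) { $item.Functions | Where-Object { $_ } }
}

# Hypothetical helper: one row per required name, with its position in the configured order.
# The name comparison is case-sensitive.
function Compare-RequiredList {
    param([string]$List, [string[]]$Required, [string[]]$Configured)
    foreach ($name in $Required) {
        $index = [Array]::IndexOf($Configured, $name)
        [pscustomobject]@{
            List     = $List
            Name     = $name
            Present  = $index -ge 0
            Position = if ($index -ge 0) { $index + 1 } else { $null }
        }
    }
}

$report  = @(Compare-RequiredList 'Cipher Suites' $RequiredSuites @(Get-ConfiguredList '00010002'))
$report += @(Compare-RequiredList 'Signature Algorithms' $RequiredSigAlgs @(Get-ConfiguredList '00010003'))
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count) { "Missing entries: $($missing.Count). Compare with the Cato article." }
```

If the SSL Cipher Suite Order Group Policy setting is configured, that policy list takes precedence over the local key read here.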

Cato Client IP Range Conflicts with Local Network

Challenge

If your local network uses the same subnet as the Cato VPN IP range, overlapping networks can cause IP conflicts and routing issues. For example, the Cato Clients cannot connect to the Cato Cloud.

Solution

By default, Cato Networks uses the 10.41.0.0/16 subnet as the VPN range. You can change the local network IP range to avoid conflict with the Cato VPN IP range. You can also change the default VPN range in the Cato Management Application (Resources > IP Ranges).

The following screenshot shows an example of a custom IP range of 10.43.0.0/16 subnet for VPN users:

[Screenshot: custom IP range 10.43.0.0/16 for VPN users]
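The following PowerShell is an added example, not part of the original article or of Cato tooling. It reports every local IPv4 address whose subnet overlaps the VPN range; the helper names Get-NetworkNumber and Test-CidrOverlap are hypothetical. Run it with the Cato Client disconnected so that the client's own VPN address is not reported.

```powershell
# Added example: report local IPv4 subnets that overlap the Cato VPN range.
$VpnRange = '10.41.0.0/16'   # Cato default from this article; replace if you use a custom range

# Hypothetical helper: the network number of $Address when truncated to $PrefixLength bits.
function Get-NetworkNumber {
    param([string]$Address, [int]$PrefixLength)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $value = [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
    [Math]::Floor($value / [Math]::Pow(2, 32 - $PrefixLength))
}

# Two CIDR blocks overlap when they agree on the bits of the shorter prefix.
function Test-CidrOverlap {
    param([string]$CidrA, [string]$CidrB)
    $ipA, $lenA = $CidrA -split '/'
    $ipB, $lenB = $CidrB -split '/'
    $len = [Math]::Min([int]$lenA, [int]$lenB)
    (Get-NetworkNumber $ipA $len) -eq (Get-NetworkNumber $ipB $len)
}

# Loopback and link-local (APIPA) addresses are ignored.
$conflicts = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Where-Object { Test-CidrOverlap "$($_.IPAddress)/$($_.PrefixLength)" $VpnRange } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

if ($conflicts) {
    $conflicts | Format-Table -AutoSize
} else {
    "No local IPv4 subnet overlaps $VpnRange."
}
```

A local network with a shorter prefix, such as 10.0.0.0/8, is also reported because it contains the whole VPN range.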

Unable to Access WAN or Internet Resources

Challenge

The Cato Client successfully connects to the Cato Cloud, but users cannot access WAN or Internet resources over the VPN connection.

Solution

In this situation, the Cato Client has connectivity to the Cato Cloud, but something else is blocking WAN or Internet access. You can check that the following settings are configured correctly in the Cato Management Application:

For more information about WAN and Internet access troubleshooting, see Internet Service Reachability Troubleshooting and Access to Internal Resources Troubleshooting.

The Cato WAN or Internet firewall blocks VPN access

The Cato WAN or Internet firewall can block access for Cato Clients to the WAN or Internet resource. Check the firewall rule bases in the Cato Management Application (Security > WAN Firewall or Internet Firewall) and make sure that the firewall allows VPN access. For example, does the WAN firewall have a rule that allows VPN users to access the site? 

For more information on the Cato firewall and best practices, see Internet and WAN Firewall Policies – Best Practices.

Unable to resolve DNS

When the DNS settings are misconfigured, users can’t connect to the network resources. The Cato Management Application lets you configure DNS settings for the entire account in Network > DNS Settings. You can also configure DNS settings for each site, group, and SDP user.

By default, Cato Networks uses the following DNS servers: primary DNS – 10.254.254.1 and secondary DNS – 8.8.8.8.

If you want to reach an internal resource (WAN) with a local DNS server, make sure that your account's DNS is configured to use the local DNS. For example, users can only access the internal domain images.mycompany.com if your account is configured with your local DNS server or with DNS Forwarding. Otherwise, the DNS for that address will not be resolved.

For VPN users to connect to an Internet resource, such as www.catonetworks.com, the DNS settings for your account must contain at least one public DNS server. This server allows DNS resolution for the public Internet.

For more information on how to configure the DNS settings for your account, see Configuring DNS Settings.

Geo-location restrictions block connectivity

Some Internet content is restricted based on the geographic location of the Cato Client. If you are physically located in a country with limited Internet access, then you can’t access the blocked content from that country.

For more information, see Website Inaccessible due to Cato IP Blacklisting or Geo-Blocking.

GPO Rule Blocks Cato Adapter Installation

Challenge

A restrictive GPO policy may block the installation of the Cato Adapter during the installation or upgrade process of the Cato Client. GPO rules such as “Restricted installation of devices not described by policy” may block the adapter installation.

Solution

Modify the GPO to permit the installation of the Cato Adapter.
