A small reminder that the Engineering Computing Infrastructure (ECI) is not directly responsible for the Campus VPN and we can only give Best Effort Support with regards to the VPN.

There are multiple other pages in this Knowledge Base that deal with installation:VPN FAQ and configuration: /wiki/spaces/EIKB/pages/529072763

VPN not Required for all Software

The Campus Pulse Secure VPN is not required to use many pieces of software such as Email, Zoom and Google Drives. Only software requiring a secure encrypted connection such as GUS or Filemaker require the use of a VPN when connecting from off campus.

If you cannot find the answers here, you are urged to contact UCSB Enterprise Technology Services (ETS) at:

https://www.it.ucsb.edu/pulse-secure-campus-vpn

For additional support or Troubleshooting, you can contact ETS support at:

ets-info@ucsb.edu

VPN Does not Work on Unsupported Operating Systems.

Older operating systems such as windows XP & 7 and Mac OSx Sierra 10.12 and before will be blocked from all campus networks including the VPN for security reasons

Betas and experimental limited release operating systems oftentimes do not allow third party applications to run. Windows Polaris & Andromeda and Mac OSx Big Sur 11.x currently do not allow the VPN to function as of October 2020.

see https://www.it.ucsb.edu/pulse-secure-campus-vpn/get-connected-vpn for a full list of clients available.

VPN Connections are not Allowed on Certain Subnets

Some Internet Service Providers (ISPs) block some or all VPNs. ECI has no control over non-university networks and cannot guarantee a secure connection on them.

If you are connecting to a hotspot set up by your phone to get around blocks, you will have to enable the VPN again after connecting to the hotspot.

Other Secure Networks

VPN connections turn an insecure connection into a secure connection, they do not work well on already secure networks like any of the wired networks. If you are testing your VPN, please disconnect your wired cable and connect to wireless web (unencrypted wifi) first.

VPN Connections take a While to set up

If you are connecting to the VPN, please give a full minute (60 Mississippis) to allow the connection to settle. If you try to connect to secure services as soon as you see the green arrow on the Pulse secure icon, you will get adapter errors.

VPN Connections take a While to disconnect

It is highly recommended to disconnect from all software using the VPN such as GUS, Filemaker, and Samba Shares before disconnecting from the VPN itself. If done out of order, you may have to restart your computer to re-establish your normal internet connection.

VPN Connection Icon Looks Weird

The following is from the ETS email on August 1st

"Our campus VPN vendor, Pulse Secure, was purchased by a software company called Ivanti in December of 2020. The transition has been largely transparent thus far. However, after July 22, 2022, some users may notice that their mobile clients (Android and iOS) have updated and changed version number, icon, and name. Previously, the Pulse Secure app appeared as a dark icon with a green stylized S. The new Ivanti Secure Access Client app appears as an orange icon with a key above a hand on an orange background. We will soon be updating the campus VPN documentation to reflect these changes."

VPN Connections can not be used with Older VPNs

If you have older Tunnelblick or OpenVPN or even Pulse Secure version 9.1.14 and before connections already configured on your computer, you will have to delete those first. This is because these are older versions of the VPN and share install locations. Multiple Pulse Secure VPN connections, such as from multiple UC campuses or from Cal State Universities will not cause an issue provided the other connections are reasonably up to date (9.1.15 and later as of August 2022).

Please note you may still see these icons reused for other Applications. For example: on Chromebooks, be sure you are deleting the old VPN and not your current EDUROAM configuration profile when removing the lock icon. The Tunnel icon is usually labeled clearly VPN.

VPN Connections must be allowed to run.

If you did not click ok on first launch, you will have to take the following steps on a Mac to run the VPN
Click the Apple menu at the top left of your desktop.
Click System Preferences.
Click Security & Privacy.
Click the lock to make changes (if you are on Catalina, otherwise skip this step as unlocking is not required).
Click the General tab.
Under Allow apps downloaded from, select App Store and identified developers
Look for the following message: System software from developer "Pulse Secure LLC" was blocked from loading.
Next to the message click Allow to enable the extension.
Click the lock icon to the locked position to save changes.
Close the Security & Privacy window.
The kernel extension has been authorized and full functionality of the Pulse Desktop client should be available.

If you have a Computer running Catalina 10.15 there may be additional steps

Click System Preferences.
Click Security & Privacy.
Click the lock to make changes
Click the General tab.
Under Allow apps downloaded from, select App Store and identified developers
Look for the following message(s): "Kernel extension not authorized" or "...blocked from opening because it is not from an identified developer"
Next to the message click Open Anyway to enable the extension
The kernel extension has been authorized and full functionality of the Pulse Desktop client should be available.
Click the lock icon to the locked position to save changes.
Close the Security & Privacy window.
Restart your computer (important!)
Open the Pulse Secure client and try connecting to the VPN

VPN Connections Require Multi Factor Authentication...

If you are Getting no Push Notification From Duo...

Typing the word 'push' (without quotes) in the VPN client secondary login field should result in a Duo Push being sent to your 1st registered device.

You may also open the pulse app on your phone, go to UCSB, and click on it (or arrow next to it). A 6 digit number will appear that you can use to login to pulse secure at the SMS step.

If you need to Sign up for Duo...

https://www.it.ucsb.edu/mfa/getting-started-mfa-duo

VPN Connections must be allowed through your Firewall(s) if using Outbound Firewall Rules

The UCSB VPN service has a specific IP range that will need to be allowed if you have a firewall blocking most IPs with a firewall. Note that by default outbound connections are allowed on most Windows and Mac Computers, outbound rules have to be manually enabled by a user or Administrator. Please also note that some routers have firewalls that need to be configured as well.

UCSB VPN Service assigns addresses on the following subnets:
- 128.111.61.0/24 (128.111.61.1-128.111.61.254)
- 128.111.64.0/22 (128.111.64.1-128.111.67.254)
- 128.111.180.0/22 (128.111.180.1-128.111.183.254)
- 128.111.188.0/22 (128.111.188.1-128.111.191.254)

Campus VPN range was expanded multiple times in March 2020 by to include the 65-67, 180-183, and 188-191 subnets.

VPN must also be allowed through the NAT part of your Firewall if you want to Enable Remote Access to your Computer.

Please note that not all firewalls have a NAT option so this may not apply to you.

This is related to the above issue. NATs hid your IP address. Which means that even if you configured the firewall correctly above, but forgot to add an exception to the NAT, you get into a situation where some things work and others do not.

In general if the firewall is enabled correctly but no NAT exception is made, users will be able to connect to samba shares and financial software, but will not be able to remote into their computer, receive remote connections from other people, receive remote software updates or do anything that involves a remote computer pushing stuff to their computer instead of their computer drawing something from a remote computer.

Troubleshooting:

Visit this page to confirm that you have connected successfully to the Campus VPN Service and it says "on campus address"
In google search type "what is my IP"
1. If it says an IP that begins with 128.111.xxx.xxx your router firewall is configured properly
2. If it says an IP of 192.xxx.xxx.xxx or a mix of letters and numbers that looks like a IPV6 address, then your firewall is not configured correctly.
You will then want to check both your computer and router firewall settings and make sure BOTH the incoming and outgoing firewall configurations allow the VPN subnets listed above in AND out. Many windows style firewalls have separate rules for incoming vs outgoing and a third category for NAT (in order to hid or unhide your IP address from remote computers)
You will then want to retest step 2).
You may have to disable the NAT option entirely in some rare cases.

VPN Freezes

The campus Pulse Secure VPN has an idle timeout of 60 minutes and a max session of 720 minutes (12 hours).

GUS, Filemaker and Business Financial Service's encrypted communications are not recognized as user activity. It is recommended you do some non encrypted activity every 30 minutes such as checking your email in order to avoid idle timeouts. If GUS, Filemaker, or BFS clients do not have an active connection to their respective servers, the clients freeze until such time as a connection is restored.

VPN not Restarted After Updating Application or System Security

Quit pulse secure application and relaunch it, either via status bar or applications/programs for mac/pc, then click ok.

If connect button is still not showing, right click on UCSB Remote Access, then click Connect

This is often the result of having recently installed a VPN update or a system security update. A restart may be required to permanently fix this issue.

If you are still facing issues with VPN connections, please see the following links for more information: