Cradle

Troubleshooting

Cradle with a VPN

Most enterprise VPNs work fine with Cradle, but some configurations cause one-way audio, choppy calls, or sign-in failure. Here's what to ask your IT team to check.

Cradle works through most enterprise VPNs without any setup. A small number of VPN configurations cause specific problems: one-way audio, choppy calls, or sign-in failures that go away the moment you disconnect the VPN. This article covers what's going wrong and what to ask your IT team for.

Quick checks (try these first)

  1. Try a call with the VPN disconnected. If the call sounds fine without the VPN, the VPN is the cause. Useful information, even if you can't permanently turn it off.
  2. Try a different VPN endpoint or region. If your VPN client lets you pick a location, choose one closer to where you are.
  3. Check status.cradle.io. If Cradle itself is having an issue, the VPN is innocent.

How VPNs interfere with calls

A VPN takes the traffic that would normally go straight out to the internet and routes it through your organisation's network first. For email and browsing, that's fine, those tolerate a bit of extra delay. Voice doesn't.

Three common patterns:

  • All traffic through the VPN, endpoint a long way away. Your call audio goes to your VPN endpoint, back out to the internet, to the other person, and the same round trip back. The further your endpoint is from where the call is going, the more latency stacks up. Symptom: noticeable delay, sometimes choppy audio.
  • Split tunnelling configured but Cradle's traffic not split off. Your VPN supports sending some traffic outside the tunnel (the "split"), but Cradle isn't on the list. Symptom: same as above, despite split tunnelling supposedly being on.
  • VPN DNS not resolving every Cradle hostname. Cradle reaches several services to sign you in, make calls, and sync your contacts. If your VPN's DNS server can't resolve all of them, you'll see specific failures: sign-in fails, or calls connect but messages don't sync, or vice versa.

What to try

Disconnect the VPN for calls (the simple option)

If your IT policy allows it, the cleanest fix is to disconnect the VPN before opening Cradle. Cradle doesn't need the VPN to work; it doesn't need to reach anything on your corporate network.

This works well when:

  • You're working remotely and the VPN is only there for occasional internal-tool access.
  • You can reconnect the VPN when you need a corporate resource and disconnect for calls.

It doesn't work when your organisation requires the VPN to be on at all times, in which case keep reading.

Ask IT to split-tunnel Cradle off the VPN

"Split tunnelling" lets some traffic go through the VPN and some traffic go straight to the internet. Voice calls strongly prefer the straight-to-internet path.

If your VPN supports split tunnelling, this is the most common fix for "VPN is making my Cradle calls bad". Your IT team can configure it.

What to ask for:

  • "Can you split-tunnel the connections Cradle makes outside the VPN?"
  • The detailed list of which hostnames and ports to split off is in General networking guidelines. Point your IT team at that article; it has everything they need.

Use a VPN endpoint near you

If your VPN client lets you choose which endpoint to connect to, pick one geographically close to you. The closer the endpoint, the less latency the round trip adds.

For example, if you're in Auckland and your VPN defaults to a London endpoint, look for an Australian or New Zealand endpoint instead. Not all corporate VPNs offer a choice, but check.

Try a different VPN protocol

Some VPN clients let you pick between protocols (OpenVPN, WireGuard, IKEv2, IPsec). They behave differently for voice. If you're seeing choppy audio specifically with one protocol, ask IT whether a different one is available for your account.

"Sign-in fails the moment I connect to the VPN"

If Cradle works perfectly off the VPN but fails to sign in the moment you connect:

  • Your VPN's DNS may not be resolving every hostname Cradle needs. Specifically, the Google or Microsoft sign-in services may not be reachable from inside the VPN.
  • Ask your IT team to confirm that Google or Microsoft sign-in works for other apps inside the VPN. If those fail too, the issue is broader than Cradle.

"Audio comes through one way only"

One-way audio is a classic firewall-and-VPN symptom. Voice audio uses two streams (you-to-them and them-to-you). If your VPN's firewall blocks one stream while letting the other through, you hear them fine but they don't hear you, or the other way around.

  • Try a call without the VPN. If audio is two-way without it, the VPN's firewall rules are the cause.
  • Ask IT to confirm Cradle's voice traffic is allowed in both directions through the VPN. The networking article has the details.

What's in the deeper article

General networking guidelines has the full list of what to whitelist and what to disable on the network side. Send your IT team there if they want to set up a permanent fix rather than working around the symptoms.

Still stuck?

If you've tried disconnecting the VPN, asked IT about split tunnelling, and Cradle still misbehaves with the VPN on:

  • Note your VPN product (Cisco AnyConnect, NordLayer, Fortinet, etc.).
  • Note the symptom: no sign-in, one-way audio, choppy audio, dropped calls.
  • Email help@cradle.io with both. We'll work through it with you and your IT team.
  • Cradle support is open Monday to Friday, 8:30 am – 5:00 pm New Zealand time.

Related

Related articles