I have a realm and VPN tunnel policy setup and applied to a role. This was working a few days ago and I had to revert the SA VM to an earlier snapshot. None of the networking has changed.
Here is some details of my setup.
Under Network>Configuration - IP Address filter is set to *
VPN Tunnel Server IP Address is set to 192.168.1.101 (this is different than the internal/extneral port IPs.)
Under resource profiles my VPN tunnel policy is the default *:*, applied to all roles.
Under connection profiles, I have an ipv4 pool of 192.168.1.220-192.168.1.230
Manually setting DNS server and DNS suffix
When I connect via the Pulse client for Android, the user authenticates but then I see Status>Connecting or Reconnecting. No IP address is ever assigned. I see nothing in the trace logs in terms of trying to grab an IP address.
Solution - This issue appeared to be because T-Mobile devices have switched their default connectivity method to ipv6 after an update to TMO's network. IPv6 is not configured on our concentrator.
The way that we discovered this was by connecting over Wi-Fi on a mobile device and it immediately obtained an IP Address.