3rd party VPN app blocked blocked by MX?

NMERAKI
Comes here often

3rd party VPN app blocked blocked by MX?

 

I am trying to connect an Ipad via a 3rd party VPN app (GlobalProtect) to an external large enterprise and it appears to be blocked by the MX.  Tried a variety of Layer 3 settings, forwarding, whitelisting, etc and no luck.  Only current firewall rule is Layer 3 default rule (Any, Any, Any...). 

Someone have ideas why this wouldn't work?  Ipad will connect via GP on other wireless networks, other VPN clients will connect on this network.  

 

Thanks!

 

3 Replies 3
MilesMeraki
Head in the Cloud

Have you verified that the MX is blocking the traffic? Have you taken packet captures on the LAN/WAN interface of the MX and can see that the traffic isn't passing through?

 

If not, I'd first get in touch with Meraki support who can help you troubleshoot in real-time to confirm if the MX is blocking the traffic.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
PhilipDAth
Kind of a big deal
Kind of a big deal

I concurr with @MilesMeraki - you need to verify the MX is actually blocking the traffic.

NMERAKI
Comes here often

On the packet capture, here's some samples... 

 

xxx.xxx.xx. is the destination IP the vpn client is attempting to connect to... 

 

 xxx.xxx.xx.198.1935: Flags [SEW], seq 2856775745, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489566124 ecr 0,sackOK,eol], length 0

 

xxx.xxx.xx.198.1935: Flags [.], ack 1, win 65535, options [nop,nop,TS val 489566145 ecr 1006200408], length 0

 

next line is: 

 

xxx.xxx.xx.198.1935: Flags [P.], seq 1:235, ack 1, win 65535, options [nop,nop,TS val 489566146 ecr 1006200408], length 234

 

later there's 

 

xxx.xxx.xx.163.443: Flags [SEW], seq 969374625, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489566268 ecr 0,sackOK,eol], length 0

 

Again, vpn connects from ipad without issue on other wifi networks.  In theory, it could be the cable modem but that has no firewall, dhcp, etc.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels