Are you still having VPN issues?

Joan_P
Meraki Employee
Meraki Employee

Are you still having VPN issues?

Hello Merakians, 

I have seen a lot of VPN posts lately and I would like to share with you a set of videos I made regarding VPN configuration and troubleshooting. These videos go from the configuration of any VPN to the troubleshooting for any case. 

 

All the scenarios I covered can help you to solve 99% percent of all the cases you might have regarding VPN with Meraki Support. It shows how to use the tools and the pcaps in order to understand where the problem is coming from. 

 

I strongly recommend the one regarding AutoVPN. Since Meraki uses a proprietary configuration to create the AutoVPN tunnel, sometimes we just drop the towel and reach out to Support if the tunnel is not up. I covered how to identify every aspect of the AutoVPN traffic flow, differentiate the different problems, and how to fix it. 

I hope these videos can help you to troubleshoot your VPN scenarios before raising a case. 

Configuration: 

ClientVPN - https://youtu.be/tGP_OLRgOck

Non-Meraki VPN - https://youtu.be/BwCtY3rln4c

 

Troubleshooting:

 

ClientVPN - https://youtu.be/quAQslnQo9Q

Non-Meraki VPN - https://youtu.be/WJNUImcWfWg

AutoVPN - https://youtu.be/cE3HtcvxlqM

 

 

 

18 REPLIES 18
CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

Great videos! Very well done. I would highly encourage people to check out the other videos on this channel, @Joan_P has some really great content. 

PhilipDAth
Kind of a big deal
Kind of a big deal

Wow, good effort!

 

I'm also going to give one of my tools a plug - the most advanced tool for building scripts to setup client VPN connections for Windows 10.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

It can do complex things like split VPN, VPN exclusions, split DNS, and knows how to generate exclusions for full tunnel configs for common things like Cisco WebEx and Office 365.

Wow, that was a cool tool!

rwiesmann
A model citizen

@Joan_P  I like the videos...really well done!

Would have helped me about 4 month ago, when I had problems with Client VPN.

Thanks for the great videos

CSegovia
Here to help

Thanks for you videos @Joan_P I have an issue that I hope you can help me.

I've got a MX64 with 2 ISP. On WAN1 I have a static IP and on WAN2 I have another ISP wit dynamic IP.

The client VPN are setup with the DynDNS and there is no problem to connect EXCEPT when WAN 1 fails.

The clientes inside the MX have no problems to navigate, but all VPN clientes can't establish the tunnel, May you sugggest something to look at?

Regards

Hi CSegovia,

I assume you are using WAN1 as primary?
Are you using the inbuild DyDNS from the dashboard?
Check when WAN1 fails if the DNS is resolve to the WAN2 ip address first.

Hi Richard

Thanks for you post,

 

Fortunately, there has not been more fails with my ISP 1, but the answer to your questions is Yes for all.

This is a very strange behaviour

trunolimit
Building a reputation

If you're on windows you can make a powershell script for your clients to just click and add the VPN to their machine.

 

 

Hey Trunolimit,

 

Would you mind on sharing on how to created "a powershell script for your clients to just click and add the VPN to their machine".  I have over 200+ users and this would make my job a lot simpler. 

 

 

@dougProCast  check out my post.

https://community.meraki.com/t5/Security-SD-WAN/Are-you-still-having-VPN-issues/m-p/85469/highlight/... 

 

If you use Active Directory, then run the script via group policy instead.

 

thank you

@PhilipDAth Getting following error while running the power shell script:

 

Unable to create XYZ profile: A general error occurred that is not covered by a more specific error code

@FakrulAlamDA it sounds like something is wrong with that windows 10 machine.  Perhaps try checking that all the Windows feature updates are installed. 

trunolimit
Building a reputation

Whoa that's amazing. I was going to make a video showing people how to use powershell but this website is way better.

 

quick question. we are having issues with being able to assign permissions via active directory once a client has connected to the VPN. we are getting complaints that people are unable to access folders they should have access to once on the VPN.

 

any idea what's up.

>we are getting complaints that people are unable to access folders they should have access to once on the VPN.

 

Are you by chance using different credentials for the client VPN than are used to access the Windows Resources?

 

If so you need to edit raspphone.pbk and set "UseRasCredentials" to 0.  Otherwise what happens is the VPN credentials are used to access Windows resources, rather than the Windows credentials.

@Nash has a great script that does this automatically.

https://github.com/gammacapricorni/happy-meraki-client-vpn/blob/master/AddMerakiVPN.ps1 

 

 

You shouldn't get that problem if you use my client VPN generator because it uses the newer system.  So you could also just change over ...

 

trunolimit
Building a reputation

Our VPN authenticates using AD so I don't think a difference in credentials is what's the problem.

For client VPN - are you definitely giving out only your AD controllers for the DNS servers?

 

Does it make any difference whether you just host the hostname or the FQDN name (which could hint at the connect DNS suffix being wrong)?

trunolimit
Building a reputation

Yeah we are handing out only the AD server as the DNS. 

I’m looking to grab some logs from the AD server via our sysdamin but I fear I wouldn’t know what to look for. I’m assuming there’s an error log when someone tries to access a resource they don’t have access to.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels