Hello Merakians,
I have seen a lot of VPN posts lately and I would like to share with you a set of videos I made regarding VPN configuration and troubleshooting. These videos go from the configuration of any VPN to the troubleshooting for any case.
All the scenarios I covered can help you to solve 99% of all the cases you might have regarding VPN with Meraki Support. It shows how to use the tools and the pcaps in order to understand where the problem is coming from.
I strongly recommend the one regarding AutoVPN. Since Meraki uses a proprietary configuration to create the AutoVPN tunnel, sometimes we just drop the towel and reach out to Support if the tunnel is not up. I covered how to identify every aspect of the AutoVPN traffic flow, differentiate the different problems, and how to fix it.
I hope these videos can help you to troubleshoot your VPN scenarios before raising a case.
Configuration:
ClientVPN - https://youtu.be/tGP_OLRgOck
Non-Meraki VPN - https://youtu.be/BwCtY3rln4c
Troubleshooting:
ClientVPN - https://youtu.be/quAQslnQo9Q
Non-Meraki VPN - https://youtu.be/WJNUImcWfWg
AutoVPN - https://youtu.be/cE3HtcvxlqM
Great videos! Very well done. I would highly encourage people to check out the other videos on this channel, @Joan_P has some really great content.
Wow, good effort!
I'm also going to give one of my tools a plug - the most advanced tool for building scripts to set up client VPN connections for Windows 10.
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
It can do complex things like split VPN, VPN exclusions, split DNS, and knows how to generate exclusions for full tunnel configs for common things like Cisco WebEx and Office 365.
Wow, that was a cool tool!
@Joan_P I like the videos...really well done!
Would have helped me about 4 months ago, when I had problems with Client VPN.
Thanks for the great videos
Thanks for your videos @Joan_P. I have an issue that I hope you can help me with.
I've got an MX64 with 2 ISPs. On WAN1 I have a static IP and on WAN2 I have another ISP with a dynamic IP.
The client VPN is set up with the DynDNS and there is no problem connecting EXCEPT when WAN 1 fails.
The clients inside the MX have no problems navigating, but all VPN clients can't establish the tunnel. Could you suggest something to look at?
Regards
Hi Richard
Thanks for your post,
Fortunately, there have not been more failures with my ISP 1, but the answer to your questions is Yes for all.
This is a very strange behaviour
If you're on Windows you can make a PowerShell script for your clients to just click and add the VPN to their machine.
Hey Trunolimit,
Would you mind sharing how to create "a powershell script for your clients to just click and add the VPN to their machine"? I have over 200+ users and this would make my job a lot simpler.
@dougProCast check out my post.
If you use Active Directory, then run the script via group policy instead.
thank you
@PhilipDAth Getting the following error while running the PowerShell script:
Unable to create XYZ profile: A general error occurred that is not covered by a more specific error code
@FakrulAlamDA it sounds like something is wrong with that Windows 10 machine. Perhaps try checking that all the Windows feature updates are installed.
Whoa that's amazing. I was going to make a video showing people how to use powershell but this website is way better.
Quick question. We are having issues with being able to assign permissions via Active Directory once a client has connected to the VPN. We are getting complaints that people are unable to access folders they should have access to once on the VPN.
Any idea what's up?
>we are getting complaints that people are unable to access folders they should have access to once on the VPN.
Are you by chance using different credentials for the client VPN than are used to access the Windows Resources?
If so, you need to edit rasphone.pbk and set "UseRasCredentials" to 0. Otherwise what happens is the VPN credentials are used to access Windows resources, rather than the Windows credentials.
@Nash has a great script that does this automatically.
https://github.com/gammacapricorni/happy-meraki-client-vpn/blob/master/AddMerakiVPN.ps1
You shouldn't get that problem if you use my client VPN generator because it uses the newer system. So you could also just change over ...
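The phonebook edit described in the reply above, as an added PowerShell example that is not part of the original thread and is not taken from either linked script. The function name `Set-UseRasCredentials`, the entry names and the sample phonebook are constructed for illustration; it assumes the phonebook is an INI-style text file with one `[EntryName]` section per connection and ASCII entry names.

```powershell
# Added example: set UseRasCredentials for ONE phonebook entry, leaving others untouched.
function Set-UseRasCredentials {
    param(
        [Parameter(Mandatory)] [string] $PbkPath,
        [Parameter(Mandatory)] [string] $EntryName,   # connection name = [section] header
        [ValidateSet(0, 1)] [int] $Value = 0
    )
    $section = $null
    $changed = $false
    $out = foreach ($line in Get-Content -LiteralPath $PbkPath) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]                    # entering a new connection entry
        }
        elseif ($section -eq $EntryName -and $line -match '^UseRasCredentials=') {
            $line = "UseRasCredentials=$Value"        # only rewrite inside the target entry
            $changed = $true
        }
        $line
    }
    if (-not $changed) {
        throw "No UseRasCredentials line found under [$EntryName] in $PbkPath"
    }
    Copy-Item -LiteralPath $PbkPath -Destination "$PbkPath.bak" -Force   # keep a backup
    Set-Content -LiteralPath $PbkPath -Value $out
}

# Constructed sample phonebook with two entries (not from a real machine).
$sample = @'
[Office VPN]
Encoding=1
UseRasCredentials=1
PhoneNumber=vpn.example.com

[Other VPN]
Encoding=1
UseRasCredentials=1
PhoneNumber=other.example.com
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'rasphone-sample.pbk'
Set-Content -LiteralPath $tmp -Value $sample

Set-UseRasCredentials -PbkPath $tmp -EntryName 'Office VPN'

# Show each entry header with its setting: only [Office VPN] should now be 0.
Select-String -LiteralPath $tmp -Pattern '^\[|^UseRasCredentials=' |
    ForEach-Object { $_.Line }
```

On a real client the per-user phonebook is normally at `$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk`; disconnect the VPN before editing and reconnect afterwards so the changed setting is picked up.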
Our VPN authenticates using AD so I don't think a difference in credentials is what's the problem.
For client VPN - are you definitely giving out only your AD controllers for the DNS servers?
Does it make any difference whether you just host the hostname or the FQDN name (which could hint at the connect DNS suffix being wrong)?
Yeah we are handing out only the AD server as the DNS.
I’m looking to grab some logs from the AD server via our sysadmin but I fear I wouldn’t know what to look for. I’m assuming there’s an error log when someone tries to access a resource they don’t have access to.