Cannot seem to get my Meraki MX84 to VPN server

Frank1
Comes here often

I enable the client VPN, client VPN subnet to 192.168.8.0/24, DNS to Google DNS, no WINS server, secret ID, add myself as Meraki VPN user.

 

Then I set up my Android based on the following documentation:

https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration#Android

 

Yet it will not connect. What am I missing?

 

Thanks in advance.

PhilipDAth
Kind of a big deal

What is actually going wrong?

 

Do you get a username/password prompt?

Does it accept your username/password?

Does perhaps traffic just fail to parse?

PhilipDAth
Kind of a big deal

Also, is your MX connected directly to the Internet, and does it have a public IP address on its WAN port, or is it behind something else doing NAT?


@PhilipDAth wrote:

Also, is your MX connected directly to the Internet, and does it have a public IP address on its WAN port, or is it behind something else doing NAT?

It's not behind a NAT, but it's not direct: it's a PPPoE modem that connects to the internet and the MX is connected to it, but I do not think it's bridged.

internet ----- PPPoE modem with (PPPoE account/password)------MX-----LAN

We can surf but not VPN back in.



You are going to have to make sure that the ISP device provided is allowing your MX ports for VPN. 

It's not "normal" and some ISPs block those ports. At least, that's what some of our users had to do at their house. 

 

Check out this link here. Do you have any log info that you could provide to assist? 

 

You can find it on the left hand menu in your Dashboard under Network Wide and then Event Log. 

 

Also, please do note that if you are testing your VPN you have to be off your network (the LAN from your diagram) to use the VPN on the Android.

 

Test Here on Internet -----> Modem with Ports 500/4500 UDP Forwarded ----> MX with VPN and Event Log --->LAN

 

 

On the Modem also turn on ICMP on the WAN side. Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself. Also, I haven't used it from an Android but from Windows I get a lot of users who do not check the right Auth (PAP) so make sure those settings are spot on too and you should be set. 

 

If it doesn't work, show us some logs and we can help you from there.

 

cta102
Building a reputation

I would suggest that you check the logs to see if there is any sign of attempted connections from the outside world.

 

Filter the SA logs for the event "All Non-Meraki / Client VPN"; that will let you see if there are any attempted negotiations occurring, along with any refusals due to credentials or misconfigured options.

 

If you see no connection attempts then either the ISP may be blocking VPN connectivity or the client can't hit the box.

 

Also, not wishing to be silly, but you have authorised the account to be a VPN client (not that I wouldn't manage to do such a thing the first time I tried setting it up), and (as was said earlier) make sure that you aren't connected to the Meraki network via Wi-Fi.

In case it helps, here are the sanitised settings from my SA and Android phone that work great via both the mobile network and public hotspots.

[Image: SA Side settings, Meraki Android VPN v3.jpg]
