Cisco Meraki MX84 - trouble with Client VPN setup

Mazen
Just browsing

Cisco Meraki MX84 - trouble with Client VPN setup

A new client has a Cisco Meraki MX84 installed by a previous IT person. Now they want to implement VPN. I know how to do it (at least I think I do) but for some reason I can't figure why every time I go to save the config I get an error message that says -

There were errors in saving this configuration: 

  • xx.xx.xx.xx is the primary IP address of Internet port 1 and cannot be forwarded.


Currently when I go into Security & SD-WAN then Client VPN it's disabled.
I enabled Client VPN server
Accept the default/Example Subnet 192.168.3.0/24 which is unique and different than the current network
For the DNS server I selected Specify nameservers and for Custom nameserver entered the domain server 192.168.1.x
No WINS servers selected
Entered Shared secret
Authentication, selected Meraki Cloud Authentication

Finally clicked Save at the bottom, then get the above error message mentioned at the top.

I looked everywhere and there is no port forwarding selected. Am I missing something? BTW, I have worked with Cisco ASA before, but this is my first time with Cloud based. It looks simple enough (maybe too simple compared to CLI in Cisco ASA). I hope someone can help. Thanks in advance.

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

Most likely, there is some NAT forward you can't see.  Take a look under:

Security @ SD-WAN/Firewall/Forwarding rules

 

Mazen
Just browsing

I looked there and that's what has me confused -

In the Forwarding rules

Port forwarding = There are no port forwarding rules on this network.

1:1 NAT = There are no 1:1 NAT mappings.

1:Many NAT = has Public IP address = x.x.x.x

    Uplink = Internet1

    under this there are 8 rules

 

Thanks.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

>under this there are 8 rules

 

I'm guessing one of those is for udp/500 or udp/4500, which is needed for client VPN.

Mazen
Just browsing

There is only one UDP port it's 5800 the rest are TCP for RDP and one is port 23.and 1603.

 

You would think Meraki would give a better error message that would  point to where the problem is.

 

Thanks

Mazen
Just browsing

Here is another thing I just discovered that is strange and maybe there is a glitch somewhere not related to trying to enable Client VPN. When I click on disable after getting the error message and then client save I get the same error message even though I am clicking disable Client VPN.

 

I don't understand why Cisco thinks I am trying to forward the primary IP address of Internet port 1.

Inderdeep
Kind of a big deal
Kind of a big deal

Did you checked this document and troubleshoot with all steps

https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Mazen
Just browsing

I just checked it. This seems to be more for if you already have Client VPN set up, I can't get past enabling and saving configuration, when I do I get the error mentioned before. Also when I am on any other page under Security & SD-WAN and click save I get the same error, makes me wonder if it's not Client VPN related something else going on.

 

I don't understand why it thinks I want the Internet 1 forwarded.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels