Client VPN Initial Connection Problem

I have a problem with Client VPN on the initial connection. I've checked all the credentials and the shared secret entered on my Mac, but it still won't connect. I can connect to another network in the same organization with the same credentials, but not this one.


My MX device sits behind a NAT device. I know that the NAT device must forward UDP ports 500 and 4500 to make it work. The site-to-site VPN connects successfully; does this mean the client VPN should also connect successfully, since UDP ports 500 and 4500 have already been forwarded successfully for the site-to-site VPN? What should I do to make this client VPN work?



The client VPN troubleshooting doc is pretty good.

Troubleshooting Client VPN - Cisco Meraki


As you mentioned, port forwarding UDP 500 and 4500 is key.

I suggest checking the MX event log to see if it's getting the client request.
The details are under the heading "The MX is Not Receiving the Client VPN Connection Attempt".

It actually sounds like you've overlapped ports for the client VPN and the S2S VPN.
Take a look at: Site-to-site and Client VPN Port Overlap with Manual port Forwarding rules - Cisco Meraki

Hi Brash,

I did not set manual port forwarding rules for the S2S VPN, so there are no overlapping ports.

The MX event log also records nothing.

What value do I need to set for the LAN IP in the firewall's port forwarding rules? When I tried entering the LAN IP of the MX, it still didn't work.


Uplink : Internet 1

Protocol : UDP

Public Port : 500 and 4500

LAN IP : ?? (what do I need to fill in here?)

Local Port : 500 and 4500

Allowed Remote IPs: Any

The port forwarding needs to be configured on the upstream NAT device (presumably a firewall).
UDP 500 and 4500 need to be forwarded to the MX's WAN interface IP address.
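As an added example (not part of the original thread and not Meraki's own tooling), the script below checks the advice above from the outside: it builds a single IKEv1 Main Mode request, sends it to the public IP on UDP 500 (plain IKE) and on UDP 4500 (IKE behind the NAT-T non-ESP marker), and reports whether a well-formed ISAKMP reply that echoes our initiator SPI came back. Run it from outside the NAT, as the later replies in the thread also insist. A reply proves that the upstream NAT forwards the port to something speaking IKE, which is exactly the case where the MX event log should start showing the connection attempt; no reply points at the forwarding rule (or the LAN IP it targets) rather than at credentials or the shared secret. The target address 203.0.113.10 is a placeholder assumption, and the 3DES/SHA1/PSK/MODP-1024 proposal is one common L2TP/IPsec proposal, not a claim about the MX's exact accepted set.

```python
"""Minimal IKEv1 reachability probe for an MX behind a NAT device.

Builds one ISAKMP Main Mode (identity protection) request carrying a single
3DES/SHA1/PSK/MODP-1024 proposal, sends it to UDP 500 (plain IKE) and to
UDP 4500 (IKE wrapped in the RFC 3948 non-ESP marker), and reports whether a
well-formed ISAKMP reply echoing our initiator SPI came back.
"""
import os
import socket
import struct

ISAKMP_VERSION = 0x10               # major 1, minor 0
EXCH_MAIN_MODE = 2                  # identity protection exchange
PAYLOAD_SA = 1
PAYLOAD_NONE = 0
NAT_T_MARKER = b"\x00\x00\x00\x00"  # non-ESP marker that prefixes IKE on UDP 4500
HDR = struct.Struct(">8s8sBBBBII")  # i_spi, r_spi, next, ver, exch, flags, msgid, len


def _transform() -> bytes:
    # Transform #1 (KEY_IKE) with basic TV attributes:
    # enc=3DES-CBC(5), hash=SHA1(2), auth=pre-shared key(1), DH group 2
    attrs = b"".join(struct.pack(">HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    return struct.pack(">BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs


def _proposal() -> bytes:
    t = _transform()
    # Proposal #1, protocol ISAKMP (1), SPI size 0, one transform
    return struct.pack(">BBHBBBB", PAYLOAD_NONE, 0, 8 + len(t), 1, 1, 0, 1) + t


def build_main_mode(initiator_spi: bytes) -> bytes:
    """Return a complete ISAKMP packet (header + SA payload) as sent on UDP 500."""
    if len(initiator_spi) != 8:
        raise ValueError("initiator SPI must be 8 bytes")
    p = _proposal()
    # SA payload: DOI = IPsec (1), situation = SIT_IDENTITY_ONLY (1)
    sa = struct.pack(">BBHII", PAYLOAD_NONE, 0, 12 + len(p), 1, 1) + p
    total = HDR.size + len(sa)
    hdr = HDR.pack(initiator_spi, b"\x00" * 8, PAYLOAD_SA, ISAKMP_VERSION,
                   EXCH_MAIN_MODE, 0, 0, total)
    return hdr + sa


def parse_header(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header; raise ValueError if malformed."""
    if len(data) < HDR.size:
        raise ValueError("short packet")
    i_spi, r_spi, nxt, ver, exch, flags, msgid, length = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    return {"initiator_spi": i_spi, "responder_spi": r_spi, "next_payload": nxt,
            "version": ver, "exchange_type": exch, "flags": flags,
            "message_id": msgid, "length": length}


def is_reply_to(sent_spi: bytes, data: bytes, nat_t: bool = False) -> bool:
    """True if `data` is an ISAKMP reply to our request (our SPI echoed, responder SPI set)."""
    if nat_t:
        if not data.startswith(NAT_T_MARKER):
            return False
        data = data[len(NAT_T_MARKER):]
    try:
        h = parse_header(data)
    except ValueError:
        return False
    return (h["initiator_spi"] == sent_spi
            and h["responder_spi"] != b"\x00" * 8
            and (h["version"] >> 4) == 1)


def probe(host: str, port: int = 500, timeout: float = 3.0) -> bool:
    """Send one Main Mode request to host:port/udp; True if an IKE responder answered."""
    spi = os.urandom(8)
    pkt = build_main_mode(spi)
    nat_t = port == 4500
    if nat_t:
        pkt = NAT_T_MARKER + pkt
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return is_reply_to(spi, data, nat_t=nat_t)


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation-range placeholder (assumption); pass the real public IP
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    for p in (500, 4500):
        state = "IKE responder answered" if probe(target, p) else "no reply"
        print(f"{target}:{p}/udp -> {state}")
```

Usage: `python3 ike_probe.py <public IP of the NAT device>` from a host outside the NAT. If 500 answers but 4500 does not, only the NAT-T rule is missing; if neither answers while the MX event log stays empty, the forward is not reaching the MX WAN IP at all. Note that a reply only proves some IKE listener sits behind the forward, so if the NAT device itself terminates IPsec (it runs its own VPN server, or its S2S tunnel grabs the ports), it may be answering instead of the MX.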

I think I've found the problem already, but it's kind of weird.

I tried disabling the S2S VPN and then tested the client VPN connection again, and now it's working.

But when I enable the S2S VPN again, the client VPN is still working. Isn't that weird? Is it because something was cached before?

Where are you testing the client VPN from?
Inside your network (across the S2S VPN) or outside of your network?
Can you show the S2S VPN settings?

Outside my network.

Attached are my S2S VPN settings.

[Attachment: Screen Shot 2021-12-03 at 10.25.26.png]
