Meraki

Community

Client VPN Issue

Teechan
Here to help
‎Feb 5 2019 3:57 PM
‎Feb 5 2019 3:57 PM

Client VPN Issue

Came across a user who was unable to establish a vpn connection on his Dell laptop, running Win10. After entering his username and password, the user was stuck in a "connecting" state. 

 

MX Appliances did update a few days ago, however all other users could connect to vpn without issue. 

Dell laptop was newly imaged to Win10

Meraki gave multiple errors - 

Feb 5 13:07:45 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Feb 5 13:07:45 Non-Meraki / Client VPN negotiationmsg: no configuration found for 6.1.0.1.
    
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport xxxxxx spi=60769056(0x39f4320)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport xxxxxx spi=213759384(0xcbdb598)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA xxxxxx
Feb 5 13:06:14 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Feb 5 13:06:14 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.

DH 19&20 Most commonly for me, when a client didn't have Client VPN configured to properly authenticate with AD etc - Since it only affected one user, this is not the issue

 

Confirmed FW wasn't blocking

Confirmed that adapter settings were correct

Confirmed PSK was accurate

Uninstalled/Reinstalled all Miniports including registry entries

Confirmed TLS settings

Confirmed Dell apps Smartbyte and Killer Control Center not installed

 

No dice. 

 

Came across https://www.geekshangout.com/vpn-connection-hangs-in-connecting/#comment-32375 

 

This article allowed me to connect the user. Win10 issue FTW.

 

Just figured I'd post to save you all the time.

 

 

12 Replies 12
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 5 2019 4:02 PM
‎Feb 5 2019 4:02 PM

If it is a Dell machine also means sure you remove SmartByte. 

 

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

0 Kudos
In response to PhilipDAth
Teechan
Here to help
‎Feb 5 2019 4:20 PM
‎Feb 5 2019 4:20 PM

Thanks Philip, it was not installed on user's laptop.

0 Kudos
Bonifas
Here to help
‎Feb 6 2019 2:50 AM
‎Feb 6 2019 2:50 AM

Same thing happens on our set of Dell laptops too with Windows 10 Pro.

 

It does not connect even from the VPN page.

 

After a long trying to connect "connecting" it fails with the following error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

 

Any suggestions? Or work arounds?

 

All the steps in the troubleshooting page were performed, but no luck.

In response to Bonifas
NolanHerring
Kind of a big deal
‎Feb 6 2019 6:24 AM
‎Feb 6 2019 6:24 AM

If you perform a Windows 10 update, it ruins the preconfigured VPN settings. Microsoft resets the authentication setting to MS-CHAPv2 instead of PAP after an update is done. Awesome isn't it?

Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
Teechan
Here to help
‎Feb 7 2019 4:43 PM
‎Feb 7 2019 4:43 PM

@NolanHerring Very awesome. 

0 Kudos
In response to NolanHerring
Bonifas
Here to help
‎Feb 7 2019 9:34 PM
‎Feb 7 2019 9:34 PM

Hi Nolan,

 

This is a brand new Dell latitude 3490 laptop.

 

No updates were done.

 

Thanks,

Bonifas

0 Kudos
In response to Bonifas
Nash
Kind of a big deal
‎Feb 6 2019 6:42 AM
‎Feb 6 2019 6:42 AM

Bonifas - that's 789, right? 

 

Assuming this is a one PC error and you know the PSK/all settings are right: I have had luck before with uninstalling the WAN Miniport L2TP device under Device Manager, then have DM scan for new hardware. Sometimes I'm lazy and just reboot instead, because I have bad habits.

 

If you don't see the WAN Miniports, click View and select Show Hidden Devices. Make sure you don't uninstall the drivers themselves, 

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Bonifas
Teechan
Here to help
‎Feb 7 2019 4:42 PM
‎Feb 7 2019 4:42 PM

@Bonifas What errors are you getting in Meraki? You confirmed that the adapter settings are reflecting the correct security configuration?

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration 

In response to Teechan
Bonifas
Here to help
‎Feb 7 2019 9:36 PM
‎Feb 7 2019 9:36 PM

@Teechan 

 

The adapter settings keeps reverting back to MS CHAP V2 though PAP is selected.

 

Thanks,

Bonifas

0 Kudos
In response to Bonifas
Nash
Kind of a big deal
‎Feb 8 2019 8:46 AM
‎Feb 8 2019 8:46 AM

@Bonifas Is the end user saving their credential? This can also cause Win10 to change the password protocol away from PAP. Since my help desk has told end users to no longer save credentials, but to enter it every time, it's reduced the incidence of this behavior.

 

Assuming an AD environment where all client VPN users have an AD account... It's easier on the end user if you can integrate the VPN with their AD account, either via RADIUS or the straight up AD integration. We typically use RADIUS, since not all customers are willing to get a valid certificate for their AD server.

 

You can also try changing the encryption level to Optional. Windows 10 does not actually support Required encryption for PAP. It will assume the encryption level is correct and then helpfully change the password protocol to one that supports required encryption.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
superego
Just browsing
‎Nov 14 2019 11:29 AM
‎Nov 14 2019 11:29 AM

My Home VPN was working before using Windows 10 Laptop and Desktop.  Then after the updates it stopped working.  Modified the VPN Properties and allowed the protocols below and it started working again.

 

vpn-meraki.JPG

0 Kudos
seniorcit
Conversationalist
‎Feb 24 2020 2:23 PM
‎Feb 24 2020 2:23 PM

I'm having what looks like the same issue ever since a W-10 Pro 64b update on Feb 12 or Feb 16

 

seniorcit_0-1582582615230.png

 

I can no longer login to this vpn on my W-10 PC.  I tried recreating the vpn 5 times with the same error message after a long negotiating attempt.  The same login information works on my W-7 laptop without fail.

 

seniorcit_1-1582582833083.png

 

I had changed no settings on the W-10 Pro 64b machine when the error began appearing.  I looked through all the 'fixes' listed in this discussion and cannot find a fix.  I've thought of trying to restore my Pc to a date earlier in Feb but have some other valuable data I don't want to lose.  HELP!!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.