Client VPN Issue

Here to help

Came across a user who was unable to establish a VPN connection on his Dell laptop, running Win10. After entering his username and password, the user was stuck in a "connecting" state.

 

MX Appliances did update a few days ago; however, all other users could connect to VPN without issue.

Dell laptop was newly imaged to Win10

Meraki gave multiple errors - 

Feb 5 13:07:45 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.
Feb 5 13:07:45 Non-Meraki / Client VPN negotiation msg: no configuration found for 6.1.0.1.

Feb 5 13:06:15 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport xxxxxx spi=60769056(0x39f4320)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport xxxxxx spi=213759384(0xcbdb598)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA xxxxxx
Feb 5 13:06:14 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Feb 5 13:06:14 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.

DH 19 & 20: most commonly for me, this is when a client didn't have Client VPN configured to properly authenticate with AD etc. Since it only affected one user, this is not the issue.

 

Confirmed FW wasn't blocking

Confirmed that adapter settings were correct

Confirmed PSK was accurate

Uninstalled/Reinstalled all Miniports including registry entries

Confirmed TLS settings

Confirmed Dell apps Smartbyte and Killer Control Center not installed

 

No dice. 

 

Came across https://www.geekshangout.com/vpn-connection-hangs-in-connecting/#comment-32375 

 

This article allowed me to connect the user. Win10 issue FTW.

 

Just figured I'd post to save you all the time.

 

 

Kind of a big deal

Re: Client VPN Issue

If it is a Dell machine, also make sure you remove SmartByte.

 

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

Here to help

Re: Client VPN Issue

Thanks Philip, it was not installed on user's laptop.

Conversationalist

Re: Client VPN Issue

Same thing happens on our set of Dell laptops too with Windows 10 Pro.

 

It does not connect even from the VPN page.

 

After a long time trying to connect ("connecting"), it fails with the following error: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

 

Any suggestions? Or workarounds?

 

All the steps in the troubleshooting page were performed, but no luck.

Kind of a big deal

Re: Client VPN Issue

If you perform a Windows 10 update, it ruins the preconfigured VPN settings. Microsoft resets the authentication setting to MS-CHAPv2 instead of PAP after an update is done. Awesome isn't it?

Nolan Herring | nolanwifi.com
Head in the Cloud

Re: Client VPN Issue

Bonifas - that's 789, right? 

 

Assuming this is a one PC error and you know the PSK/all settings are right: I have had luck before with uninstalling the WAN Miniport L2TP device under Device Manager, then have DM scan for new hardware. Sometimes I'm lazy and just reboot instead, because I have bad habits.

 

If you don't see the WAN Miniports, click View and select Show Hidden Devices. Make sure you don't uninstall the drivers themselves, 

Here to help

Re: Client VPN Issue

@Bonifas What errors are you getting in Meraki? You confirmed that the adapter settings are reflecting the correct security configuration?

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration 

Here to help

Re: Client VPN Issue

@NolanHerring Very awesome. 

Conversationalist

Re: Client VPN Issue

Hi Nolan,

 

This is a brand new Dell Latitude 3490 laptop.

 

No updates were done.

 

Thanks,

Bonifas

Conversationalist

Re: Client VPN Issue

@Teechan 

 

The adapter settings keep reverting back to MS CHAP V2 though PAP is selected.

 

Thanks,

Bonifas

Head in the Cloud

Re: Client VPN Issue

@Bonifas Is the end user saving their credential? This can also cause Win10 to change the password protocol away from PAP. Since my help desk has told end users to no longer save credentials, but to enter it every time, it's reduced the incidence of this behavior.

 

Assuming an AD environment where all client VPN users have an AD account... It's easier on the end user if you can integrate the VPN with their AD account, either via RADIUS or the straight up AD integration. We typically use RADIUS, since not all customers are willing to get a valid certificate for their AD server.

 

You can also try changing the encryption level to Optional. Windows 10 does not actually support Required encryption for PAP. It will assume the encryption level is correct and then helpfully change the password protocol to one that supports required encryption.
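
Added example, not part of any post in this thread: a PowerShell audit of a Windows VPN profile for the drift described above (password protocol changed away from PAP, encryption level not Optional, saved credentials), with an optional reset to the values the replies recommend. The profile name `Meraki VPN` is a placeholder; the script uses the built-in `Get-VpnConnection` and `Set-VpnConnection` cmdlets.

```powershell
# Added example. 'Meraki VPN' is a placeholder profile name, not from the thread.
param(
    [string]$Name = 'Meraki VPN',
    [switch]$Fix    # without -Fix the script only reports
)

# A profile can live in the per-user or the all-users phone book; check both.
$found = foreach ($allUsers in $false, $true) {
    Get-VpnConnection -Name $Name -AllUserConnection:$allUsers -ErrorAction SilentlyContinue
}
if (-not $found) { Write-Warning "No VPN profile named '$Name' found."; return }

foreach ($p in $found) {
    # AuthenticationMethod is an array (e.g. {MsChapv2}); flatten it for comparison.
    $auth  = ($p.AuthenticationMethod | Sort-Object) -join ','
    $drift = @()
    if ($auth -ne 'Pap')                   { $drift += "AuthenticationMethod=$auth" }
    if ($p.EncryptionLevel -ne 'Optional') { $drift += "EncryptionLevel=$($p.EncryptionLevel)" }
    if ($p.RememberCredential)             { $drift += 'RememberCredential=True' }

    [pscustomobject]@{
        Name       = $p.Name
        AllUsers   = $p.AllUserConnection
        TunnelType = $p.TunnelType
        Status     = if ($drift) { 'DRIFT' } else { 'OK' }
        Detail     = $drift -join '; '
    }

    if ($Fix -and $drift) {
        # Changing an all-users profile needs an elevated session.
        # -Force suppresses the confirmation prompt raised when PAP is selected.
        Set-VpnConnection -Name $p.Name `
            -AllUserConnection:$p.AllUserConnection `
            -AuthenticationMethod Pap `
            -EncryptionLevel Optional `
            -RememberCredential $false `
            -Force
    }
}
```

Running it without `-Fix` after a failed connection attempt shows whether the profile has reverted before anyone touches the adapter settings by hand.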
