Client VPN Issue

Teechan
Here to help

Client VPN Issue

Came across a user who was unable to establish a vpn connection on his Dell laptop, running Win10. After entering his username and password, the user was stuck in a "connecting" state. 

 

MX Appliances did update a few days ago, however all other users could connect to vpn without issue. 

Dell laptop was newly imaged to Win10

Meraki gave multiple errors - 

Feb 5 13:07:45 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Feb 5 13:07:45 Non-Meraki / Client VPN negotiationmsg: no configuration found for 6.1.0.1.
    
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport xxxxxx spi=60769056(0x39f4320)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport xxxxxx spi=213759384(0xcbdb598)
Feb 5 13:06:15 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA xxxxxx
Feb 5 13:06:14 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Feb 5 13:06:14 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.

DH 19&20 Most commonly for me, when a client didn't have Client VPN configured to properly authenticate with AD etc - Since it only affected one user, this is not the issue

 

Confirmed FW wasn't blocking

Confirmed that adapter settings were correct

Confirmed PSK was accurate

Uninstalled/Reinstalled all Miniports including registry entries

Confirmed TLS settings

Confirmed Dell apps Smartbyte and Killer Control Center not installed

 

No dice. 

 

Came across https://www.geekshangout.com/vpn-connection-hangs-in-connecting/#comment-32375 

 

This article allowed me to connect the user. Win10 issue FTW.

 

Just figured I'd post to save you all the time.

 

 

12 REPLIES 12
PhilipDAth
Kind of a big deal
Kind of a big deal

If it is a Dell machine also means sure you remove SmartByte. 

 

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

Thanks Philip, it was not installed on user's laptop.

Bonifas
Here to help

Same thing happens on our set of Dell laptops too with Windows 10 Pro.

 

It does not connect even from the VPN page.

 

After a long trying to connect "connecting" it fails with the following error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

 

Any suggestions? Or work arounds?

 

All the steps in the troubleshooting page were performed, but no luck.

If you perform a Windows 10 update, it ruins the preconfigured VPN settings. Microsoft resets the authentication setting to MS-CHAPv2 instead of PAP after an update is done. Awesome isn't it?

Nolan Herring | nolanwifi.com
TwitterLinkedIn

@NolanHerring Very awesome. 

Hi Nolan,

 

This is a brand new Dell latitude 3490 laptop.

 

No updates were done.

 

Thanks,

Bonifas

Nash
Kind of a big deal

Bonifas - that's 789, right? 

 

Assuming this is a one PC error and you know the PSK/all settings are right: I have had luck before with uninstalling the WAN Miniport L2TP device under Device Manager, then have DM scan for new hardware. Sometimes I'm lazy and just reboot instead, because I have bad habits.

 

If you don't see the WAN Miniports, click View and select Show Hidden Devices. Make sure you don't uninstall the drivers themselves, 

@Bonifas What errors are you getting in Meraki? You confirmed that the adapter settings are reflecting the correct security configuration?

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration 

@Teechan 

 

The adapter settings keeps reverting back to MS CHAP V2 though PAP is selected.

 

Thanks,

Bonifas

Nash
Kind of a big deal

@Bonifas Is the end user saving their credential? This can also cause Win10 to change the password protocol away from PAP. Since my help desk has told end users to no longer save credentials, but to enter it every time, it's reduced the incidence of this behavior.

 

Assuming an AD environment where all client VPN users have an AD account... It's easier on the end user if you can integrate the VPN with their AD account, either via RADIUS or the straight up AD integration. We typically use RADIUS, since not all customers are willing to get a valid certificate for their AD server.

 

You can also try changing the encryption level to Optional. Windows 10 does not actually support Required encryption for PAP. It will assume the encryption level is correct and then helpfully change the password protocol to one that supports required encryption.

My Home VPN was working before using Windows 10 Laptop and Desktop.  Then after the updates it stopped working.  Modified the VPN Properties and allowed the protocols below and it started working again.

 

vpn-meraki.JPG

seniorcit
Conversationalist

I'm having what looks like the same issue ever since a W-10 Pro 64b update on Feb 12 or Feb 16

 

seniorcit_0-1582582615230.png

 

I can no longer login to this vpn on my W-10 PC.  I tried recreating the vpn 5 times with the same error message after a long negotiating attempt.  The same login information works on my W-7 laptop without fail.

 

seniorcit_1-1582582833083.png

 

I had changed no settings on the W-10 Pro 64b machine when the error began appearing.  I looked through all the 'fixes' listed in this discussion and cannot find a fix.  I've thought of trying to restore my Pc to a date earlier in Feb but have some other valuable data I don't want to lose.  HELP!!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels