We are testing client VPN. It is enabled and users are able to connect. 2 out of 4 users are unable to resolve host names from mapped drives. The other 2 users are. DNS server is at the DC across a VPN tunnel to a non-meraki peer. All are Windows 10. Here is what has been attempted with the assistance of support. IPs of servers can be reached via ping.
1) enabled WINS specified DNS server
2) Hardcoded DNS into NIC of clients that could not connect.
We spent a lot of time on the phone with support but still do not have any resolution.
Hi, some ideas of tests to do:
- ping the DNS servers and share server to verify the connectivity
- nslookup to the DNS servers to verify the connectivity
- disable firewall and antivirus on the Windows 10 computers
- where are the mapped drives? Windows Server? NAS? DFS?
- do a test mapping the drive by IP, not using the name of the server
- have you disabled SMB1 on the Windows 10 clients?
- check the time on the servers and client, sync with an NTP server
Please don't use WINS. Microsoft does not want you to use WINS.
Make sure you use the fully qualified domain name, such as software.domain.local.
If your internal domain is the same as a publicly resolvable domain, adjust your interface metric.
You can either re-deploy the VPN using a script, such as the ones in my signature. They're recently updated to set the Meraki VPN connection to have priority.
Or you can hit it with PowerShell directly:
All user connection:
(Get-Content -path $env:PROGRAMDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=1' | Set-Content -path $env:PROGRAMDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk
Individual user connection:
(Get-Content -path $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=1' | Set-Content -path $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk
Or you can do it manually via the GUI. I prefer PowerShell.
>DNS server is at the DC across a VPN tunnel to a non-meraki peer.
I don't think this is a supported configuration - hairpinning client VPN connections to a non-Meraki VPN connection.
I've tried this and found it to be flaky and only intermittently works (client connects and works, next day client connects and it doesn't). I've found when it doesn't work if you ping the client's private VPN IP address from the DC machine it usually starts working. Altogether not nice.
It does work perfectly for AutoVPN connected sites.
This is due to the NICs interface metric, and it's been absolutely maddening.
Connect to the VPN. Open PowerShell and type Get-NetIPInterface. You will see your Ethernet (or Wifi) and VPN name in the list. On the left is ifInterface number, on the right is interfaceMetric. You need VPN to have a LOWER interfaceMetric than your primary NIC. Problem is, VPN metric changes every time you connect. I've found good results changing both Ethernet and Wifi to 50. You can do this in the IPv4 properties of primary NIC, Advanced, then remove automatic metric box and type in 50. Also you can do it in PowerShell with Set-NetIPInterface -InterfaceIndex 24 -InterfaceMetric 50 and replace the 24 with whatever the left number was on Get-NetIPInterface.
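Added example (not part of the thread or of any poster's scripts): a PowerShell check for the interface-metric condition described in the replies above, flagging any connected interface whose metric is lower than or equal to the VPN's. The function name Test-VpnMetricOrder, the connection name 'Meraki VPN' and the sample interface values are assumptions constructed for illustration.

```powershell
# Added example, not code from the thread. Test-VpnMetricOrder and the sample
# interface values below are constructed for illustration.
function Test-VpnMetricOrder {
    param(
        [Parameter(Mandatory)] [object[]] $Interfaces,  # needs InterfaceAlias, InterfaceMetric, ConnectionState
        [Parameter(Mandatory)] [string]   $VpnAlias     # name of the VPN connection (assumption)
    )
    # Only connected, non-loopback interfaces are compared.
    $connected = @($Interfaces | Where-Object {
        "$($_.ConnectionState)" -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*'
    })
    $vpn = $connected | Where-Object { $_.InterfaceAlias -eq $VpnAlias } | Select-Object -First 1
    if (-not $vpn) {
        return [pscustomobject]@{ VpnAlias = $VpnAlias; VpnMetric = $null; VpnPreferred = $false
                                  Competing = @(); Note = 'VPN interface is not connected' }
    }
    # Lower metric wins. A tie is reported as a problem here (conservative choice).
    $competing = @($connected | Where-Object {
        $_.InterfaceAlias -ne $VpnAlias -and $_.InterfaceMetric -le $vpn.InterfaceMetric
    } | ForEach-Object { '{0} (metric {1})' -f $_.InterfaceAlias, $_.InterfaceMetric })
    $note = if ($competing.Count -eq 0) {
        'VPN has the lowest metric, so its DNS servers are preferred'
    } else {
        'Raise the metric of: ' + ($competing -join ', ')
    }
    [pscustomobject]@{ VpnAlias = $VpnAlias; VpnMetric = $vpn.InterfaceMetric
                       VpnPreferred = ($competing.Count -eq 0); Competing = $competing; Note = $note }
}

# Constructed sample: Ethernet outranks the VPN, Wi-Fi is disconnected and ignored.
$sample = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet';   InterfaceMetric = 25; ConnectionState = 'Connected' }
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';      InterfaceMetric = 35; ConnectionState = 'Disconnected' }
    [pscustomobject]@{ InterfaceAlias = 'Meraki VPN'; InterfaceMetric = 35; ConnectionState = 'Connected' }
)
Test-VpnMetricOrder -Interfaces $sample -VpnAlias 'Meraki VPN' | Format-List

# Same sample after setting the primary NIC to 50, as suggested in the post above.
$sample[0].InterfaceMetric = 50
Test-VpnMetricOrder -Interfaces $sample -VpnAlias 'Meraki VPN' | Format-List

# On a live client, while connected to the VPN:
# Test-VpnMetricOrder -Interfaces (Get-NetIPInterface -AddressFamily IPv4) -VpnAlias 'Meraki VPN'
```

Running it on a working and a non-working client while both are connected shows whether the metric ordering differs between them.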
Might be barking up the wrong tree but I've seen times before where Windows will try and mount the drive using the Client VPN credentials which causes issues. Try giving this a go:
This was mentioned a little while back on our forums also (link) but I found this out a while ago in my previous job.
Let me know how you get on, and stay safe out there!
Network Support Engineer
.:|:.:|:. Cisco Meraki EMEAR 🇬🇧
For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com
@BearTech Do you mean "VPN has lower priority" or "VPN has lower number/higher priority"?
If you want lower number/higher priority, you can get there using one of my PowerShell snippets to edit the saved setting in the rasphone.pbk file. That stores all of your saved connections through the Windows client.