Client VPN Suddenly Failing on Apple Computer

bismarckpalm
Conversationalist


Hello! 


I am working on an Apple computer that was connecting to my MX64 VPN successfully but suddenly stopped.  The computer owner said it happened after an update.  I have deleted the old VPN connection but still no luck.  I also called Meraki technical support with no luck.  Any ideas? 


On the Apple log:  IPSec connection failed

Error:   The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.


MX64 log: msg: phase1 negotiation failed due to time up.

9 Replies
PhilipDAth
Kind of a big deal

That means it is not getting a response from the MX64.


Does the MX64 have the same public IP address that it had before?  Is it maybe using a dynamic IP address?

The device providing your Internet access might be blocking the traffic.

Perhaps a software firewall on your machine is blocking the traffic.

The IP is the same and static and no one else is having any trouble connecting.  I did try turning off the Norton firewall on the Mac but it has been in place before when this connection was working fine and turning it off had no effect.  Here are some more logs that might be a clue:


Non-Meraki / Client VPN negotiation msg: msg: IPsec-SA expired: ESP/Transport

Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
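As an added illustration of what the MX event log above records (example code written for this thread, not Meraki's own tooling), here is a small Python parser that summarizes one client's IKE phase 1 attempt from lines like the ones quoted. The sample log embedded in it is copied from this post; its reading of each "received broken Microsoft ID" line as the start of a new IKE exchange is an assumption, and the verdict it produces is a summary of the log, not a root-cause determination.

```python
import re
from collections import Counter

# Constructed sample: the MX event log lines quoted in this thread.
SAMPLE_LOG = """\
Non-Meraki / Client VPN negotiation msg: msg: IPsec-SA expired: ESP/Transport
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
"""

PREFIX = "Non-Meraki / Client VPN negotiation msg: "
DH_GROUP_RE = re.compile(r"invalid DH group (\d+)")


def parse_negotiation_log(text):
    """Summarize the phase 1 events found in MX client VPN log lines."""
    summary = {
        "isakmp_sa_established": False,   # ISAKMP-SA (phase 1) completed at some point
        "phase1_timed_out": False,         # "phase1 negotiation failed due to time up"
        "ipsec_sa_expired": False,         # an earlier IPsec SA ran out
        "rejected_dh_groups": Counter(),   # DH group number -> times the MX rejected it
        "vendor_id_count": 0,              # assumption: one vendor-ID line per IKE exchange
        "unknown": [],                     # messages this parser does not classify
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue                       # not a client VPN negotiation line
        msg = line[len(PREFIX):]
        if msg.startswith("msg: "):        # some lines carry a doubled "msg:" prefix
            msg = msg[len("msg: "):]
        m = DH_GROUP_RE.match(msg)
        if m:
            summary["rejected_dh_groups"][int(m.group(1))] += 1
        elif msg.startswith("received broken Microsoft ID"):
            summary["vendor_id_count"] += 1
        elif msg.startswith("ISAKMP-SA established"):
            summary["isakmp_sa_established"] = True
        elif msg.startswith("phase1 negotiation failed"):
            summary["phase1_timed_out"] = True
        elif msg.startswith("IPsec-SA expired"):
            summary["ipsec_sa_expired"] = True
        else:
            summary["unknown"].append(msg)
    return summary


def diagnose(summary):
    """Turn the summary into a one-line triage note for the admin."""
    findings = []
    if summary["ipsec_sa_expired"]:
        findings.append("a previous IPsec SA expired, so the client is renegotiating")
    if summary["rejected_dh_groups"]:
        groups = sorted(summary["rejected_dh_groups"])
        findings.append("the client proposed DH group(s) %s that the MX rejected" % groups)
    if summary["phase1_timed_out"]:
        findings.append("IKE phase 1 timed out on the last exchange")
    elif summary["isakmp_sa_established"]:
        findings.append("IKE phase 1 completed")
    if summary["unknown"]:
        findings.append("%d unclassified message(s)" % len(summary["unknown"]))
    return "; ".join(findings) if findings else "no phase 1 events found"


if __name__ == "__main__":
    result = parse_negotiation_log(SAMPLE_LOG)
    print(diagnose(result))
```

Run against the thread's log it reports the expired SA, the repeated rejection of DH groups 19 and 20, and the final phase 1 timeout, which is a quicker read than scanning the raw event log when several clients are negotiating at once.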


Nash
Kind of a big deal

From the Apple device, can you successfully ping the MX?

bismarckpalm
Conversationalist

I have Ping turned off but it does see the MX because I can see it trying to connect in the event logs.

Hi,


Could you take a packet capture at the Internet interface of the MX (download as a .pcap file for Wireshark) while attempting to connect to Client VPN, and filter it using your Apple computer's public IP, after you have double-checked the VPN adapter settings?


https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#macOS


Cheers,

Gaurav

Took a pcap on the Internet interface of my MX while connecting to Client VPN, and here's what a successful IPsec tunnel negotiation looks like:

[Screenshot: packet capture of a successful IPsec tunnel negotiation, 2019-10-18]

In case you haven’t tried those yet to narrow down the root cause, I would suggest the following:


- make sure the box for Send all traffic through VPN in advanced settings is checked. It may have been reset to its default value (unchecked) after the upgrade

- test VPN using the problematic user's credentials from another device on the same network, and from a different network

- test VPN with known working credentials on the same device, and from another device on the same network

- test with a new network location

- delete the VPN network interface in System Preferences and delete all VPN keychain entries on the Mac (search for the VPN name and Xauth). Then reconfigure from scratch and test

- reconnect with Meraki support, and have them analyse the packet capture while you replicate the issue

- verify there is no profile installed that could interfere with your VPN configuration


If the upgrade was major, like 10.13 to 10.14, or Catalina, try to connect after disabling SIP (temporarily)


I hope you get to the bottom of it soon!

Caribou

Unfortunately, the remote computer has not been available for further troubleshooting.  I do suspect there are more issues with it other than just the VPN.  However, Macs definitely aren't my specialty.  I am going to see if the user can have someone more familiar with them inspect it for other problems.

It seems Catalina prevents VPN over non-encrypted networks.


I'm finding out the hard way and am now trying to regain connectivity.
