Hello!
I am working on an Apple computer that was connecting to my MX64 VPN successfully but suddenly stopped. The computer owner said it happened after an update. I have deleted the old VPN connection but still no luck. I also called Meraki technical support with no luck. Any ideas?
On the Apple log: IPSec connection failed
Error: The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
MX64 log: msg: phase1 negotiation failed due to time up.
That means it is not getting a response from the MX64.
Does the MX64 have the same public IP address that it had before? Is it maybe using a dynamic IP address?
The device providing your Internet access might be blocking the traffic.
Perhaps a software firewall on your machine is blocking the traffic.
The IP is the same and static and no one else is having any trouble connecting. I did try turning off the Norton firewall on the Mac but it has been in place before when this connection was working fine and turning it off had no effect. Here are some more logs that might be a clue:
Non-Meraki / Client VPN negotiation msg: msg: IPsec-SA expired: ESP/Transport
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
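Added example (not part of any post in this thread, and not Meraki code): a short Python triage of the event-log lines quoted above. It counts each message kind and collects the DH group numbers the MX logged as invalid. The labels and the `triage` function name are this example's own.

```python
import re
from collections import Counter

# Event-log lines copied verbatim from the post above.
SAMPLE_LOG = """\
Non-Meraki / Client VPN negotiation msg: msg: IPsec-SA expired: ESP/Transport
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
"""

# Message prefixes seen in this thread, mapped to short labels (labels are this example's own).
KINDS = [
    ("invalid DH group", "dh_rejected"),
    ("phase1 negotiation failed due to time up", "phase1_timeout"),
    ("ISAKMP-SA established", "phase1_established"),
    ("IPsec-SA expired", "phase2_expired"),
    ("received broken Microsoft ID", "broken_ms_id"),
]
DH_GROUP = re.compile(r"invalid DH group (\d+)")

def triage(log_text):
    """Count message kinds and collect the DH group numbers the MX logged as invalid."""
    counts, groups = Counter(), set()
    for raw in log_text.splitlines():
        if "msg:" not in raw:
            continue  # not an event-log message line
        msg = raw.rsplit("msg:", 1)[1].strip()  # tolerates the doubled "msg: msg:"
        kind = next((label for prefix, label in KINDS if msg.startswith(prefix)), "other")
        counts[kind] += 1
        m = DH_GROUP.match(msg)
        if m:
            groups.add(int(m.group(1)))
    return {
        "counts": dict(counts),
        "rejected_dh_groups": sorted(groups),
        # True when at least one phase 1 attempt in this capture timed out.
        "phase1_timed_out": counts["phase1_timeout"] > 0,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running the same summary on logs from a client that still connects gives a baseline to compare against.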
From the Apple device, can you successfully ping the MX?
I have Ping turned off but it does see the MX because I can see it trying to connect in the event logs.
Hi,
Could you take a packet capture at the Internet interface of the MX (download as a .pcap file for Wireshark) while attempting to connect to Client VPN, and filter it out using your Apple computer's public IP after you have double-checked the VPN adapter settings?
https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#macOS
Cheers,
Gaurav
Took a pcap on the Internet interface of my MX while connecting to Client_VPN, and here's what a successful negotiation of the IPsec tunnel looks like:
In case you haven’t tried those yet to narrow down the root cause, I would suggest the following:
- make sure the box for "Send all traffic through VPN" in advanced settings is checked. It may have been reset to its default value (unchecked) after the upgrade
- test VPN using the problematic user credentials from another device on the same network? Different network?
- test VPN with known working credentials on the same device? From another device on the same network?
- test with a new network location
- delete the VPN network interface in System Preferences and delete all VPN keychain entries on the Mac (search for VPN name and Xauth). Then reconfigure from scratch and test
- reconnect with Meraki support, and have them analyse the packet capture while you replicate the issue
- verify there is no profile installed that could interfere with your VPN configuration
If the upgrade was major, like 10.13 to 10.14, or Catalina, try to connect after disabling SIP (temporarily).
I hope you get to the bottom of it soon!
Caribou
Unfortunately, the remote computer has not been available for further troubleshooting. I do suspect there are more issues with it other than just the VPN. However, Macs definitely aren't my specialty. I am going to see if the user can have someone more familiar inspect it for other problems.
It seems Catalina prevents VPN over non-encrypted networks.
I'm finding out the hard way and am now trying to regain connectivity.