Client VPN and Anyconnect no longer working??

Marcel_Smal
Here to help

Hey everyone,

Last week, I encountered a problem where suddenly my Client VPN and AnyConnect VPN stopped working across several organizations. It was confusing because everything was fine the week before.

The issue occurred in different setups like these:

ISP RT -> MSP Router -> MX: with port forwarding

ISP RT -> MX: without port forwarding

After some digging, I opened a case and, with Chris's help from Meraki Support this week, we discovered during a call that the MX inbound firewall was blocking the connections. This explained why the client kept retrying without receiving a response.

It turns out this is a common problem when you enable no NAT (manual inbound firewall rules) through the early access page, disrupting the automatic 1:1 NAT / port forwarding that usually supports Client and AnyConnect VPN services.

Disabling this early access feature fixed the problem. So, if you're using the no NAT early access, remember to allow inbound connections on UDP ports 500 and 4500 for Client VPN, and TCP and UDP 443 for AnyConnect.

[Screenshot attachment: Marcel_Smal_0-1728986645611.png]

This solution worked for me, and I hope it can help others facing similar issues. It would be great to put a notice on this stating: if Client VPN is active, please make sure those rules are implemented after opting in.
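As an added example (not Meraki's code, and not anything from this thread), here is the kind of preflight check I would run against a manual inbound rule set before opting in. The rule dictionaries mirror the field names of Meraki Dashboard API inbound firewall rule objects as I understand them (policy, protocol, srcCidr, srcPort, destCidr, destPort); those names, the top-down first-match evaluation and the default-deny behaviour are assumptions, and the WAN address and rule sets are constructed. It reports which of the ports named above would not be allowed to reach the MX WAN address, including the easy-to-miss case where an existing TCP 443 rule only covers a DMZ host rather than the MX itself.

```python
"""Preflight check before opting in to the MX 'no NAT' early-access feature.

Added example, not Meraki's code. Rule field names follow the Meraki Dashboard
API inbound firewall rule shape as I understand it (assumption); the implicit
default rule is assumed to deny. All sample data is constructed.
"""
import ipaddress

# Ports the thread says must stay reachable on the MX WAN address once the
# automatic 1:1 NAT / port forwarding for these services is disabled.
REQUIRED_SERVICES = {
    "Client VPN (IKE / NAT-T)": [("udp", 500), ("udp", 4500)],
    "AnyConnect": [("tcp", 443), ("udp", 443)],
}


def port_matches(spec, port):
    """Port spec in Meraki style: 'Any', '443', '500,4500' or '1024-65535'."""
    spec = str(spec).strip().lower()
    if spec == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif part and int(part) == port:
            return True
    return False


def protocol_matches(spec, proto):
    spec = str(spec).strip().lower()
    return spec == "any" or spec == proto


def cidr_matches(spec, address):
    """destCidr of 'Any', or a CIDR / host entry that contains the address."""
    spec = str(spec).strip()
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, proto, port, address):
    """Rules are evaluated top-down and the first match decides (assumption).
    Returns the matching rule, or None when the implicit default rule applies."""
    for rule in rules:
        if (protocol_matches(rule.get("protocol", "any"), proto)
                and port_matches(rule.get("destPort", "Any"), port)
                and cidr_matches(rule.get("destCidr", "Any"), address)):
            return rule
    return None


def check_inbound_rules(rules, mx_wan_ip, default_policy="deny"):
    """Return {service: [(proto, port), ...]} for every required endpoint the
    rule set would NOT allow to reach the MX WAN address. An empty dict means
    the VPN services should keep working after opting in."""
    missing = {}
    for service, endpoints in REQUIRED_SERVICES.items():
        gaps = []
        for proto, port in endpoints:
            rule = first_match(rules, proto, port, mx_wan_ip)
            policy = (rule or {}).get("policy", default_policy).lower()
            # Remote VPN clients come from arbitrary addresses, so an allow
            # rule with a narrow source CIDR is also counted as a gap.
            src_ok = str((rule or {}).get("srcCidr", "Any")).lower() == "any"
            if policy != "allow" or not src_ok:
                gaps.append((proto, port))
        if gaps:
            missing[service] = gaps
    return missing


# Constructed sample: a rule set written with only a DMZ web server in mind.
MX_WAN_IP = "198.51.100.1"  # placeholder WAN address, not a real deployment
BEFORE = [
    {"comment": "DMZ web server", "policy": "allow", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any",
     "destCidr": "198.51.100.10/32", "destPort": "443"},
]
# The same rule set with the allow rules recommended in the post prepended.
AFTER = [
    {"comment": "Client VPN (IKE and NAT-T)", "policy": "allow", "protocol": "udp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "500,4500"},
    {"comment": "AnyConnect (TLS and DTLS)", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": MX_WAN_IP + "/32", "destPort": "443"},
] + BEFORE

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        gaps = check_inbound_rules(rules, MX_WAN_IP)
        print(label, "->", "OK" if not gaps else gaps)
```

Run it as-is and the "before" set reports all four endpoints as blocked, even though TCP 443 looks allowed, because that rule's destination is the DMZ host and not the MX WAN address; the "after" set reports nothing missing.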

7 Replies
Mloraditch
A model citizen

I had the same issue a few months ago and also asked support to add notes to the documentation. Guess that hasn't happened.🙃

GreenMan
Meraki Employee

This is a screenshot from part of the document linked in the section where you opt-in for this early access feature. That section does say to "Please see the documentation for more information."

[Screenshot attachment: Screenshot 2024-10-15 163908.png]

Marcel_Smal
Here to help

Hi GreenMan,

I appreciate you sharing the screenshot. What I had in mind was a brief notification or a confirmation prompt asking for a final check and if the documentation has been reviewed before proceeding with this option.

However, I'll make sure to thoroughly review all the details before activating such settings in the future.

GreenMan
Meraki Employee

Yeah - further to my reply, I have reached out to the relevant team to see if we could be a bit more explicit within the entry in the Early access page itself, around the need to really understand what you're enabling. I think it is a good habit to get into though, to read documentation for any feature you're turning on.

Mloraditch
A model citizen

It would be great if screenshots/instructions were added showing what rules need to be added to allow these default services to continue to run as they did previously with the feature enabled.

GreenMan
Meraki Employee

I'm pretty sure we're not going to do that in the Early access menu itself (too much info for that page) - given it's clear from the documentation what changes are made and how to avoid the effect. Sometimes you really do just have to read the manual guys 🙂 That having been said, there are occasions where we can all benefit from something along the lines of "This time you really must read the manual - and do so before you start enabling stuff!"

Mloraditch
A model citizen

I'm sorry, I didn't mean add that info to the EA menu. I meant the documentation article. It seems a note has been added that Client VPN does not work, period, and that obviates the need for any screenshots, but it's not clear about regular Meraki or 3rd party VPN.

I see the line about the MX working if it initiates, but nothing saying you can or cannot add a rule to make remote initiation work. I'm presuming not as there is no way to create a rule for inbound traffic directed to the MX.

As far as local initiation goes, are all Meraki VPNs covered by this or will some of them possibly not work either?

Honestly, this feature seems like one of the ones that should remain gatekept.
