Client VPN gets 718 error when primary RADIUS (DUO) server fails

Dantech
New here


I'm currently experiencing an issue with the Windows VPN adapter when trying to use a Meraki MX 84 (15.43) and DUO MFA. The issue exists when two RADIUS servers are configured and the primary one goes down. I know the second one works because I have listed it first and it works without an issue. The issue seems to be with the client timeout on the VPN adapter. I've contacted Meraki support to change the timeout value on the Meraki side, but it isn't enough time to get the Duo MFA push to the mobile device. I get a 718 error at about 30 seconds, and about 5 seconds later I get the DUO push on the phone, so I just miss it. Even if I push allow on my mobile device, it's too late since it has already closed out the session. Is there a way to change the adapter timeout, or is there something else that needs to be configured to allow the 2nd RADIUS server more time on the client to allow the response?

Inderdeep
Kind of a big deal

@Dantech: Maybe the thread below helps you.

https://community.meraki.com/t5/Security-SD-WAN/VPN-Client-Connection-Fails-with-error-718/m-p/11343...

 

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
Dantech
New here

I think I just found my solution. There is a setting that can be changed to change the timeout on the client side. I know there is another value on the Meraki side that you can ask them to modify but this does not apply for this issue. 

 

To change the client-side timeout, I changed the following registry value from 10 to 30. I simulated the outage; it did take 30 seconds for the second configured RADIUS to kick in, but I was able to hit approve on my mobile device. Hope this helps someone who has a Meraki MX and is configuring DUO MFA (primary and secondary Duo Proxy Server, AKA Meraki RADIUS).

 

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP:MaxConfigure=30
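
The registry change described in the post above, as an added PowerShell example that is not part of the original thread: it reads the current `MaxConfigure` value, sets it only if it differs, and reports before and after so the change can be audited per client. Assumptions: the value is stored as a DWORD, the script runs elevated, and `$Desired` is a hypothetical parameter name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit and set the client-side PPP value
# named in the post. $Desired is a hypothetical parameter name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateRange(1, 120)]   # sanity bound chosen for this example only
    [int]$Desired = 30        # value the poster reports using
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
$name = 'MaxConfigure'

if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key"
}

# Read the current value; $null means the value is absent
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($before -ne $Desired -and $PSCmdlet.ShouldProcess("$key\$name", "Set to $Desired")) {
    # Assumption: the value is stored as a DWORD
    New-ItemProperty -Path $key -Name $name -Value $Desired -PropertyType DWord -Force | Out-Null
}

# Re-read so the report reflects what is actually in the registry
$after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Value    = $name
    Before   = $before
    After    = $after
    Matches  = ($after -eq $Desired)
}
```

Running it with `-WhatIf` reports the current value without writing anything.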

Inderdeep
Kind of a big deal

@Dantech: Good to know. Good luck!

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)