Client VPN not working (MX64)

mtint
Comes here often


Hello,

I followed the Client VPN setup as in the guide - https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

and followed the TS steps:

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

I am unable to get this working.

Testing this from my iPhone.

Michael

Message from Meraki - April 2, 2020

Hi all. We hope you are all staying safe during these difficult times. One of the results of the current global situation is a large increase in remote work — and a large increase of traffic to this community thread.

Since this thread is a bit old / specific, we wanted to interject here to provide quick links to the most up-to-date information about Meraki VPN. For an overview of our VPN offering, please see our official documentation here. Also, for the latest updates live from the team, please visit this community thread.

Stay safe and be well.

- The Meraki Team

ww
Kind of a big deal

What errors do you see in the event log?

mtint
Comes here often

Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: no configuration found for 85.255.235.84.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiationmsg: no configuration found for 85.255.235.84.
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA deleted 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA expired 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=132752050.
Nov 11 09:33:48 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=132752050(0x7e9a2b2)
Nov 11 09:33:48 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=90120267(0x55f204b)
Nov 11 09:33:47 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
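
An added PowerShell triage script for the "Non-Meraki / Client VPN negotiation" lines above (this is not code from the thread, from mtint or from Meraki). It takes the exact lines posted above as embedded sample input, parses each into time, event kind and peer address, and then summarises per peer how long the ISAKMP SA lived and how many later attempts ended in "no configuration found". Assumptions: the prefix is parsed as pasted ("negotiationmsg:", the event type and "msg:" run together by the Dashboard export), the year, which the log omits, is supplied as a parameter (2018 here, matching the date in the Nmap output posted further down), and the function names are mine.

```powershell
# Added example, not from the thread or from Meraki. Parses MX event-log lines of
# type "Non-Meraki / Client VPN negotiation" and builds a per-peer timeline.
# Sample input: the exact lines posted above. The log has no year, so it is
# supplied as a parameter; the prefix is taken as pasted ("negotiationmsg:").

$SampleLog = @'
Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: no configuration found for 85.255.235.84.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiationmsg: no configuration found for 85.255.235.84.
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA deleted 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA expired 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=132752050.
Nov 11 09:33:48 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=132752050(0x7e9a2b2)
Nov 11 09:33:48 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=90120267(0x55f204b)
Nov 11 09:33:47 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
'@

function ConvertFrom-MxClientVpnLog {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$Year = (Get-Date).Year          # the MX event log omits the year
    )
    $linePattern = '^(?<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+Non-Meraki / Client VPN negotiationmsg:\s*(?<msg>.+?)\.?\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if (-not ($line -match $linePattern)) { continue }
        $ts  = $Matches['ts'] -replace '\s+', ' '
        $msg = $Matches['msg']
        # Classify the message; each case ends with break so only the first match counts.
        $kind = switch -Regex ($msg) {
            '^ISAKMP-SA established'       { 'phase1-up';          break }
            '^ISAKMP-SA (expired|deleted)' { 'phase1-down';        break }
            '^IPsec-SA established'        { 'phase2-up';          break }
            '^purged IPsec-SA'             { 'phase2-down';        break }
            '^no configuration found'      { 'no-config';          break }
            '^failed to begin ipsec sa'    { 'negotiation-failed'; break }
            default                        { 'other' }
        }
        # Peer = second address in "A[port]-B[port]" / "A[port]->B[port]", or the
        # address in "no configuration found for X". Lines without one get $null.
        $peer = $null
        if ($msg -match '\[\d+\]-+>?(?<peer>\d+(\.\d+){3})\[\d+\]') { $peer = $Matches['peer'] }
        elseif ($msg -match 'found for (?<peer>\d+(\.\d+){3})')     { $peer = $Matches['peer'] }
        [pscustomobject]@{
            Time    = [datetime]::ParseExact("$Year $ts", 'yyyy MMM d HH:mm:ss',
                          [System.Globalization.CultureInfo]::InvariantCulture)
            Kind    = $kind
            Peer    = $peer
            Message = $msg
        }
    }
}

function Get-MxClientVpnPeerSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($group in ($Events | Where-Object Peer | Group-Object Peer)) {
        $timeline = @($group.Group | Sort-Object Time)   # the Dashboard lists newest first
        $up   = $timeline | Where-Object Kind -eq 'phase1-up'   | Select-Object -First 1
        $down = $timeline | Where-Object Kind -eq 'phase1-down' | Select-Object -First 1
        $lifetime = if ($up -and $down) { [int](($down.Time - $up.Time).TotalSeconds) } else { $null }
        # "no configuration found" events at or after the teardown of the phase-1 SA
        $rejected = @($timeline | Where-Object { $down -and $_.Kind -eq 'no-config' -and $_.Time -ge $down.Time }).Count
        $verdict = if ($up -and $down -and $rejected -gt 0) {
            "SA came up, was torn down after $lifetime s, then $rejected attempt(s) were rejected with 'no configuration found'"
        } elseif ($up) { 'SA established; no teardown in this window' }
        else { 'No SA established in this window' }
        [pscustomobject]@{
            Peer                  = $group.Name
            Phase1Established     = @($timeline | Where-Object Kind -eq 'phase1-up').Count
            Phase2Established     = @($timeline | Where-Object Kind -eq 'phase2-up').Count
            Phase1LifetimeSeconds = $lifetime
            RejectedAfterTeardown = $rejected
            Verdict               = $verdict
        }
    }
}

# Usage: chronological timeline, then the per-peer summary.
$events = ConvertFrom-MxClientVpnLog -Text $SampleLog -Year 2018
$events | Sort-Object Time | Format-Table Time, Kind, Peer -AutoSize
Get-MxClientVpnPeerSummary -Events $events | Format-List
```

On the sample above the summary reports one phase-1 and two phase-2 SAs established, a phase-1 lifetime of 34 seconds, and two later attempts rejected with "no configuration found"; the purge and "failed to begin" lines carry no peer address and so are kept in the timeline but not counted per peer.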



PhilipDAth
Kind of a big deal

What error does the client report?

mtint
Comes here often

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-11 19:36 GMT Standard Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating ARP Ping Scan at 19:36
Scanning 192.168.128.1 [1 port]
Completed ARP Ping Scan at 19:36, 0.92s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:36
Completed Parallel DNS resolution of 1 host. at 19:36, 0.53s elapsed
Initiating SYN Stealth Scan at 19:36
Scanning 192.168.128.1 [1000 ports]
Discovered open port 80/tcp on 192.168.128.1
Discovered open port 8181/tcp on 192.168.128.1
Discovered open port 8090/tcp on 192.168.128.1
Discovered open port 81/tcp on 192.168.128.1
Completed SYN Stealth Scan at 19:36, 4.68s elapsed (1000 total ports)
Initiating Service scan at 19:36
Scanning 4 services on 192.168.128.1
Completed Service scan at 19:36, 6.04s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.128.1
NSE: Script scanning 192.168.128.1.
Initiating NSE at 19:36
Completed NSE at 19:36, 2.09s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Nmap scan report for 192.168.128.1
Host is up (0.00014s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.39
|_http-favicon: Unknown favicon MD5: 425515E283192A3A686C04E1C50620AA
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.39
|_http-title: Site doesn't have a title (text/html).
81/tcp open http Cisco Meraki firewall httpd
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: 404 Not Found
179/tcp closed bgp
8090/tcp open http lighttpd 1.4.39
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.39
|_http-title: Error
8181/tcp open http lighttpd 1.4.39
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.39
|_http-title: Did not follow redirect to http://mx.meraki.com/
MAC Address: 0C:8D:DB:1B:20:48 (Cisco Meraki)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Uptime guess: 0.761 days (since Sun Nov 11 01:20:07 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: firewall

TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms 192.168.128.1

NSE: Script Post-scanning.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.10 seconds
Raw packets sent: 2021 (90.570KB) | Rcvd: 25 (1.442KB)

mtint
Comes here often

Please find a screenshot of the error after the failed connection.

 

photo_2018-11-11_19-46-17.jpg

PhilipDAth
Kind of a big deal

That usually happens when the pre-shared key does not match (assuming you are connecting to the correct IP address on the MX). Make sure you are connecting from outside of the MX (such as via 4G).

Some devices cannot handle complex PSKs. So if you are sure it is correct, try changing to a very simple one to rule the problem out. If it works after that, you can try making the PSK more and more complicated.

mtint
Comes here often

Changed the secret to a very simple string, deleted the profile and re-added it.

iPhone on 4G and still not able to connect.

 

PhilipDAth
Kind of a big deal

Are you from the US and using T-Mobile by chance?

Do you have your MX set up with a static IP for the WAN or is it using DHCP?

mtint
Comes here often

UK - O2 and Vodafone.

Hi @mtint

 

I noticed from your screenshot that you are connected to wi-fi on your phone. Do you happen to be connected wirelessly to the same network that you are trying to test the VPN connection to? If so, you will get that very message that you posted. 

 

Edit: just saw where @PhilipDAth noted to connect from outside the network. And the IPs look different from the MX logs...



Good catch on that WiFi icon.

Note: I took a video of the connection attempts, then played the video back and took the screenshot when the error popped up.
WiFi was turned off. I was going to share the connection video but decided not to use it because it was showing my personal data.

In that case I'd check to see if your phone is pulling an IPv6 address on 4G.
JasonCampbell
Getting noticed

Most likely you are on an IPv6 connection and Meraki Client VPN does not play nicely with IPv6 and 6to4 translations.

On the O2 network, and when I go to whatsmyip I get xx-xx-xx-xx.dab.02.net - IPv4.

Also tried this on Vodafone.

Are no clients able to connect, or is it just this one? I've had this issue before when I didn't create the correct type of self-signed certificate for use with Client VPN.

GrantWilson
Just browsing


@mtint wrote:

Hello,

I followed the Client VPN setup as in the guide - https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

and followed the TS steps:

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

I am unable to get this working.

Testing this from my iPhone.

Michael


Hello,

 

I have the same issue on Windows 10. It's giving me a Windows 809 error message. Is there any way to get PowerShell scripts that could create a split tunnel by default? Thanks.

Anyone have any updates?

Have exactly the same issue on a brand new MX84.

Have a case open with support but so far no luck.

I know this thread is a bit old now, but in case anyone else has the issue: I had a user who had been connecting quite happily but then could not get in today. It turns out the protocol allowed (Properties > Security tab, at the bottom) was changed from "Unencrypted password (PAP)" to "Microsoft CHAP Version 2 (MS-CHAP v2)". Unchecking the latter and checking the former once more fixed the issue. How it got changed is still a mystery.

This is EXTREMELY frustrating. My guess is it is Windows, but there appear to be no other options for Windows 10 clients? Often I have to reboot and it works fine again. Nothing changed, just a reboot. Other times, Windows randomly changes the settings on the VPN. Ridiculous.

I'm ready to flush the entire solution at this point... this has been poor handling at best. I'm looking for alternatives.

There is a new element to the Client VPN not working in Windows 10 that I found recently: Xbox Networking Services. This appears to be running some L2TP tunnels. I have found, with almost no other intervention, that stopping the networking services, even going so far as to disable them, makes Meraki Client VPN start working again.

There are loads of PowerShell scripts out there for Meraki Client VPN in Windows 10, but the best solution I have is that I have switched to launching the VPN with RASPHONE.EXE and not through the Windows 10 UI.

As for the internal settings for the VPN, I have yet to have the encryption move, but I do know that updates can cause this to happen.

cmr
Kind of a big deal

If you can suffer the Windows 10 glitches a little longer, the Cisco AnyConnect client is in beta testing for connecting to Meraki devices. Being a vendor-provided client means that the sort of issues you have described will simply not happen.

@cmr - Is that an open beta test? I would 100% try that out.

cmr
Kind of a big deal

Not yet, I think many of us are keeping an eye out for when that might be...

WWWolf
Here to help

Cisco AnyConnect would be a welcome change for client VPN connections.

 

I have been fighting these issues as well. It seems Windows likes to periodically botch the connection settings. The two areas that I have found usually to be the culprit are:

* Preshared key missing or otherwise messed up

    - Go to VPN Properties > Security tab > Advanced settings > re-enter the key

* Authentication switched from PAP to CHAP (presumably changed by an update)

    - Go to VPN Properties > Security tab > Allow these protocols > Make sure PAP is selected and both CHAP options are unchecked

Do you have any more information on this? Thanks.

In my case it was the "Xbox Live Networking Service" on the desktop having issues. I disabled that service and it connected instantly.

@JimmyPhelan 

 

Even starting the connection via Rasphone... it fails (789). Checking the settings via the UI, the sign-in has changed to "General". I disabled the Xbox Network Services... no help.

@CGIbs 

 

I've started unchecking the box to save credentials. I seem to have better luck with the settings not changing, but they will have to authenticate with their credentials when connecting to the VPN. It still shows "General" authentication when I go back and look at it after changing the PAP settings, but it prompts for credentials when they connect and seems to work just fine. Might be worth a shot.



789 is a different error again. Double-check the encryption settings.
WWWolf
Here to help

One possible solution I have found is to create a new connection via a .pbk (phonebook) file.

 

* Create a blank text file on your desktop and then rename it to have a ".pbk" extension

* Open the file (you should see a message saying the phonebook is empty prompting you to add an entry)

* Click Ok

* Select "Workplace network"

* Enter the address to your VPN connection and give it a name and click Next

* Enter your login credentials (optional) and click Create

* With your new connection selected, click Properties

* Verify address on General tab then select the Security tab

* Uncheck the CHAP options at the bottom and select PAP under "Allow these protocols"

* Select L2TP/IPsec for the type of VPN

* Click the Advanced settings button, select the preshared key option and enter your key then click Ok

* Click Ok to close the Properties 

* Click Connect to connect to the new connection

* Enter logon credentials if you did not already do so (optionally select to save credentials) and click Connect

 

Users who use this type of connection will have to remember to connect via the .pbk file and not via their network connections dialog.

One of the main advantages of this method is that the .pbk file can be emailed to your users for easy remote setup. You will still need to verify the settings on the Security tab; in the test that I did, I had to enter the preshared key again after transferring the file to another system.
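
An added PowerShell example (not code from the thread, from WWWolf or from Meraki) that applies the same settings as the two Security-tab fixes and the .pbk procedure above (L2TP/IPsec with a pre-shared key, PAP only, both CHAP options unchecked), but through the built-in VpnClient cmdlets, so the "did Windows change it back?" check can be scripted instead of re-opened in the dialog. Add-VpnConnection writes to the user's default phonebook (rasphone.pbk under %APPDATA%\Microsoft\Network\Connections\Pbk) rather than to a separate .pbk file, and the entry is dialled with rasphone.exe as mentioned earlier in the thread. The connection name, server address and key are placeholders, and EncryptionLevel Required is my assumption for the "Require encryption" setting the dialog shows.

```powershell
# Added example, not from the thread or from Meraki. Uses the Windows VpnClient
# cmdlets to create, verify and repair an L2TP/IPsec + PSK + PAP-only connection.
# Placeholders: connection name, ServerAddress, PreSharedKey.

function New-MxClientVpnConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,   # MX WAN IP or DDNS name (placeholder)
        [Parameter(Mandatory)][string]$PreSharedKey,    # placeholder
        [switch]$SplitTunneling,                         # only VPN subnets go through the tunnel
        [switch]$RememberCredential                      # the thread reports fewer flips with this off
    )
    # -Force suppresses the PSK confirmation prompt. EncryptionLevel Required is an
    # assumption matching "Require encryption" in the Security tab of the dialog.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType L2tp `
        -L2tpPsk $PreSharedKey -AuthenticationMethod Pap -EncryptionLevel Required `
        -SplitTunneling:$SplitTunneling -RememberCredential:$RememberCredential `
        -Force -PassThru
}

function Test-MxClientVpnSettings {
    # Reports the drift the posts above describe: PAP unchecked, a CHAP option
    # checked, or the pre-shared key gone (L2tpIPsecAuth no longer 'Psk').
    param([Parameter(Mandatory)][string]$Name)
    $vpn  = Get-VpnConnection -Name $Name -ErrorAction Stop
    $auth = @($vpn.AuthenticationMethod)
    $problems = @()
    if ($vpn.TunnelType -ne 'L2tp')   { $problems += "TunnelType is '$($vpn.TunnelType)', expected L2tp" }
    if ($vpn.L2tpIPsecAuth -ne 'Psk') { $problems += "L2tpIPsecAuth is '$($vpn.L2tpIPsecAuth)', expected Psk (key missing?)" }
    if ($auth -notcontains 'Pap')     { $problems += "PAP is not enabled (methods: $($auth -join ', '))" }
    foreach ($m in 'Chap', 'MSChapv2') {
        if ($auth -contains $m) { $problems += "$m is enabled; both CHAP options should be unchecked" }
    }
    [pscustomobject]@{
        Name     = $Name
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

function Repair-MxClientVpnConnection {
    # Re-applies only the two settings the posts report Windows changing:
    # the allowed protocol (back to PAP only) and the pre-shared key.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$PreSharedKey)
    Set-VpnConnection -Name $Name -AuthenticationMethod Pap -L2tpPsk $PreSharedKey -Force -PassThru
}

# Usage with placeholder values:
# New-MxClientVpnConnection -Name 'Office MX' -ServerAddress 'vpn.example.invalid' -PreSharedKey '<psk>'
# $check = Test-MxClientVpnSettings -Name 'Office MX'
# if (-not $check.Healthy) {
#     $check.Problems | Write-Warning
#     Repair-MxClientVpnConnection -Name 'Office MX' -PreSharedKey '<psk>'
# }
# rasphone.exe -d 'Office MX'    # dial via rasphone rather than the Settings UI, as suggested above
```

Running Test-MxClientVpnSettings before each connection attempt (for example from a logon script) turns the "it silently switched to CHAP" failure described above into a named problem in the output rather than an unexplained error 789 or 809.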

@WWWolf 

 

I have tried a lot of solutions (work-arounds)... a lot... yours is the only one to work to date. Until Meraki resolves this issue (in conjunction with Microsoft) or certifies a VPN client, this works for me.

On my way to verifying this solution... error 789 was the bane of my existence. Testing, I found that my ISP had implemented "Advanced Security", which further compounded my issues. So either the Microsoft client would not hold the settings or my ISP prevented the connection; both resulted in 789. Only after getting the ISP issue resolved and implementing the solution above am I able to connect consistently.

 

P.S. - Port forwarding didn't work

ToddJ
New here

Having the same issue. Any updates? Followed both documents; Meraki support says to come here to the "community" for a solution...

"many questions can be easily answered by searching our online documentation or asking fellow Meraki users in our community."

ugh.

OK, I know I just posted, lol, but I fixed it...

I was getting an 809 error, and after posting here I started more "Googling"

and found this:

https://windowsreport.com/fix-vpn-error-809-windows-10/

Step 3 was my solution. I did not try step 2.

On the Windows 10 machine:

Find Xbox Live Networking Services and disable it.

Connected instantly after that.

FWIW.

Tj.

Yeah, I replied about the Xbox networking services above. Clearly they are using some L2TP miniport as well.

Now this bit is controversial, but there is a DrayTek Smart VPN client, and instructions on Reddit to configure it to work with Meraki. I personally have not had it work, but my issue was down to Xbox networking, and once I resolved that, I didn't need the DrayTek client.

Lenilton
Just browsing

Hi to all,

I have 5 firewalls on my network: 2 MX64, 2 MX84 and 1 MX68. With the exact same configuration on all the MXs, only the MX84s are working fine. The other MXs don't connect. So I can exclude configuration problems like:

  • Username, password or shared secret is typed in incorrectly
  • MX IP address is inactive
  • Windows software upgrade
  • The MX is not receiving the Client VPN connection attempt
  • User is not authorized to connect to VPN

Now I don't have any idea. Has someone had the same problem and found a solution?

Thanks.

PhilipDAth
Kind of a big deal

Hi @Lenilton.

Could you start a separate thread for your problem?
