
Client VPN not working (MX64)

Comes here often

Hello,

I followed the client vpn setup as in the guide - https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

and followed TS steps

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

I am unable to get this working.

Testing this from my iPhone

Michael

19 REPLIES
Kind of a big deal

Re: Client VPN not working (MX64)

What errors do you see in the event log?

Comes here often

Re: Client VPN not working (MX64)

Nov 11 09:34:54 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.
Nov 11 09:34:54 Non-Meraki / Client VPN negotiation msg: no configuration found for 85.255.235.84.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiation msg: failed to begin ipsec sa negotiation.
Nov 11 09:34:22 Non-Meraki / Client VPN negotiation msg: no configuration found for 85.255.235.84.
Nov 11 09:34:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=132752050.
Nov 11 09:33:48 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=132752050(0x7e9a2b2)
Nov 11 09:33:48 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=90120267(0x55f204b)
Nov 11 09:33:47 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
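
Reading the event log posted above, as an added example (not part of the thread and not Meraki tooling): the Python below puts the newest-first lines into time order and reports whether IKE phase 1 (`ISAKMP-SA established`) and phase 2 (`IPsec-SA established`) completed, and how long the IPsec SA lasted before it was purged. The label names and the year 2018 (the log lines carry no year) are assumptions of this example.

```python
import re
from datetime import datetime

# Subset of the event-log lines posted above (newest first, as posted).
SAMPLE = """\
Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Nov 11 09:34:54 Non-Meraki / Client VPN negotiationmsg: no configuration found for 85.255.235.84.
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA deleted 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
Nov 11 09:34:21 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=132752050.
Nov 11 09:33:48 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 80.229.30.184[4500]->85.255.235.84[4500] spi=132752050(0x7e9a2b2)
Nov 11 09:33:47 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established 80.229.30.184[4500]-85.255.235.84[4500] spi:f7132a415c772aae:edb55d4187cf9e63
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?negotiation\s*msg: (.*)$")
EVENTS = {  # message substring -> label (labels are this example's own names)
    "ISAKMP-SA established": "phase1_up",
    "IPsec-SA established": "phase2_up",
    "purged IPsec-SA": "phase2_down",
    "ISAKMP-SA deleted": "phase1_down",
    "no configuration found": "fail_no_config",
    "failed to begin ipsec sa": "fail_phase2",
}

def parse(text, year=2018):
    """Return (timestamp, label) pairs, oldest first. Year is assumed; the log has none."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            label = next((v for k, v in EVENTS.items() if k in m.group(2)), "other")
            events.append((ts, label))
    # Reverse first so same-second entries keep their real order under the stable sort.
    return sorted(reversed(events), key=lambda e: e[0])

def summarize(events):
    """Report how far the negotiation got and how long the IPsec SA lasted."""
    first = {}
    for ts, label in events:
        first.setdefault(label, ts)  # keep the earliest occurrence of each label
    up, down = first.get("phase2_up"), first.get("phase2_down")
    return {
        "phase1_completed": "phase1_up" in first,
        "phase2_completed": up is not None,
        "ipsec_sa_lifetime_s": (down - up).total_seconds() if up and down else None,
        "failures_after_teardown": sum(
            1 for ts, l in events if down and ts > down and l.startswith("fail_")),
    }

print(summarize(parse(SAMPLE)))
```

On the posted lines both SAs are established and the IPsec SA is purged 33 seconds later; the `no configuration found` and `failed to begin ipsec sa negotiation` entries all come after that teardown.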



Kind of a big deal

Re: Client VPN not working (MX64)

What error does the client report?

Comes here often

Re: Client VPN not working (MX64)

Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-11 19:36 GMT Standard Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating ARP Ping Scan at 19:36
Scanning 192.168.128.1 [1 port]
Completed ARP Ping Scan at 19:36, 0.92s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:36
Completed Parallel DNS resolution of 1 host. at 19:36, 0.53s elapsed
Initiating SYN Stealth Scan at 19:36
Scanning 192.168.128.1 [1000 ports]
Discovered open port 80/tcp on 192.168.128.1
Discovered open port 8181/tcp on 192.168.128.1
Discovered open port 8090/tcp on 192.168.128.1
Discovered open port 81/tcp on 192.168.128.1
Completed SYN Stealth Scan at 19:36, 4.68s elapsed (1000 total ports)
Initiating Service scan at 19:36
Scanning 4 services on 192.168.128.1
Completed Service scan at 19:36, 6.04s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.128.1
NSE: Script scanning 192.168.128.1.
Initiating NSE at 19:36
Completed NSE at 19:36, 2.09s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Nmap scan report for 192.168.128.1
Host is up (0.00014s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.39
|_http-favicon: Unknown favicon MD5: 425515E283192A3A686C04E1C50620AA
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.39
|_http-title: Site doesn't have a title (text/html).
81/tcp open http Cisco Meraki firewall httpd
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: 404 Not Found
179/tcp closed bgp
8090/tcp open http lighttpd 1.4.39
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.39
|_http-title: Error
8181/tcp open http lighttpd 1.4.39
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.39
|_http-title: Did not follow redirect to http://mx.meraki.com/
MAC Address: 0C:8D:DB:1B:20:48 (Cisco Meraki)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Uptime guess: 0.761 days (since Sun Nov 11 01:20:07 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: firewall

TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms 192.168.128.1

NSE: Script Post-scanning.
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.10 seconds
Raw packets sent: 2021 (90.570KB) | Rcvd: 25 (1.442KB)

Comes here often

Re: Client VPN not working (MX64)

Please find a screenshot of the error after a failed connection.

photo_2018-11-11_19-46-17.jpg

Kind of a big deal

Re: Client VPN not working (MX64)

That usually happens when the pre-shared key does not match (assuming you are connecting to the correct IP address on the MX). Make sure you are connecting from outside of the MX (such as via 4G).

Some devices cannot handle complex PSKs. So if you are sure it is correct, try changing to a very simple one to rule the problem out. If it works after that you can try making the PSK more and more complicated.

Comes here often

Re: Client VPN not working (MX64)

Changed the secret to a very simple string, deleted the profile and re-added it.

iPhone on 4G and still not able to connect.

Kind of a big deal

Re: Client VPN not working (MX64)

Are you from the US and using T-Mobile by chance?

A model citizen

Re: Client VPN not working (MX64)

Do you have your MX set up with a static IP for the WAN or is it using DHCP?

Getting noticed

Re: Client VPN not working (MX64)

Most likely you are on an IPv6 connection and Meraki Client VPN does not play nicely with IPv6 and 6to4 translations.
A model citizen

Re: Client VPN not working (MX64)

Hi @mtint

I noticed from your screenshot that you are connected to wi-fi on your phone. Do you happen to be connected wirelessly to the same network that you are trying to test the VPN connection to? If so, you will get that very message that you posted.

Edit: just saw where @PhilipDAth noted to connect from outside the network. And the IPs look different from the MX logs...


Getting noticed

Re: Client VPN not working (MX64)

Good catch on that WiFi icon.
Comes here often

Re: Client VPN not working (MX64)

Note, I took the video of connection attempts then played back the video and took the screenshot when error popped up.
WiFi was turned off. I was going to share connection video but decided not to use it because it was showing my personal data.

Getting noticed

Re: Client VPN not working (MX64)

In that case I'd check to see if your phone is pulling an IPv6 address on 4G.
Comes here often

Re: Client VPN not working (MX64)

On the O2 network, and when I go to whatsmyip I get xx-xx-xx-xx.dab.02.net - IPv4.

Also tried this on Vodafone.

Comes here often

Re: Client VPN not working (MX64)

UK - O2 and Vodafone

Getting noticed

Re: Client VPN not working (MX64)

Are no clients able to connect, or is it just this one? I've had this issue before when I didn't create the correct type of self-signed certificate for use with Client VPN.

Just browsing

Re: Client VPN not working (MX64)


@mtint wrote:

Hello,

I followed the client vpn setup as in the guide - https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

and followed TS steps

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#client_id_cheapessays#Windows_Error_789

I am unable to get this working.

Testing this from my iphone

Michael

Hello,

I have the same issue on Windows 10. It's giving me a Windows 809 error message. Is there any way to get PowerShell scripts that could create a split tunnel by default? Thanks.

New here

Re: Client VPN not working (MX64)

Does anyone have any updates?

Have exactly the same issue on a brand new MX84.

Have a case open with support but so far no luck
