Client VPN over XFinity Cable

Solved
RumorConsumer
Head in the Cloud

Hello!

I have a new Xfinity installation with an MX68. Using an Arris S33 cable modem. I'm being rejected using Client VPN. My other install is on AT&T biz fiber and it has no issues.

 

I'm reading around and have seen the suggestion that I'll need to add the MX's IP (the external IP) to the DMZ in the modem. Does that make sense? Any other ideas of why the VPN would be getting rejected? It doesn't even seem to be able to connect at all so it does point to something occurring before the MX. But it's odd because the S33 doesn't even have a DMZ as far as I know. It's just a dumb (awesome) modem.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.

12 Replies
PhilipDAth
Kind of a big deal

You'll need to forward ports udp/500 and udp/4500 to the MX WAN interface to get Client VPN working.

RumorConsumer
Head in the Cloud

@PhilipDAth come again? I do that in the modem? But the modem doesn't do a firewall. Or do you mean on the MX? Could you say a little more?

PhilipDAth
Kind of a big deal

On the ISP router - that is where the port forwarding needs to be done.

RumorConsumer
Head in the Cloud

The way this cable works is the coax comes into the house, goes into a dumb modem that gives my MX68 an external IP address right on the net.

 

https://approvedmodems.com/wp-content/uploads/2020/12/ARRIS-SURFboard-S33-User-Manual.pdf

Pages 18 and 19 detail the features of the modem and there is nothing about opening ports.

 

So are you saying Comcast themselves needs to open ports for me on their end? That nothing within the walls of my house can be modified to accomplish this. Is that correct?

PhilipDAth
Kind of a big deal

I misunderstood. I thought the MX was sitting behind an ISP router.

RumorConsumer
Head in the Cloud

OK just this once I will forgive you. 😉

 

Any ideas? 

RumorConsumer
Head in the Cloud

It seems to be an authentication issue looking at this log. But my Meraki cloud password is correct and the shared secret is too. So not sure what's going on...

RumorConsumer_0-1629675121482.png

 

PhilipDAth
Kind of a big deal

Try using my client VPN wizard to configure client VPN on the machine.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

RumorConsumer
Head in the Cloud

On a Mac. My other MX works fine. Just this one having trouble. 

rhbirkelund
Kind of a big deal

I've found sometimes that "complex" shared secrets tend to be the issue. I'm not sure why or how, but reconfiguring a shared secret to something less complex works sometimes.

Other times simply just reconfiguring ClientVPN also does the trick. But that might just be due to local error. 😉

 

Not sure if the complexity thing here applies to your case. 

LinkedIn ::: https://blog.rhbirkelund.dk/

RumorConsumer
Head in the Cloud

Nah it’s simple like redtruck but I’ll try removing it

RumorConsumer
Head in the Cloud

I removed it and saved and then re-entered it and then deleted again and tried a whole bunch of weird delete re-add save combinations and then all of a sudden VPN started working 🙈
