Your issue is Windows update related, have user remove windows patch KB5009543 and reboot, will work fine afterwards.

Or KB5009566

From an elevated cmd prompt: 

wusa /uninstall /kb:5009543

wusa /uninstall /kb:5009566

... rebooting now to see if it fixed the issue

Yep, 5009543 was not installed but 5009566 was installed this am.

ran wusa /uninstall /kb:5009566 and reboot fixed issue - now able to logon/authenticate Meraki VPN.

Yep, 5009543 was not installed but 5009566 was installed this am.

ran wusa /uninstall /kb:5009566 and reboot fixed issue - now able to logon/authenticate Meraki VPN.

Worked great! Thanks for the hat tip! 

This is not related to my problem. all clients successfully connect to the VPN.

You should create anotre case.

you mean here?

I just noticed in the image of routing from your first post you have a route for 10.69.10.0/24 but none for 10.69.11.0/24.  Is your VPN configured to be full or split tunnel?

the 10.69.11.0/24 is the local office where the MX-64 is located.

I don't need a route, I already have access.

My VPN is split tunnel.

Are there any Layer 3 firewall rules on either MX that might be blocking the subnet?

That would be the vpn fw rules 

No rules at all.

None of these updates are installed on my computers.

I would think you then have another issue.  Did you have a working VPN Client before, and now you cannot get it working?  Are you certain you don't have ANY updates installed from 1/11 ?

100% sure.

and my issue is not to connect to the VPN, it works fine. I just can't access the remote site to site vpn, but I can access all my network resources through the vpn.

there it is

and here is the script I've been using for a couple of years. I've just added  10.69.10.0/24 to the rotes today, but it didn't help.

# Path for the phonebook.
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'

# Update these variables with the actual VPN name, address, and PSK.
$ConnectionName = 'ABC VPN'
$ServerAddress = 'cisco-******-wired-********.dynamic-m.com'
$PresharedKey = '*************'

# If no VPNs, rasphone.Pbk may not already exist.
# If file does not exist, then create an empty placeholder.
# Placeholder will be overwritten when new VPN is created.
If ((Test-Path $PbkPath) -eq $false) {
    $PbkFolder = Join-Path $env:PROGRAMDATA "Microsoft\Network\Connections\pbk\"
    if ((Test-Path $PbkFolder) -eq $true){
        New-Item -path $PbkFolder -name "rasphone.pbk" -ItemType "file" | Out-Null
    }
    else{
        $ConnectionFolder = Join-Path $env:PROGRAMDATA "Microsoft\Network\Connections\"
        New-Item -path $ConnectionFolder -name "pbk" -ItemType "directory" | Out-Null
        New-Item -path $PbkFolder -name "rasphone.pbk" -ItemType "file" | Out-Null
    }
}

# If VPN exists, delete VPN connection so you can build fresh.
Remove-VpnConnection -AllUserConnection -Name $ConnectionName -Force -EA SilentlyContinue

# Adds the new VPN connection.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -DnsSuffix 'int.nomoist.net' -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod PAP -EncryptionLevel Custom -Force -WA SilentlyContinue

# Sets the VPN connection to split tunnel.
# Comment out for full tunnel.
# Note: Some PCs get angry w/o a short rest to process Add-VPNConnection
Start-Sleep -m 100
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -EncryptionLevel Custom -WA SilentlyContinue

# If you need parameters to add metrics or for IPv6 subnets, open Powershell and run:
# get-help add-vpnconnectionroute -full
# This will give the full list of valid parameters for Add-Vpnconnectionroute and
# instructions for using them.

# Adds the route for the interesting subnet
# $RouteList is an array of interesting subnet(s) with CIDR mask
# Split tunnels must have at least one route.
# Comment out for full tunnel.

$RouteList = @('10.0.1.0/24', '10.1.0.0/16', '10.2.0.0/16' , '192.168.254.22/32' , '10.69.10.0/24')
Foreach ($Destination in $RouteList)
{
    Add-Vpnconnectionroute -Connectionname $ConnectionName -AllUserConnection -DestinationPrefix $Destination
}

# Load the RASphone.pbk file into a line-by-line array
$Phonebook = (Get-Content -path $PbkPath)

# Index for line where the connection starts.
$ConnectionIndex = 0

# Locate the array index for the [$ConnectionName] saved connection.
# Ensures that we only edit settings for this particular connection.
for ($counter=0; $counter -lt $Phonebook.Length; $counter++){
    if($Phonebook[$counter] -eq "[$ConnectionName]"){
        # Set $ConnectionIndex var since $counter only exists inside loop
        $ConnectionIndex = $counter
        break
    }
}

# Starting at the $ConnectionName connection:
# 1. Set connection to use Windows Credential (UseRasCredentials=1)
# 2. Force client to use VPN-provided DNS first (IpInterfaceMetric=1)

# Setting the IpInterfaceMetric to 1 will force the PC to use that DNS first.
# Some companies have local domains that overlap with valid domains
# on the Internet. If VPN-provided DNS can resolve names on the local domain,
# then end user PC will get the correct IP addresses for private servers.
# Otherwise, the PC will use a public DNS resolver.

for($counter=$ConnectionIndex; $counter -lt $Phonebook.Length; $counter++){
    # Set RASPhone.pbk so that the Windows credential is used to
    # authenticate to servers.
    if($Phonebook[$counter] -eq "UseRasCredentials=1"){
        $Phonebook[$counter] = "UseRasCredentials=0"
    }

    # Set RASPhone.pbk so that VPN adapters are highest priority for routing traffic.
    # Comment out if you don't want to try VPN-provided DNS first.
    elseif($Phonebook[$counter] -eq "IpInterfaceMetric=0"){
        $Phonebook[$counter] = "IpInterfaceMetric=1"
        break
        # IpInterfaceMetric comes after UseRasCredentials, so break will cancel
        #   our loop once we're done with it.
    }
}

# Save modified phonebook overtop of RASphone.pbk
Set-Content -Path $PbkPath -Value $Phonebook

# Create desktop shortcut using rasphone.exe.
# Provides a static box for end users to type user name/password into.
# Avoids Windows 10 overlay problems such as showing "Connecting..." even
# after a successful connection.

# Create a desktop shortcut
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut("$env:Public\Desktop\Polygon VPN.lnk")
$ShortCut.IconLocation = "C:\WINDOWS\system32\SHELL32.dll, 135"
$Shortcut.TargetPath = "rasphone.exe"
$Shortcut.Save()

# Prevent Windows 10 problem with NAT-Traversal (often on hotspots)
# See https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# for more details
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$name = "AssumeUDPEncapsulationContextOnSendRule"
$value = "2"
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null