Issues connecting Meraki Client VPN

CiscoInstaller


We have an MX100 that has the client VPN functionality enabled. This is using RADIUS authentication and is configured to communicate with a DC that has this role installed and configured.

I can successfully connect to this from my own laptop and some test machines that are not on the client domain; however, machines on the client domain (and a couple of others that are not) cannot connect at all.

I am trying to connect with identical credentials on all machines and the same internet connection, and some machines will connect and others will not. The clients that do not connect get an entry for Error 789 in Event Viewer. The error from the VPN connection is "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".

We have checked that the "IKE and Auth..." service and the IPSEC Processing Policy service are running.

The logs on the Meraki show the following:

Dec 12 15:04:36 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 59c9b9d31a1ca7fc:e7241141149e770f
Dec 12 15:03:49 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 6a8f5861211ce0a4:0192fd20f7d239be
Dec 12 15:03:46 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Dec 12 15:03:46 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Dec 12 15:03:46 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 15:02:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Dec 12 15:02:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Dec 12 15:02:58 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 15:01:05 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 5c8c3fed81ed0dfa:344388c60cc91c1e
Dec 12 15:00:54 Non-Meraki / Client VPN negotiationmsg: unknown Informational exchange received.
Dec 12 15:00:54 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb
Dec 12 15:00:54 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA expired x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb
Dec 12 15:00:18 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. d3619ad0e8a97674:070ff11a8655461d
Dec 12 15:00:15 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Dec 12 15:00:15 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Dec 12 15:00:15 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 14:59:28 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Dec 12 14:59:28 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Dec 12 14:59:28 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Nash

Okay, first up: everyone is putting their account name, not domain.local\accountName, right?

RADIUS just needs the account name.

Second, the clients are testing from outside the work network? Hotspots can be used to test, but they must ensure that the hotspot is not connected to the local wireless.

Third, Windows 10? I've got scripts in my signature that set up a Win10 saved VPN connection better. There are comments that describe what each bit does. One script for large deployments; the other for help desks that handle multiple clients.

SoCalRacer

CiscoInstaller

Thank you for both of those suggestions, they were very helpful.

Weirdly, re-entering the pre-shared key on the Meraki side seemed to allow all the devices to connect.

This had been copy-pasted to all of the configured machines in the same way, but some were connecting and some were not. Re-pasting the same into the Meraki (even though it looked the same anyway using Show Secret) allowed all of the devices to connect without issue.

I guess there must have been some weird space or character translation or something in the saved PSK on the Meraki.

Thanks again for those suggestions, they were useful from a general understanding point of view.

Nash

Essentially invisible trailing whitespace is the worst. I checked.
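Added example for the two points above (Nash's advice to script the Windows 10 profile rather than hand-enter it, and the invisible trailing whitespace in the PSK that turned out to be the cause). This is editor-written PowerShell, not Nash's signature scripts (which are not reproduced in the thread) and not Meraki's code. It refuses to store a pasted pre-shared key that contains leading/trailing whitespace or any non-printable or non-ASCII character, then creates the L2TP/IPsec profile and pins the IPsec proposal. Assumptions not taken from the thread: vpn.example.com and the connection name are placeholders; PAP authentication and AES-128 / SHA-1 / DH group 2 are the values Meraki's Client VPN documentation lists for the MX, so confirm them against your own dashboard before rolling this out.

```powershell
<#
  Added example, not from the thread, Nash's signature or Meraki.
  Builds a Windows 10 L2TP/IPsec profile for a Meraki Client VPN and rejects a
  pre-shared key carrying hidden characters before it is stored on the client.
  ASSUMPTIONS (not in the original post): vpn.example.com and "Meraki Client VPN"
  are placeholders; PAP + AES-128/SHA-1/DH group 2 follow Meraki's Client VPN docs.
#>
param(
    [string]$ConnectionName = 'Meraki Client VPN',
    [string]$ServerAddress  = 'vpn.example.com',
    [switch]$AllUsers,        # machine-wide profile (run elevated)
    [switch]$BehindNat        # client tests from a hotspot / home router
)

function Test-PskHygiene {
    # Returns a list of problems with a pasted PSK; an empty result means it looks clean.
    param([Parameter(Mandatory)][string]$Psk)
    $issues = @()
    if ($Psk -ne $Psk.Trim()) { $issues += 'leading or trailing whitespace' }
    # Anything outside printable ASCII (0x20-0x7E) is suspect: tabs, NBSP, zero-width
    # characters and "smart" quotes survive copy/paste and look identical on screen.
    $bad = [regex]::Matches($Psk, '[^\x20-\x7E]') |
        ForEach-Object { 'U+{0:X4}' -f ([int][char]$_.Value) }
    if ($bad) { $issues += "non-printable or non-ASCII character(s): $($bad -join ', ')" }
    if ($Psk.Length -lt 8) { $issues += 'shorter than 8 characters' }
    return $issues
}

# Read the PSK interactively so it never lands in the script, a ticket or shell history.
$secure = Read-Host -Prompt 'Pre-shared key (paste from the dashboard)' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

$problems = @(Test-PskHygiene -Psk $psk)
if ($problems.Count -gt 0) {
    Write-Warning ("Refusing to store this PSK: " + ($problems -join '; ') +
                   ". Re-enter it on the MX and here; both ends must hold the same bytes.")
    exit 1
}

$vpn = @{
    Name                 = $ConnectionName
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    L2tpPsk              = $psk
    AuthenticationMethod = 'Pap'       # Meraki Client VPN / RADIUS expects PAP inside the tunnel
    EncryptionLevel      = 'Required'
    RememberCredential   = $true
    Force                = $true       # overwrite a half-configured profile of the same name
}
if ($AllUsers) { $vpn['AllUserConnection'] = $true }
Add-VpnConnection @vpn
$psk = $null

# Pin the IPsec proposal to what the MX accepts. Windows otherwise leads with
# ECP256/ECP384 (DH 19/20), which the MX logs as "invalid DH group" and skips
# before it reaches a transform it does support.
$ipsec = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES128'
    IntegrityCheckMethod             = 'SHA1'
    DHGroup                          = 'Group2'
    CipherTransformConstants         = 'AES128'
    AuthenticationTransformConstants = 'SHA196'
    PfsGroup                         = 'None'
    Force                            = $true
}
if ($AllUsers) { $ipsec['AllUserConnection'] = $true }
Set-VpnConnectionIPsecConfiguration @ipsec

if ($BehindNat) {
    # Microsoft's documented registry value for L2TP/IPsec clients behind NAT;
    # takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    New-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -PropertyType DWord -Value 2 -Force | Out-Null
}

$show = @{ Name = $ConnectionName }
if ($AllUsers) { $show['AllUserConnection'] = $true }
Get-VpnConnection @show |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Run it as `.\New-MerakiVpn.ps1 -ServerAddress vpn.example.com` (elevated, with `-AllUsers`, for a machine-wide profile). The hygiene check is the part that would have caught this thread's problem: a key that passes it is plain printable ASCII with no padding, so if the MX still refuses the connection, the copy on the dashboard is the one to re-enter. The "received broken Microsoft ID: MS NT5 ISAKMPOAKLEY" and "invalid DH group 19/20" lines in the log are the MX commenting on Windows' vendor ID and its default proposal list; they are noise, while "phase1 negotiation failed due to time up" is the line that actually reports the failed handshake.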

SoCalRacer

Another reason to script this and use @Nash's scripts!

MFIT

Re-entering the pre-shared key did it for me!! Thanks