MX400 - Multiple Clients/Users experiencing intermittent disconnects while

StephenWhiteD3G
Here to help

We have an MX400 for our office that has about 150 clients who have been using it more heavily the last few months due to the pandemic requiring people to work remotely. Over the past few months I have been noticing a lot more error messages in our in-house software and support tickets that are caused by the client VPN connections dropping while the users are in the middle of something on their machines.

Since I am a software developer and not a network technician, I am not sure what exactly to look for regarding error messages in the Meraki logs and/or what specifically to look into regarding network hardware or other places to troubleshoot. From what I have seen, there are error messages in the Meraki logs like this:

Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: invalid DH group 20.
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Transport 50.203.224.2[4500]->173.53.85.213[4500] spi=2374324258(0x8d855022)
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Transport 50.203.224.2[4500]->173.53.85.213[4500] spi=185953308(0xb156c1c)
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: ISAKMP-SA established 50.203.224.2[4500]-173.53.85.213[4500] spi:3ca688435499ae07:5fd9637ed1aa3a5a
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: invalid DH group 19.
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: invalid DH group 20.
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Transport 50.203.224.2[4500]->73.147.101.13[4500] spi=3890187224(0xe7df8bd8)
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: IPsec-SA established: ESP/Transport 50.203.224.2[4500]->73.147.101.13[4500] spi=147378926(0x8c8d2ee)
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: ISAKMP-SA established 50.203.224.2[4500]-73.147.101.13[4500] spi:4077f2d5d83196e3:630fa977928bbf01
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: invalid DH group 19.
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: invalid DH group 20.
Jul 30 14:32:12		Non-Meraki / Client VPN negotiation	msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

However, I am not entirely sure if this is a symptom of the issue or if this is just noise.

The issue seems to typically occur with users who are connected to the VPN via Wi-Fi and not via Ethernet. For example, on my home PC I have an Ethernet connection and I can remain signed into the VPN for days without any disconnect. The users on Wi-Fi, however, will experience a disconnect after seemingly any length of time.

At this point, I am looking for any suggestions on what to troubleshoot or investigate. I also would like to know if anyone thinks that this may be due to the fact the users are using poor wifi connections and that may be the more likely cause. Any help or advice would be greatly appreciated. 
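To help decide whether the log excerpt above is a symptom or just noise, here is an added example (my own code, not from the original post or from Meraki) that parses lines in the same layout as the MX event log quoted above and, per client public IP, attributes the address-less "invalid DH group" and "broken Microsoft ID" messages to the next "ISAKMP-SA established" line. The sample lines are constructed to mirror the post's format; the MX address 203.0.113.2 and the peers 198.51.100.10/.20 are RFC 5737 documentation addresses and are assumptions, not the real hosts. A Phase 1 that completes and is followed by IPsec SAs means the client fell back to a proposal the MX accepts, so the rejections before it are noise; rejections with no SA after them are the attempts worth chasing.

```python
import re
from collections import defaultdict

# Field layout copied from the MX event-log lines quoted in the post:
# "<Mon DD HH:MM:SS>\t\tNon-Meraki / Client VPN negotiation\tmsg: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"Non-Meraki / Client VPN negotiation\s+msg: (?P<msg>.*)$"
)
ISAKMP_RE = re.compile(r"ISAKMP-SA established [\d.]+\[\d+\]-(?P<peer>[\d.]+)\[\d+\]")
IPSEC_RE = re.compile(r"IPsec-SA established: ESP/\w+ [\d.]+\[\d+\]->(?P<peer>[\d.]+)\[\d+\]")
DH_RE = re.compile(r"invalid DH group (?P<group>\d+)")

# Constructed sample, oldest first. 203.0.113.2 stands in for the MX and
# 198.51.100.x for remote clients (RFC 5737 documentation addresses, assumed).
MX = "203.0.113.2"


def _line(ts, msg):
    return f"{ts}\t\tNon-Meraki / Client VPN negotiation\tmsg: {msg}"


def _phase1(ts, peer, completed=True):
    """One Windows-style attempt: ID message, two rejected DH groups, then the SAs if it completed."""
    out = [
        _line(ts, "received broken Microsoft ID: MS NT5 ISAKMPOAKLEY"),
        _line(ts, "invalid DH group 20."),
        _line(ts, "invalid DH group 19."),
    ]
    if completed:
        out += [
            _line(ts, f"ISAKMP-SA established {MX}[4500]-{peer}[4500] spi:0011223344556677:8899aabbccddeeff"),
            _line(ts, f"IPsec-SA established: ESP/Transport {MX}[4500]->{peer}[4500] spi=2374324258(0x8d855022)"),
            _line(ts, f"IPsec-SA established: ESP/Transport {MX}[4500]->{peer}[4500] spi=185953308(0xb156c1c)"),
        ]
    return out


SAMPLE_LINES = (
    _phase1("Jul 30 14:32:12", "198.51.100.10")
    + _phase1("Jul 30 14:33:40", "198.51.100.20")
    + _phase1("Jul 30 15:02:05", "198.51.100.10")                  # same client 30 min later: a reconnect
    + _phase1("Jul 30 15:31:58", "198.51.100.10", completed=False)  # attempt with no SA after it
)


def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    return (m.group("ts"), m.group("msg")) if m else None


def analyze_negotiations(lines, newest_first=False):
    """Attribute address-less negotiation messages to the peer whose Phase 1 completes next.

    The dashboard shows newest events at the top; pass newest_first=True for a paste from there.
    """
    lines = list(lines)
    if newest_first:
        lines.reverse()
    peers = defaultdict(lambda: {"established": [], "child_sas": 0,
                                 "rejected_dh_groups": set(), "broken_ms_id": 0})
    pending = []  # (ts, msg) seen since the last completed Phase 1
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if (m := ISAKMP_RE.search(msg)):
            rec = peers[m.group("peer")]
            rec["established"].append(ts)
            for _, pmsg in pending:
                if (d := DH_RE.search(pmsg)):
                    rec["rejected_dh_groups"].add(int(d.group("group")))
                elif "broken Microsoft ID" in pmsg:
                    rec["broken_ms_id"] += 1
            pending = []
        elif (m := IPSEC_RE.search(msg)):
            peers[m.group("peer")]["child_sas"] += 1
        else:
            pending.append((ts, msg))

    summary = {}
    for peer, rec in peers.items():
        n = len(rec["established"])
        summary[peer] = {
            "negotiations": n,
            "child_sas": rec["child_sas"],
            "rejected_dh_groups": sorted(rec["rejected_dh_groups"]),
            "broken_ms_id": rec["broken_ms_id"],
            # Every Phase 1 was followed by IPsec SAs: the client fell back to a
            # proposal the MX accepts, so the rejections are noise, not the fault.
            "dh_rejections_are_noise": n > 0 and rec["child_sas"] >= n,
            "first": rec["established"][0] if n else None,
            "last": rec["established"][-1] if n else None,
        }
    # Messages never followed by a completed Phase 1: the attempts worth chasing.
    return {"peers": summary, "unattributed": pending}


if __name__ == "__main__":
    result = analyze_negotiations(SAMPLE_LINES)
    for peer, info in result["peers"].items():
        print(peer, info)
    print("unattributed:", result["unattributed"])
```

Two things fall out of the summary: a peer whose every Phase 1 ends in IPsec SAs is negotiating fine and its DH rejections can be ignored, and a peer that re-establishes Phase 1 many times in a short window is reconnecting, which is the disconnect symptom itself, independently of the DH messages.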

cmr
Kind of a big deal

The errors there are things that you might want to fix. The invalid DH group indicates that the client is trying to connect with a security set that the MX does not support; it might then simply be falling back to one that it does, or it might cause a pause in communications.

Having said that, we (like most companies) have had the same change in working practices as you have, and also the same issues.

I started with a wireless connection and had loads of slowdown and disconnection issues: Outlook disconnecting and not reconnecting, file copy issues, slow application access etc. I found out by chance that these issues were 95% related to an incompatibility between my home (Meraki MR55) WiFi and the WiFi chip in my work laptop (Intel 8260), as when I tried a wired connection at home it was much better. I then found that it was only when the laptop was on battery power that the serious issues occurred, and by disabling the chipset's power saving features it was almost perfect. Since then I have changed the wireless card to an AX200 and it works perfectly (for wireless); there are still minor issues and those are mostly resolved by using the wired connection.

The next thing I tried was using a spare MX64 that we had as an extension to the corporate SD-WAN, by connecting it to the main hub in the datacenter as a spoke; with that setup I haven't had any issues at all in over 3 weeks. The connection I have is an FTTC home package with 55Mbps download and 10Mbps upload, so nothing expensive.

Having assisted many of our other users with their home issues, their connections are variably affected by all the above, and a number are crippled by having ADSL lines with <10Mbps download and <1Mbps upload. The only way, in my opinion, that you are going to get something half decent on that connection is to use Citrix/Terminal Services or a VDI setup.

StephenWhiteD3G
Here to help

@cmr 

Thanks for the suggestions, we have a couple of users who are known to have this problem on an almost daily basis, so we can take a look at their laptops to see if we see any of these things.

Regarding the errors on the Meraki log, do you know if these types of errors would be caused by drivers/ethernet configuration settings on the client device or is there something else we should be looking for while on there?


And yes, we have a few users who have very slow internet and they are either forced to use other means (i.e. Verizon Jetpacks, mobile hotspots) or they have to work offline most of the time and then only connect just to do something like upload or download a file. I'd agree that a remote desktop / virtualization solution would be more ideal for them. But unfortunately that's something I can only push for at my organization, so I am not sure it can be implemented any time soon.

PhilipDAth
Kind of a big deal

First I would use a script to configure the client VPN on users' machines. Then you know they are set up identically. I can recommend my client VPN wizard.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

If you have specific users having the problem repeatedly, check their ISP router firmware. I have seen lots of problems with UDP NAT bugs breaking client VPN. Some ISP routers do dumb things like use a fixed period for UDP NAT translations, which simply causes the VPN to stop working a specific amount of time after connecting. Others maintain a table of a specific size, dropping older entries as new ones are required.

So yeah, start by checking that.

Try to isolate the problem down further. Is the user able to try a different Internet connection (4G, someone else's house, cafe, etc.)? Does the problem follow the user or does it only happen at their home?

Assuming the above doesn't narrow the issue down further, would you be able to buy a single Z3 and get the user to try that?

https://meraki.cisco.com/product/security-sd-wan/teleworker/z3/ 

That will help work out if it is the ISP (you now have the Z3 monitoring to look at) or the user machine.

And of course, not to miss the obvious, there are user errors ...
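As an added example (my own code, not from the reply above or from any Meraki tool) of the isolation step described in this reply: if an upstream router expires UDP NAT mappings after a fixed lifetime, a client's tunnel dies the same number of minutes after each (re)connection, so the gaps between its successive "ISAKMP-SA established" events in the MX log are almost constant, whereas a flaky Wi-Fi link drops at irregular times. The code below takes those Phase 1 timestamps per client public IP and flags a peer whose reconnect intervals have very low relative spread. The timestamps and the RFC 5737 addresses are constructed, and the 5% jitter threshold and the minimum of three intervals are assumptions to tune.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed "ISAKMP-SA established" timestamps per client public IP (RFC 5737
# addresses, assumed). 198.51.100.10 re-establishes every ~30 min with seconds of
# jitter, the pattern a fixed-lifetime UDP NAT mapping upstream would produce;
# 198.51.100.20 reconnects at irregular gaps, as a flaky link would.
SAMPLE_ESTABLISHED = {
    "198.51.100.10": [
        "2020-07-30 08:01:10", "2020-07-30 08:31:12", "2020-07-30 09:01:09",
        "2020-07-30 09:31:15", "2020-07-30 10:01:11",
    ],
    "198.51.100.20": [
        "2020-07-30 08:05:00", "2020-07-30 08:12:40", "2020-07-30 09:50:03",
        "2020-07-30 10:01:30", "2020-07-30 13:20:00",
    ],
}


def reconnect_intervals(timestamps, fmt="%Y-%m-%d %H:%M:%S"):
    """Seconds between successive Phase 1 establishments, oldest to newest."""
    ts = sorted(datetime.strptime(t, fmt) for t in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def periodicity(intervals, min_samples=3, max_cv=0.05):
    """Return (periodic?, mean period in seconds, coefficient of variation).

    Thresholds are assumptions: at least min_samples gaps, and a population
    standard deviation within max_cv of the mean, count as a fixed period.
    """
    if len(intervals) < min_samples:
        return False, None, None
    period = mean(intervals)
    cv = pstdev(intervals) / period if period > 0 else float("inf")
    return cv <= max_cv, period, cv


def classify_peers(established, min_samples=3, max_cv=0.05):
    report = {}
    for peer, stamps in established.items():
        intervals = reconnect_intervals(stamps)
        periodic, period, cv = periodicity(intervals, min_samples, max_cv)
        if periodic:
            verdict = (f"drops about every {round(period / 60)} min: "
                       "check the upstream UDP NAT timeout / ISP router")
        elif len(intervals) >= min_samples:
            verdict = "irregular reconnects: look at the link (Wi-Fi, power saving) or the client"
        else:
            verdict = "too few reconnects to judge"
        report[peer] = {"reconnects": len(intervals), "periodic": periodic,
                        "period_s": period, "cv": cv, "verdict": verdict}
    return report


if __name__ == "__main__":
    for peer, r in classify_peers(SAMPLE_ESTABLISHED).items():
        print(peer, r["verdict"])
```

A periodic verdict points at the path (the ISP router's NAT table) rather than the laptop, and the period it reports is the number to compare against that router's UDP timeout setting; an irregular verdict is consistent with the Wi-Fi and power-saving problems discussed earlier in the thread.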