MX64 Client VPN Cloud Auth Works - Radius Auth Fails with IPsec-SA expiration

Coupe2112
Getting noticed


I have configured a Client VPN on this MX device. When using Meraki Cloud authentication it works without issue. When I enable RADIUS authentication, it fails.


I have performed a packet capture on the RADIUS server and see successful authentication requests, validating that RADIUS is functioning correctly. This is failing for both an Android client (ver. 9, build PPR2.181005.003) and Windows 10 Enterprise (ver. 1709, build 16299.611).


Below are log entries. It looks to me like it's simply timing out.


Oct 29 08:28:15 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b
Oct 29 08:28:16 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->y.y.y.y[4500] spi=68336299(0x412baab)
Oct 29 08:28:16 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->y.y.y.y[4500] spi=125451427(0x77a3ca3)
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=125451427.
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b


My confusion is why the behavior differs going from cloud auth to RADIUS when I can confirm that RADIUS is working.


Has anyone seen this before?  Any suggestions?
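The log excerpt above shows an IPsec-SA purged five seconds after it was established, which is the pattern to look for when a tunnel comes up and is immediately torn down. The following script is an added example (not from the original post or from Meraki) that correlates the "IPsec-SA established" and "purged IPsec-SA" lines by ESP SPI and reports SAs that lived for less than a threshold. The sample log is the excerpt quoted in the post plus one constructed, long-lived SA for contrast; the threshold of 30 seconds is an assumption.

```python
import re
from datetime import datetime

# Sample input: the six lines quoted in the post above, plus two constructed
# lines for an SA that stayed up for over an hour (a healthy session).
SAMPLE_LOG = """\
Oct 29 08:28:15 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b
Oct 29 08:28:16 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->y.y.y.y[4500] spi=68336299(0x412baab)
Oct 29 08:28:16 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->y.y.y.y[4500] spi=125451427(0x77a3ca3)
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=125451427.
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b
Oct 29 08:28:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted x.x.x.x[4500]-y.y.y.y[4500] spi:f7576fb374b0f3a5:75cfbc1463066f9b
Oct 29 09:10:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->y.y.y.y[4500] spi=99887766(0x5f3f9ba)
Oct 29 10:15:40 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=99887766.
"""

# Syslog-style timestamp at the start of each line (day may be space-padded).
TS_RE = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
ESTABLISHED_RE = re.compile(TS_RE + r".*IPsec-SA established: .*spi=(?P<spi>\d+)\(")
PURGED_RE = re.compile(TS_RE + r".*purged IPsec-SA proto_id=ESP spi=(?P<spi>\d+)\.")


def _parse_ts(text):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because we only ever compute differences between two timestamps.
    return datetime.strptime(re.sub(r" +", " ", text), "%b %d %H:%M:%S")


def sa_lifetimes(log_text):
    """Map each ESP SPI (decimal string) to (established_at, purged_at or None)."""
    established, purged = {}, {}
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            established[m["spi"]] = _parse_ts(m["ts"])
            continue
        m = PURGED_RE.match(line)
        if m:
            purged[m["spi"]] = _parse_ts(m["ts"])
    return {spi: (t, purged.get(spi)) for spi, t in established.items()}


def short_lived_sas(log_text, threshold_s=30):
    """Return [(spi, seconds_alive)] for SAs purged within threshold_s of setup.

    An SA that never appears in a purge line is still open and is not reported.
    """
    out = []
    for spi, (est, purge) in sa_lifetimes(log_text).items():
        if purge is None:
            continue
        alive = int((purge - est).total_seconds())
        if 0 <= alive <= threshold_s:
            out.append((spi, alive))
    return out


if __name__ == "__main__":
    for spi, alive in short_lived_sas(SAMPLE_LOG):
        print(f"SPI {spi}: torn down after {alive}s; check the authentication "
              f"exchange that followed the IKE handshake")
```

Run against the quoted lines, this reports only SPI 125451427 (alive for 5 seconds); the constructed SA that lasted over an hour is not flagged. Feeding it a longer event-log export lets you see whether every RADIUS-authenticated session dies at the same point in the handshake, which is the signature of the authentication step failing rather than an IKE or lifetime problem.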

AdamB
Meraki Employee

hey @Coupe2112,


Those log entries indicating the tunnel is being torn down could be due to a failed RADIUS authentication attempt. In your packet capture did you see the server sending back an access-accept message? You could also run a capture on the LAN interface of the MX during the authentication process and make sure that the access-accept message is making it back to the MX.

Thanks. If you read through my conversation with PhillipDAth you'll see that I did just that, both on the RADIUS server and the MX. I was getting ACCEPT packets and they were being seen by the MX. In the end, RADIUS *was* failing between the client (MX) and server (M$ NPS) because the PSK was too complex and I needed to remove non-alphanumeric characters.


It doesn't explain why I was getting the ACCEPT which was seen by the MX and was failing between the LAN interface and the Client VPN.
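One mechanism that produces exactly this symptom, an Access-Accept visible on the wire that the NAS nevertheless treats as a failure, is the Response Authenticator check from RFC 2865 section 3: the server computes MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) and the client recomputes it with its own copy of the shared secret, silently discarding the packet on mismatch. The script below is an added example (not from the original thread, Meraki, or Microsoft NPS) that builds an Access-Accept with one secret and verifies it with the right and a wrong secret. The request authenticator, attribute bytes and both secrets are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes relevant to an authentication exchange.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample values (a real Request Authenticator is 16 random bytes).
REQUEST_AUTH = bytes(range(16))
ATTRIBUTES = b"\x12\x04ok"              # Reply-Message (type 18), length 4, "ok"
SECRET = b"example-shared-secret"       # secret configured on the server
WRONG_SECRET = b"example-shared-secre"  # secret the NAS thinks it has


def build_response(code, identifier, request_auth, attributes, secret):
    """Build a RADIUS response whose Response Authenticator follows RFC 2865."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_header(packet):
    """Decode the fixed 20-byte RADIUS header and split off the attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return {
        "code": code,
        "name": RADIUS_CODES.get(code, "Unknown"),
        "id": identifier,
        "length": length,
        "authenticator": packet[4:20],
        "attributes": packet[20:length],
    }


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator as a NAS would; False means discard."""
    hdr = parse_header(packet)
    if hdr["length"] != len(packet) or hdr["length"] < 20:
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + hdr["attributes"] + secret).digest()
    # Constant-time compare, as any authenticator check should use.
    return hmac.compare_digest(expected, hdr["authenticator"])


if __name__ == "__main__":
    accept = build_response(2, 7, REQUEST_AUTH, ATTRIBUTES, SECRET)
    hdr = parse_header(accept)
    print(f"server sent {hdr['name']} id={hdr['id']} len={hdr['length']}")
    print("valid with matching secret:", verify_response(accept, REQUEST_AUTH, SECRET))
    print("valid with mismatched secret:", verify_response(accept, REQUEST_AUTH, WRONG_SECRET))
```

In the mismatched case the packet still decodes as an Access-Accept in a capture, which is why a capture on either side can look healthy while the NAS logs the attempt as failed. When the shared secret is the suspect, compare what each side actually stored byte for byte, since any difference in a single character (including how a non-alphanumeric character was entered or escaped) changes the MD5 input.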
