MX65 behind a Comcast Gateway Can't get Client VPN working

cmiarshvac
Getting noticed

Hi all,

I have been working with support on this but wanted to see if anyone in the community can tell me where I am going wrong.  Here is my setup.

I cannot establish a Client VPN from the iOS device.  I receive the timeout error.  In the Event Logs on the MX I am seeing this:

Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581

I am still working with support but if you have seen this problem and know the issue, let me know.  I don't have a Public Static IP and I am trying to do this without buying one if this is even possible.  Is there some method to increase the allowable negotiation time?  
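The trailing token in the quoted event ("a88f1461deeac4b7:421d9537544f3581") is the useful part for triage. As an added example, not part of the original post and not a Meraki tool, the Python below parses MX event-log lines in the quoted format, groups phase-1 timeouts by ISAKMP initiator cookie, and decodes a constructed ISAKMP header so a cookie seen in the log can be matched to the first packet of an IKEv1 exchange captured on the WAN side. The wording of the message matches the racoon IKE daemon, which prints the pair as initiator:responder cookie; that ordering is an assumption here. Apart from the two lines quoted in the thread, the sample log lines and the packet bytes are constructed for the example.

```python
import re
import struct
from collections import defaultdict

# Event text as quoted in the thread. The trailing "xxxx:yyyy" token is taken
# to be the ISAKMP cookie pair, initiator:responder, 8 bytes each in hex
# (assumption: this is how the racoon IKE daemon, whose wording the message
# matches, prints it).
PHASE1_TIMEOUT = re.compile(
    r"phase1 negotiation failed due to time up\.\s*"
    r"(?P<init>[0-9a-f]{16}):(?P<resp>[0-9a-f]{16})"
)

# Constructed sample log: the two lines quoted in the thread, one made-up
# second timeout for the second initiator, and one unrelated line to ignore.
SAMPLE_LOG = """\
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:0102030405060708
Non-Meraki / Client VPN negotiation msg: (constructed unrelated line, must be ignored)
"""

# Fixed ISAKMP header, RFC 2408 section 3.1: initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length
# (28 bytes, network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive"}
FLAG_ENCRYPTION = 0x01

# Constructed first message of a main-mode exchange from the initiator whose
# cookie appears in the thread's first log line: responder cookie still zero,
# next payload 1 (SA), version 1.0, header only (no payloads attached).
SAMPLE_FIRST_MESSAGE = ISAKMP_HDR.pack(
    bytes.fromhex("a88f1461deeac4b7"), bytes(8), 1, 0x10, 2, 0, 0, ISAKMP_HDR.size
)


def parse_phase1_timeouts(log_text):
    """Return (initiator_cookie, responder_cookie) for each phase-1 timeout line."""
    events = []
    for line in log_text.splitlines():
        m = PHASE1_TIMEOUT.search(line)
        if m:
            events.append((m.group("init"), m.group("resp")))
    return events


def timeouts_by_initiator(log_text):
    """Group the responder cookies the MX allocated per initiator cookie."""
    grouped = defaultdict(list)
    for init, resp in parse_phase1_timeouts(log_text):
        grouped[init].append(resp)
    return dict(grouped)


def parse_isakmp_header(pkt):
    """Decode the fixed ISAKMP header of an IKEv1 packet (UDP/500 or UDP/4500 payload)."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than the 28-byte ISAKMP header")
    i_ck, r_ck, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    return {
        "initiator_cookie": i_ck.hex(),
        "responder_cookie": r_ck.hex(),
        "next_payload": nxt,
        "major_version": ver >> 4,
        "exchange_type": EXCHANGE_TYPES.get(xchg, f"other ({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }


def timeouts_for_packet(log_text, pkt):
    """How many phase-1 timeouts the log records for the initiator that sent pkt."""
    hdr = parse_isakmp_header(pkt)
    return len(timeouts_by_initiator(log_text).get(hdr["initiator_cookie"], []))


def triage(log_text):
    """Summarise the timeouts.

    A phase-1 timeout is only logged once the MX has created state for an
    initiator's first message, so the entry itself shows inbound UDP/500
    reached the MX. What it does not show is whether the MX's reply made it
    back out through the upstream gateway, or whether the initiator's later
    messages (and the UDP/4500 NAT-T float) got in; that is what to capture next.
    """
    grouped = timeouts_by_initiator(log_text)
    return {
        "total_timeouts": sum(len(v) for v in grouped.values()),
        "distinct_initiators": len(grouped),
        "max_timeouts_per_initiator": max((len(v) for v in grouped.values()), default=0),
    }


if __name__ == "__main__":
    print(timeouts_by_initiator(SAMPLE_LOG))
    print(parse_isakmp_header(SAMPLE_FIRST_MESSAGE))
    print(triage(SAMPLE_LOG))
```

Feed it the export of the MX event log filtered to "Non-Meraki / Client VPN negotiation" and a WAN-side capture of UDP/500 and UDP/4500; if the initiator cookie of a client's first packet shows up in the timeout list but its later packets never appear in the capture, the drop is upstream of the MX, which is the gateway-firewall case this thread ends up circling.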

20 replies
Mr_IT_Guy
A model citizen

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.



@Mr_IT_Guy wrote:

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


@cmiarshvac wrote:


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


The ISP had to come out and swap to a different brand model modem.




@cmiarshvac wrote:

Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


A dynamic IP should not be an issue. You will just need to make sure you update your VPN client config whenever the IP changes. I have had issues with doing port forwarding on modems... Your best bet is bridged mode and let the MX do its job.

Thanks. I switched to Bridged Mode. No Luck. Still getting this error in the MX Event Log.

"Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4"

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?


@Twiles wrote:

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?


[Screenshots: Client Config from Dashboard; Phone config]

@Twiles Here you go.  Man do I hope you see something here. I am also thinking that @Mr_IT_Guy comment of this being a device issue might be the root cause.  I appreciate all of the help on this. 

Does your admin account have MFA enabled?

If yes, try creating a test account without MFA.

If no, try removing the Systems Manager requirement just for testing, and also changing your DNS nameservers to "Specify nameservers..." with your internal DNS server.

Thanks for the input. No internal DNS servers to specify on this network. I did create a separate Guest account to remove any gremlin that MFA or Administration might be causing.

No luck.

We've got a customer with that exact hardware configuration, but with a public IP.  Never had any issues with the Client VPN.

If you haven't tried this already, on your Comcast router you can navigate to Gateway>Firewall>IPv4>Custom Security settings and temporarily disable the entire Comcast firewall feature, then try your client VPN connection again.

Hope that helps.

Do you know if the customer uses any iOS 11.4 devices with the Client VPN? I am chasing a gremlin and would love some additional data points.

I'm able to connect from a device running iOS 11.4 without issue.  Just went to that network to verify the MX65 is running MX 13.33 with Advanced Security.  

@OCT_OMG Thank you for checking.  Can you confirm which method of authentication is being used?  Meraki Cloud, AD, RADIUS, etc.

Did you ever try disabling the "Systems Manager Sentry VPN Security"?

Yes. Currently disabled. While working with Meraki Support we had to disable to get the macOS and Win10 connections flowing.

Meraki Cloud auth. Also using DDNS Hostname of MX instead of IP.

When configuring your VPN client just use the dynamic DNS name created within dashboard, then you never have to worry about the IP mapping in the client.

https://documentation.meraki.com/MX-Z/Other_Topics/Dynamic_DNS_(DDNS)#Enabling_Dynamic_DNS

Twiles
Here to help

Is there a reason why you do not want to use bridged mode?


@Twiles wrote:

Is there a reason why you do not want to use bridged mode?


No reason.  That was just the initial condition.  I was using the Gateway device's wifi for existing clients and guest access but I can do that easily with the MX.  I'll try bridged mode to see if there is a difference. 

cmiarshvac
Getting noticed

I wanted to thank everyone who responded.  I have been working with Meraki Support and this is where we are:

Comcast Gateway is in Bridged Mode

We have successfully negotiated the Client VPN on both Win10 and macOS.  

Still no luck with an iOS 11.4 device. Which makes me believe that it is iOS related and not in the configuration of the MX or the gateway.  

If anyone has comments on a similar failure with iOS (11.4) Client VPN connections, I would love to confirm that I am not insane 🙂
