MX65 behind a Comcast Gateway Can't get Client VPN working

cmiarshvac
Getting noticed

Hi all, 

I have been working with support on this but wanted to see if anyone in the community can tell me where I am going wrong.  Here is my setup.

I cannot establish a Client VPN from the iOS device.  I receive the timeout error.  In the Event Logs on the MX I am seeing this:

Non-Meraki / Client VPN negotiation        msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581

I am still working with support but if you have seen this problem and know the issue, let me know.  I don't have a Public Static IP and I am trying to do this without buying one if this is even possible.  Is there some method to increase the allowable negotiation time?  
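The event-log line quoted above is the only evidence the MX gives for a failed client connection, so it helps to know what it encodes. As an added illustration (not code from the thread or from Meraki), the script below parses lines of that shape, counts the phase 1 timeouts, and classifies each one by its responder cookie. The timestamp prefix on the sample lines is an assumption; the two cookie pairs are the ones posted in this thread and the third line is a constructed non-timeout entry.

```python
import re
from collections import Counter

# Constructed sample in the shape of the MX event-log message quoted in the thread.
# The ISO timestamp prefix is an assumption (the thread shows only the message text);
# the two cookie pairs are the ones posted, the middle line is a made-up non-timeout entry.
SAMPLE_LOG = """\
2018-06-20T14:02:11 Non-Meraki / Client VPN negotiation        msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581
2018-06-20T14:05:02 Non-Meraki / Client VPN negotiation        msg: some other negotiation message
2018-06-20T14:07:40 Non-Meraki / Client VPN negotiation        msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4
"""

# Timeout line: "<timestamp> Non-Meraki / Client VPN negotiation msg: phase1 negotiation
# failed due to time up. <initiator cookie>:<responder cookie>" (16 hex chars each).
PHASE1_TIMEOUT = re.compile(
    r"^(?P<ts>\S+)\s+Non-Meraki / Client VPN negotiation\s+msg:\s+"
    r"phase1 negotiation failed due to time up\.\s+"
    r"(?P<icookie>[0-9a-fA-F]{16}):(?P<rcookie>[0-9a-fA-F]{16})\s*$"
)


def parse_phase1_timeouts(log_text):
    """Return one dict per phase 1 timeout line; other event-log lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = PHASE1_TIMEOUT.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "icookie": m.group("icookie").lower(),
            "rcookie": m.group("rcookie").lower(),
        })
    return events


def summarize(events):
    """Count timeouts and classify how far each exchange got.

    In IKEv1 the initiator cookie is chosen by the client and the responder cookie
    by the MX when it accepts the client's first message. A non-zero responder
    cookie therefore shows the initial packet reached the MX and the exchange
    stalled afterwards (a return-path or follow-up-packet problem), whereas an
    all-zero one means the MX timed out without ever engaging.
    """
    per_initiator = Counter(e["icookie"] for e in events)
    replied = sum(1 for e in events if int(e["rcookie"], 16) != 0)
    return {
        "timeouts": len(events),
        "distinct_initiators": len(per_initiator),
        "retrying_initiators": sum(1 for n in per_initiator.values() if n > 1),
        "mx_replied": replied,
        "mx_never_replied": len(events) - replied,
    }


if __name__ == "__main__":
    summary = summarize(parse_phase1_timeouts(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against an exported event log, a high `mx_replied` count with no successful connections points at the later phase 1 packets (UDP 500 and the NAT-T port 4500) being dropped or mangled between the client and the MX, which is the kind of gateway firewall or NAT behaviour the later replies in this thread suggest checking.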

20 Replies
Mr_IT_Guy
A model citizen

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
cmiarshvac
Getting noticed


@Mr_IT_Guy wrote:

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  

Mr_IT_Guy
A model citizen


@cmiarshvac wrote:


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


The ISP had to come out and swap to a different brand model modem.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Twiles
Here to help



Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


A dynamic IP should not be an issue. You will just need to make sure you update your VPN client config whenever the IP changes. I have had issues with doing port forwarding on modems... Your best bet is bridged mode and let the MX do its job.

cmiarshvac
Getting noticed

Thanks. I switched to Bridged Mode. No Luck. Still getting this error in the MX Event Log.

"Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4"
Twiles
Here to help

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?

cmiarshvac
Getting noticed


@Twiles wrote:

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?


[Images: Client Config from Dashboard; Phone config]

@Twiles Here you go.  Man do I hope you see something here. I am also thinking that @Mr_IT_Guy comment of this being a device issue might be the root cause.  I appreciate all of the help on this. 

Twiles
Here to help

Does your admin account have MFA enabled?

If yes try creating a test account without MFA.

If no try removing the system manager requirement just for testing, also changing your DNS nameservers to "Specify nameservers..." with your internal DNS server.

cmiarshvac
Getting noticed

Thanks for the input. No internal DNS servers to specify on this network. I did create a separate Guest account to remove any gremlin that MFA or Administration might be causing.

No luck.
OCT_OMG
Getting noticed

We've got a customer with that exact hardware configuration, but with a public IP.  Never had any issues with the Client VPN.

If you haven't tried this already, on your Comcast router you can navigate to Gateway>Firewall>IPv4>Custom Security settings and temporarily disable the entire Comcast firewall feature, then try your client VPN connection again.

Hope that helps.

cmiarshvac
Getting noticed

Do you know if the customer uses any iOS 11.4 devices with the Client VPN? I am chasing a gremlin and would love some additional data points.
OCT_OMG
Getting noticed

I'm able to connect from a device running iOS 11.4 without issue.  Just went to that network to verify the MX65 is running MX 13.33 with Advanced Security.  

cmiarshvac
Getting noticed

@OCT_OMG Thank you for checking.  Can you confirm which method of authentication is being used?  Meraki Cloud, AD, RADIUS, etc.

Twiles
Here to help

Did you ever try disabling the "Systems Manager Sentry VPN Security"?

cmiarshvac
Getting noticed

Yes. Currently disabled. While working with Meraki Support we had to disable it to get the macOS and Win10 connections flowing.
OCT_OMG
Getting noticed

Meraki Cloud auth. Also using DDNS Hostname of MX instead of IP.
Chad_Yates
Meraki Employee

When configuring your VPN client just use the dynamic DNS name created within dashboard, then you never have to worry about the IP mapping in the client.

https://documentation.meraki.com/MX-Z/Other_Topics/Dynamic_DNS_(DDNS)#Enabling_Dynamic_DNS

Twiles
Here to help

Is there a reason why you do not want to use bridged mode?

cmiarshvac
Getting noticed


@Twiles wrote:

Is there a reason why you do not want to use bridged mode?


No reason.  That was just the initial condition.  I was using the Gateway device's wifi for existing clients and guest access but I can do that easily with the MX.  I'll try bridged mode to see if there is a difference. 

cmiarshvac
Getting noticed

I wanted to thank everyone who responded.  I have been working with Meraki Support and this is where we are:

Comcast Gateway is in Bridged Mode

We have successfully negotiated the Client VPN on both Win10 and macOS.  

Still no luck with an iOS 11.4 device, which makes me believe it is iOS related and not in the configuration of the MX or the gateway.

If anyone has comments on a similar failure with iOS (11.4) Client VPN connections, I would love to confirm that I am not insane 🙂
