---

@Mr_IT_Guy wrote:

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was a issue with their device.

---

Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  

---

@cmiarshvac wrote:

---

---

Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  

---

The ISP had to come out and swap to a different brand model modem.

---

---

Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  

---

A dynamic IP should not be an issue. You will just need to make sure you update your VPN client config whenever the IP changes. I have had issues with doing port forwarding on modems... Your best bet is bridged mode and let the MX do its job.

Thanks. I switched to Bridged Mode. No Luck. Still getting this error in the MX Event Log.

"Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4"

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?

---

@Twiles wrote:

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?

---

Client Config from DashboardPhone config

@Twiles Here you go.  Man do I hope you see something here. I am also thinking that @Mr_IT_Guy comment of this being a device issue might be the root cause.  I appreciate all of the help on this. 

Dose your admin account have MFA enabled?

 

If yes try creating a test account without MFA.

 

If no try removing the system manager requirement just for testing, also changing your DNS nameservers to "Specify nameservers..." with your internal DNS server.

 

 

Thanks for the input. No internal DNS servers to specify on this network. I did create a separate Guest account to remove any gremlin that MFA or Administration might be causing.

No luck.

We've got a customer with that exact hardware configuration, but with a public IP.  Never had any issues with the Client VPN.

 

If you haven't tried this already, on your Comcast router you can navigate to Gateway>Firewall>IPv4>Custom Security settings and temporarily disable the entire Comcast firewall feature, then try your client VPN connection again.

 

Hope that helps.

 

 

Do you know if the customer uses any iOS 11.4 devices with the Client VPN? I am chasing a gremlin and would love some additional data points.

I'm able to connect from a device running iOS 11.4 without issue.  Just went to that network to verify the MX65 is running MX 13.33 with Advanced Security.  

@OCT_OMG Thank you for checking.  Can you confirm which method of authentication is being used?  Meraki Cloud, AD, RADIUS, etc.

Did you every try disabling the "Systems Manager Sentry VPN Security"?

Yes. Currently disabled. While working with Meraki Support we had to disable to get the macOS and Win10 connections flowing.

Meraki Cloud auth. Also using DDNS Hostname of MX instead of IP.

When configuring your VPN client just use the dynamic DNS name created within dashboard, then you never have to worry about the IP mapping in the client.

 

https://documentation.meraki.com/MX-Z/Other_Topics/Dynamic_DNS_(DDNS)#Enabling_Dynamic_DNS

---

@Twiles wrote:

Is there a reason why you do not want to use bridged mode?

---

No reason.  That was just the initial condition.  I was using the Gateway device's wifi for existing clients and guest access but I can do that easily with the MX.  I'll try bridged mode to see if there is a difference.