Hi all,
I have been working with support on this but wanted to see if anyone in the community can tell me where I am going wrong. Here is my setup.
I cannot establish a Client VPN from the iOS device. I receive the timeout error. In the Event Logs on the MX I am seeing this:
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581
I am still working with support but if you have seen this problem and know the issue, let me know. I don't have a Public Static IP and I am trying to do this without buying one if this is even possible. Is there some method to increase the allowable negotiation time?
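As an added illustration (not part of the original post or of Meraki's tooling), the following script parses event-log lines in the format quoted above and groups them by the ISAKMP cookie pair printed at the end of each line, so that retransmissions of one phase 1 attempt are not counted as separate attempts. The timestamp prefixes and the extra sample lines are constructed; the regex also accepts failure reasons other than "time up", which is an assumption about how other failures are worded.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional, Iterable, Dict, Any

# Message format as it appears in the MX event log quoted in the post.
# Assumption: the text after "failed due to" can vary; "time up" is the one shown.
PHASE1_FAIL_RE = re.compile(
    r"Non-Meraki / Client VPN negotiation msg: "
    r"phase1 negotiation failed due to (?P<reason>[^.]+)\.\s*"
    r"(?P<init>[0-9a-fA-F]{16}):(?P<resp>[0-9a-fA-F]{16})"
)


class Phase1Failure(NamedTuple):
    reason: str
    initiator_cookie: str  # ISAKMP initiator cookie (SPI) from the log line
    responder_cookie: str  # ISAKMP responder cookie (SPI) from the log line


def parse_phase1_failure(line: str) -> Optional[Phase1Failure]:
    """Return the parsed failure for a phase 1 failure line, or None for other lines."""
    m = PHASE1_FAIL_RE.search(line)
    if not m:
        return None
    return Phase1Failure(
        m.group("reason").strip(),
        m.group("init").lower(),
        m.group("resp").lower(),
    )


def summarize_phase1_failures(lines: Iterable[str]) -> Dict[str, Any]:
    """Count phase 1 failure events, distinct negotiations (by cookie pair),
    failures per reason, and negotiations that logged more than one failure."""
    failures = [f for f in map(parse_phase1_failure, lines) if f is not None]
    attempts = Counter((f.initiator_cookie, f.responder_cookie) for f in failures)
    reasons = Counter(f.reason for f in failures)
    return {
        "events": len(failures),
        "distinct_attempts": len(attempts),
        "by_reason": dict(reasons),
        "repeated_attempts": {pair: n for pair, n in attempts.items() if n > 1},
    }


# Constructed sample log (timestamps made up). The first line is the message from
# the post; the second repeats its cookie pair, the third is a different attempt,
# and the last is filler that the parser must ignore.
SAMPLE_LOG = [
    "Jun 12 09:14:02 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581",
    "Jun 12 09:14:32 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581",
    "Jun 12 09:16:10 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 0c1d2e3f4a5b6c7d:8e9f0a1b2c3d4e5f",
    "Jun 12 09:17:00 unrelated event (constructed filler line, not an MX message)",
]

if __name__ == "__main__":
    for key, value in summarize_phase1_failures(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the script an export of the event log lets you see whether the iOS client's attempts even reach the MX (each attempt shows up as a new cookie pair) or whether one attempt is simply retransmitting until the phase 1 timer expires, which points at the path between the client and the MX rather than at the MX configuration.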
I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.
@Mr_IT_Guy wrote: I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.
Did you find a work-around on the device limitation? Public Static with Pass-thru or using Bridged Mode?
@cmiarshvac wrote: Did you find a work-around on the device limitation? Public Static with Pass-thru or using Bridged Mode?
The ISP had to come out and swap to a different brand model modem.
Did you find a work-around on the device limitation? Public Static with Pass-thru or using Bridged Mode?
A dynamic IP should not be an issue. You will just need to make sure you update your VPN client config whenever the IP changes. I have had issues with doing port forwarding on modems... Your best bet is bridged mode and let the MX do its job.
Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?
@Twiles wrote: Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?
@Twiles Here you go. Man, do I hope you see something here. I am also thinking that @Mr_IT_Guy's comment about this being a device issue might be the root cause. I appreciate all of the help on this.
Does your admin account have MFA enabled?
If yes, try creating a test account without MFA.
If no, try removing the Systems Manager requirement just for testing, and also change your DNS nameservers to "Specify nameservers..." with your internal DNS server.
We've got a customer with that exact hardware configuration, but with a public IP. Never had any issues with the Client VPN.
If you haven't tried this already, on your Comcast router you can navigate to Gateway>Firewall>IPv4>Custom Security settings and temporarily disable the entire Comcast firewall feature, then try your client VPN connection again.
Hope that helps.
I'm able to connect from a device running iOS 11.4 without issue. Just went to that network to verify the MX65 is running MX 13.33 with Advanced Security.
@OCT_OMG Thank you for checking. Can you confirm which method of authentication is being used? Meraki Cloud, AD, RADIUS, etc.
Did you ever try disabling the "Systems Manager Sentry VPN Security"?
When configuring your VPN client just use the dynamic DNS name created within dashboard, then you never have to worry about the IP mapping in the client.
https://documentation.meraki.com/MX-Z/Other_Topics/Dynamic_DNS_(DDNS)#Enabling_Dynamic_DNS
Is there a reason why you do not want to use bridged mode?
@Twiles wrote: Is there a reason why you do not want to use bridged mode?
No reason. That was just the initial condition. I was using the Gateway device's wifi for existing clients and guest access but I can do that easily with the MX. I'll try bridged mode to see if there is a difference.
I wanted to thank everyone who responded. I have been working with Meraki Support and this is where we are:
Comcast Gateway is in Bridged Mode
We have successfully negotiated the Client VPN on both Win10 and macOS.
Still no luck with an iOS 11.4 device, which makes me believe that it is iOS related and not in the configuration of the MX or the gateway.
If anyone has comments on a similar failure with iOS (11.4) Client VPN connections, I would love to confirm that I am not insane 🙂