
MX65 behind a Comcast Gateway Can't get Client VPN working

Getting noticed


Hi all, 

 

I have been working with support on this but wanted to see if anyone in the community can tell me where I am going wrong.  Here is my setup.

 

 

I cannot establish a Client VPN from the iOS device.  I receive the timeout error.  In the Event Logs on the MX I am seeing this:

 

Non-Meraki / Client VPN negotiation        msg: phase1 negotiation failed due to time up. a88f1461deeac4b7:421d9537544f3581

 

I am still working with support but if you have seen this problem and know the issue, let me know.  I don't have a Public Static IP and I am trying to do this without buying one if this is even possible.  Is there some method to increase the allowable negotiation time?  

20 Replies
A model citizen

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working


@Mr_IT_Guy wrote:

I had an issue earlier this year where there was a bug with the modem that was not allowing VPN tunnels to be established. I went back and forth with the ISP for about a week before they finally were able to confirm it was an issue with their device.


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  

A model citizen

Re: MX65 behind a Comcast Gateway Can't get Client VPN working


@cmiarshvac wrote:


Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


The ISP had to come out and swap to a different brand model modem.

Here to help

Re: MX65 behind a Comcast Gateway Can't get Client VPN working



Did you find a work-around on the device limitation?  Public Static with Pass-thru or using Bridged Mode?  


A dynamic IP should not be an issue. You will just need to make sure you update your VPN client config whenever the IP changes. I have had issues with doing port forwarding on modems... Your best bet is bridged mode and let the MX do its job.

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Thanks. I switched to Bridged Mode. No Luck. Still getting this error in the MX Event Log.

"Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 97eff8cb1938ceda:dac6857f41e24fb4"
Here to help

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working


@Twiles wrote:

Can you send a screenshot of your config in the dashboard and a screenshot of your phone config?


[Screenshots: "MX config.png" (Client Config from Dashboard) and "Phone Config.png" (Phone config)]

@Twiles Here you go. Man do I hope you see something here. I am also thinking that @Mr_IT_Guy's comment of this being a device issue might be the root cause. I appreciate all of the help on this.

Here to help

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Does your admin account have MFA enabled?

 

If yes try creating a test account without MFA.

 

If no try removing the system manager requirement just for testing, also changing your DNS nameservers to "Specify nameservers..." with your internal DNS server.

 

 

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Thanks for the input. No internal DNS servers to specify on this network. I did create a separate Guest account to remove any gremlin that MFA or Administration might be causing.

No luck.
Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

We've got a customer with that exact hardware configuration, but with a public IP.  Never had any issues with the Client VPN.

 

If you haven't tried this already, on your Comcast router you can navigate to Gateway>Firewall>IPv4>Custom Security settings and temporarily disable the entire Comcast firewall feature, then try your client VPN connection again.

 

Hope that helps.

 

 

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Do you know if the customer uses any iOS 11.4 devices with the Client VPN? I am chasing a gremlin and would love some additional data points.
Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

I'm able to connect from a device running iOS 11.4 without issue.  Just went to that network to verify the MX65 is running MX 13.33 with Advanced Security.  

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

@OCT_OMG Thank you for checking.  Can you confirm which method of authentication is being used?  Meraki Cloud, AD, RADIUS, etc.

Here to help

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Did you ever try disabling the "Systems Manager Sentry VPN Security"?

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Yes. Currently disabled. While working with Meraki Support we had to disable to get the macOS and Win10 connections flowing.
Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Meraki Cloud auth. Also using DDNS Hostname of MX instead of IP.
Meraki Employee

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

When configuring your VPN client just use the dynamic DNS name created within dashboard, then you never have to worry about the IP mapping in the client.

 

https://documentation.meraki.com/MX-Z/Other_Topics/Dynamic_DNS_(DDNS)#Enabling_Dynamic_DNS

Here to help

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

Is there a reason why you do not want to use bridged mode?

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working


@Twiles wrote:

Is there a reason why you do not want to use bridged mode?


No reason.  That was just the initial condition.  I was using the Gateway device's wifi for existing clients and guest access but I can do that easily with the MX.  I'll try bridged mode to see if there is a difference. 

Getting noticed

Re: MX65 behind a Comcast Gateway Can't get Client VPN working

I wanted to thank everyone who responded.  I have been working with Meraki Support and this is where we are:

 

Comcast Gateway is in Bridged Mode

 

We have successfully negotiated the Client VPN on both Win10 and macOS.  

 

Still no luck with an iOS 11.4 device. Which makes me believe that is iOS related and not in the configuration of the MX or the gateway.  

 

If anyone has comments on a similar failure with iOS (11.4) Client VPN connections, I would love to confirm that I am not insane 🙂
