Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX75 Windows Remote Access VPM Client won't connect from Windows 11 PC using the Documented Settin

Solved
MichaelAdcock
Conversationalist
‎Mar 5 2024 12:52 PM
‎Mar 5 2024 12:52 PM

MX75 Windows Remote Access VPM Client won't connect from Windows 11 PC using the Documented Settin

We are in the process of upgrading to MX75 Firewalls and while testing the remote access VPN connections we have found that Windows 10 clients will establish a VPN connection, but Windows 11 clients will receive the error " The L2TP connection attempt failed because the security layer encounter a processing error during initial negotiations. I've used the settings in the screenshot below and on the Windows 11 PC I've tried Routing and Remote Access service and set to automatically start , but I still get the same error. 

MichaelAdcock_0-1709671715082.png

Has anyone experienced this and know of a workaround other that buying the AnyConnect licenses? 

Labels:
0 Kudos
Subscribe
1 Accepted Solution
MichaelAdcock
Conversationalist
‎Mar 7 2024 7:45 AM
‎Mar 7 2024 7:45 AM

This is the solution that worked for me:

Enable the Routing and Remote Access service and set to automatically start

Enable the IPSec Policy Agent service and set to automatically start

  1. Launch Registry Editor with admin rights.
  2. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  4. Paste AssumeUDPEncapsulationContextOnSendRule as the value name.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Modify.
  6. At Value data, type 2.
  7. Set Base to Hexadecimal.
  8. Click OK.
  9. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
  10. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  11. Paste ProhibitIpSec as the value name.
  12. Right-click ProhibitIpSec and choose Modify.
  13. At Value data, type 0.
  14. Set Base to Hexadecimal.
  15. Click OK.
  16. Restart the PC.

View solution in original post

Subscribe
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:12 PM
‎Mar 5 2024 1:12 PM

You don't need buy the anyconnect license, it's recommend if you want to have Meraki support's, but you can use it without buy a license.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:48 PM
‎Mar 5 2024 1:48 PM

That is not strictly correct.

 

You require a Secure Client AnyConnect licence for every user.  It is an honesty licence, so it is not enforced.  I imagine if the abuse gets too much, it will become enforced.

Subscribe
In response to PhilipDAth
MichaelAdcock
Conversationalist
‎Mar 5 2024 2:34 PM
‎Mar 5 2024 2:34 PM

So the product Meraki sold us doesn't work, so their solution is to pay an addition license fee? I don't feel that that is acceptable or ethical business practice.   

0 Kudos
Subscribe
In response to MichaelAdcock
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 2:41 PM
‎Mar 5 2024 2:41 PM

I have given you the free options to try ...

 

Cisco Secure AnyConnect is better in every way (except price) than Microsoft VPN.  You don't have to use it - but it has so many benefits pretty much everyone does.

0 Kudos
Subscribe
In response to PhilipDAth
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 3:31 PM
‎Mar 5 2024 3:31 PM

Yes, but the documentation is very clear that it will not stop working. The correct thing is to have the license, but the MX has no limitations.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:22 PM
‎Mar 5 2024 1:22 PM

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Licensing_o...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:31 PM
‎Mar 5 2024 1:31 PM

Check the troubleshooting documentation.

.https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting/Unable_to_Connect_t...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:51 PM
‎Mar 5 2024 1:51 PM

This may be related to the MX75's firmware version. Perhaps try upgrading or downgrading. I would be most tempted to test 18.107.8 or 18.208 (18.208 seems to have been issued with 1:1 NAT, though).

 

You can try using my wizard to generate a powershell script to configure the VPN.  It also configures a couple of registry entries that airs in compatibility.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

 

Taking a step back and looking at the big picture, I would personally change to using Cisco Secure Client AnyConnect.  It is better in every way (except price).

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

0 Kudos
Subscribe
jbright
A model citizen
‎Mar 5 2024 6:28 PM
‎Mar 5 2024 6:28 PM

Take a look at this article: https://community.meraki.com/t5/Security-SD-WAN/Connecting-to-VPN-from-Windows-11/m-p/173543

Microsoft took away some of the settings in the native Windows 11 VPN client that were present in the Windows 10 VPN client. But if you run the rasphone.exe program, you can set the additional configurations items that are needed to connect to an MX from Windows 11. I have customers that are connecting to MX appliances from Windows 11 computers using the native VPN client everyday and it works fine.

Subscribe
MichaelAdcock
Conversationalist
‎Mar 7 2024 7:45 AM
‎Mar 7 2024 7:45 AM

This is the solution that worked for me:

Enable the Routing and Remote Access service and set to automatically start

Enable the IPSec Policy Agent service and set to automatically start

  1. Launch Registry Editor with admin rights.
  2. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  4. Paste AssumeUDPEncapsulationContextOnSendRule as the value name.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Modify.
  6. At Value data, type 2.
  7. Set Base to Hexadecimal.
  8. Click OK.
  9. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
  10. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  11. Paste ProhibitIpSec as the value name.
  12. Right-click ProhibitIpSec and choose Modify.
  13. At Value data, type 0.
  14. Set Base to Hexadecimal.
  15. Click OK.
  16. Restart the PC.
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.