Meraki

Community

MX75 Windows Remote Access VPM Client won't connect from Windows 11 PC using the Documented Settin

Solved
MichaelAdcock
Conversationalist
‎Mar 5 2024 12:52 PM
‎Mar 5 2024 12:52 PM

MX75 Windows Remote Access VPM Client won't connect from Windows 11 PC using the Documented Settin

We are in the process of upgrading to MX75 Firewalls and while testing the remote access VPN connections we have found that Windows 10 clients will establish a VPN connection, but Windows 11 clients will receive the error " The L2TP connection attempt failed because the security layer encounter a processing error during initial negotiations. I've used the settings in the screenshot below and on the Windows 11 PC I've tried Routing and Remote Access service and set to automatically start , but I still get the same error. 

MichaelAdcock_0-1709671715082.png

Has anyone experienced this and know of a workaround other that buying the AnyConnect licenses? 

Labels:
0 Kudos
1 Accepted Solution
MichaelAdcock
Conversationalist
‎Mar 7 2024 7:45 AM
‎Mar 7 2024 7:45 AM

This is the solution that worked for me:

Enable the Routing and Remote Access service and set to automatically start

Enable the IPSec Policy Agent service and set to automatically start

  1. Launch Registry Editor with admin rights.
  2. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  4. Paste AssumeUDPEncapsulationContextOnSendRule as the value name.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Modify.
  6. At Value data, type 2.
  7. Set Base to Hexadecimal.
  8. Click OK.
  9. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
  10. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  11. Paste ProhibitIpSec as the value name.
  12. Right-click ProhibitIpSec and choose Modify.
  13. At Value data, type 0.
  14. Set Base to Hexadecimal.
  15. Click OK.
  16. Restart the PC.

View solution in original post

11 Replies 11
alemabrahao
Kind of a big deal
‎Mar 5 2024 1:12 PM
‎Mar 5 2024 1:12 PM

You don't need buy the anyconnect license, it's recommend if you want to have Meraki support's, but you can use it without buy a license.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:48 PM
‎Mar 5 2024 1:48 PM

That is not strictly correct.

 

You require a Secure Client AnyConnect licence for every user.  It is an honesty licence, so it is not enforced.  I imagine if the abuse gets too much, it will become enforced.

In response to PhilipDAth
MichaelAdcock
Conversationalist
‎Mar 5 2024 2:34 PM
‎Mar 5 2024 2:34 PM

So the product Meraki sold us doesn't work, so their solution is to pay an addition license fee? I don't feel that that is acceptable or ethical business practice.   

0 Kudos
In response to MichaelAdcock
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 2:41 PM
‎Mar 5 2024 2:41 PM

I have given you the free options to try ...

 

Cisco Secure AnyConnect is better in every way (except price) than Microsoft VPN.  You don't have to use it - but it has so many benefits pretty much everyone does.

0 Kudos
In response to PhilipDAth
alemabrahao
Kind of a big deal
‎Mar 5 2024 3:31 PM
‎Mar 5 2024 3:31 PM

Yes, but the documentation is very clear that it will not stop working. The correct thing is to have the license, but the MX has no limitations.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
‎Mar 5 2024 1:22 PM
‎Mar 5 2024 1:22 PM

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Licensing_o...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
‎Mar 5 2024 1:31 PM
‎Mar 5 2024 1:31 PM

Check the troubleshooting documentation.

.https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting/Unable_to_Connect_t...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2024 1:51 PM
‎Mar 5 2024 1:51 PM

This may be related to the MX75's firmware version. Perhaps try upgrading or downgrading. I would be most tempted to test 18.107.8 or 18.208 (18.208 seems to have been issued with 1:1 NAT, though).

 

You can try using my wizard to generate a powershell script to configure the VPN.  It also configures a couple of registry entries that airs in compatibility.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

 

Taking a step back and looking at the big picture, I would personally change to using Cisco Secure Client AnyConnect.  It is better in every way (except price).

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

0 Kudos
jbright
A model citizen
‎Mar 5 2024 6:28 PM
‎Mar 5 2024 6:28 PM

Take a look at this article: https://community.meraki.com/t5/Security-SD-WAN/Connecting-to-VPN-from-Windows-11/m-p/173543

Microsoft took away some of the settings in the native Windows 11 VPN client that were present in the Windows 10 VPN client. But if you run the rasphone.exe program, you can set the additional configurations items that are needed to connect to an MX from Windows 11. I have customers that are connecting to MX appliances from Windows 11 computers using the native VPN client everyday and it works fine.

MichaelAdcock
Conversationalist
‎Mar 7 2024 7:45 AM
‎Mar 7 2024 7:45 AM

This is the solution that worked for me:

Enable the Routing and Remote Access service and set to automatically start

Enable the IPSec Policy Agent service and set to automatically start

  1. Launch Registry Editor with admin rights.
  2. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  4. Paste AssumeUDPEncapsulationContextOnSendRule as the value name.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Modify.
  6. At Value data, type 2.
  7. Set Base to Hexadecimal.
  8. Click OK.
  9. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
  10. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  11. Paste ProhibitIpSec as the value name.
  12. Right-click ProhibitIpSec and choose Modify.
  13. At Value data, type 0.
  14. Set Base to Hexadecimal.
  15. Click OK.
  16. Restart the PC.
In response to MichaelAdcock
MackStudios
New here
‎Feb 28 2025 12:06 PM
‎Feb 28 2025 12:06 PM

I am having the exact same issue however am not getting any results from the solution .   I am getting that error on WIN 10 and WIN 11 machines alike.  I am moving from a SonicWall system to this MX75 and the VPN is the only part I dont have functioning to put it in place, any assistance is greatly appreciated.  

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.