MX84 Client VPN Failure with MX Cloud authentication

Noa-M
Here to help


Has anyone seen this Windows Event Viewer Error Code 718? I'm trying to set up a client VPN to one of our sites but get this error. It tries to connect and I get a login prompt but fails with "The connection was terminated because the remote computer did not respond in a timely manner." The same logs repeat every try too. I've deleted and rebuilt the VPN connection many times. I'd appreciate any help because 718 is not on the help https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN. Thanks!

 

Feb 5 13:08:16 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted IPx.x.x.118[4500]-x.x.x.146[4500] spi:5fada4c87aee2278:cd839c4b4a14cd46
Feb 5 13:08:16 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired IPx.x.x.118[4500]-x.x.x.188.146[4500] spi:5fada4c87aee2278:cd839c4b4a14cd46
Feb 5 13:08:16 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=691213782.
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.118[4500]->x.x.x.146[4500] spi=691213782(0x293315d6)
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.118[4500]->x.x.x.146[4500] spi=173791877(0xa5bda85)
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established x.x.x.118[4500]-x.x.x.146[4500] spi:5fada4c87aee2278:cd839c4b4a14cd46
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.

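Added example, not part of the original post or of Meraki's tooling: a small Python parser for event-log lines of the shape posted above. It pairs ISAKMP-SA established and deleted/expired events by SPI, reports how long each SA lived and whether UDP 4500 was in use, and lists the rejected DH groups. The sample lines, addresses, SPIs and the year constant are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's event-log lines (newest first).
# Addresses are documentation ranges and the SPIs are made up.
SAMPLE = """\
Feb 5 13:08:16 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted 192.0.2.118[4500]-198.51.100.146[4500] spi:0011223344556677:8899aabbccddeeff
Feb 5 13:08:16 Non-Meraki / Client VPN negotiation msg: purged IPsec-SA proto_id=ESP spi=1000000001.
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.118[4500]->198.51.100.146[4500] spi=1000000001(0x3b9aca01)
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 192.0.2.118[4500]-198.51.100.146[4500] spi:0011223344556677:8899aabbccddeeff
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Feb 5 13:07:36 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
"""
ASSUMED_YEAR = "2000"  # assumption: the log lines carry no year, any year works

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?msg: *(.*)$")
IKE = re.compile(r"ISAKMP-SA (established|deleted|expired) "
                 r"\S*?\[(\d+)\]-\S*?\[(\d+)\] spi:(\S+)")
DH = re.compile(r"invalid DH group (\d+)")


def summarize(log_text):
    """Pair ISAKMP-SA setup/teardown events by SPI; collect rejected DH groups."""
    sas, rejected_dh = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an event-log line
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        dh, ike = DH.search(m.group(2)), IKE.search(m.group(2))
        if dh:
            rejected_dh.append(int(dh.group(1)))
        elif ike:
            event, port_a, port_b, spi = ike.groups()
            sa = sas.setdefault(spi, {"ports": {int(port_a), int(port_b)}})
            key = "up" if event == "established" else "down"
            sa[key] = max(ts, sa.get(key, ts))  # keep the latest of each kind
    report = []
    for spi, sa in sas.items():
        complete = "up" in sa and "down" in sa
        report.append({
            "spi": spi,
            "lifetime_s": (sa["down"] - sa["up"]).total_seconds() if complete else None,
            "nat_t_port": 4500 in sa["ports"],  # UDP 4500 is IKE/ESP NAT traversal
        })
    return {"ike_sas": report, "rejected_dh_groups": sorted(rejected_dh)}
```

With the timestamps in the post (established 13:07:36, deleted 13:08:16) the reported lifetime is 40 seconds.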

 

4 REPLIES
PhilipDAth
Kind of a big deal

The remote site seems to be sitting behind another device doing NAT.  Can you get rid of that so the public IP is directly on the remote MX itself?

 

Failing that, make sure UDP/500 and UDP/4500 are NATed through to the remote MX.

 

Failing that, see if there is a firmware upgrade for the device sitting in front of the remote MX.

Noa-M
Here to help

The Public IP is directly connected to the MX84 and I'm testing from a Commercial Comcast circuit. The firmware says it's up to date:

 
Firmware
Up to date
Current version: MX 14.53
 

I'm going to look more into the UDP ports 500 and 4500. Thanks for the feedback!

 


 

PhilipDAth
Kind of a big deal

Do you have the same problem when the client connects from a different Internet connection - such as a 4G connection?

PhilipDAth
Kind of a big deal

>The Public IP is directly connected to the MX84 and I'm testing from a Commercial Comcast circuit. 

 

To be clear, the MX84 uplink tab reports a public IP address on its WAN interface (not a private IP NATed to a public IP)?
