Mac L2TP/IPSEC VPN to MX ClientVPN troubles

Solved
rafaelertel
Here to help

Hey All,

I have my Mac configured for L2TP/IPsec to connect to my Hub MX.  I can connect and route correctly, but then get booted after a minute or so and get the "You were disconnected because the PPP server is not responding. Try reconnecting." message.

My Mac is running 10.13.6.

I've seen mentions of ICMP keepalives not being able to get back and forth as a possible cause, and if there is indeed anything other than UDP 500 and 4500 involved in maintaining the connection I can see why I'd have issues...  Anyone familiar with this and know how to fix it?

Thanks!

rif


9 Replies
DensyoV
Meraki Employee

Hi,

Are you only having the issue when using that Mac device? Also, have you tried connecting from different sources?
The client VPN uses the IPsec protocol, so UDP ports 500 and 4500 are used and it should NOT involve other ports. You can also take a packet capture on the MX's Internet interface during the failure so you can see what is going on with the UDP traffic.

Thanks,
Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.
rafaelertel
Here to help

Hi, thanks for the reply.

"Are you only having the issue when using that Mac device?"

*** So far I have only tested with this one device.

"Also, have you tried connecting from different sources?"

*** No, not yet.

Yeah, I will have to do some more testing with packet capturing; I just wanted to make sure I wasn't missing something obvious.

thanks,

rif

PhilipDAth
Kind of a big deal

I've seen this before.  My personal guess is the CPE you are using at home has a hard-configured UDP timeout of 60s.  See if there are any firmware upgrades for it.
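One way to test both suggestions above (capture on the MX's Internet interface, suspect a 60 s UDP idle timeout on the home CPE) is to look at the UDP 4500 flow in that capture for silent intervals at least as long as the timeout and for the client's packets reappearing from a new source port, which is what a NAT device re-creating an expired mapping looks like from the hub side. The script below is an added example, not code from the thread or from Meraki; the tcpdump-style line format it parses and the sample capture are constructed, and the addresses are RFC 5737 documentation-range placeholders.

```python
"""Check a hub-side packet capture for the "UDP idle timeout on the home CPE" hypothesis.

Added example, not code from the thread or from Meraki. It reads tcpdump-style lines
(format assumed: "<epoch> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"), keeps the
NAT-T flow (UDP 4500) between one client and the hub, and reports two symptoms of a NAT
device expiring the mapping: silent intervals at least as long as the suspected timeout,
and the client's packets arriving from a new source port (a rebuilt NAT mapping).
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(lines):
    """Parse matching lines into Packet records; lines in any other format are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["length"])))
    return pkts


def natt_flow(pkts, client_ip, hub_ip, port=4500):
    """Packets between client and hub (either direction) where one side is UDP <port>."""
    return [p for p in pkts
            if {p.src, p.dst} == {client_ip, hub_ip} and port in (p.sport, p.dport)]


def idle_gaps(pkts, timeout_s=60.0):
    """(start_ts, end_ts, seconds) for every silent interval of at least timeout_s."""
    return [(a.ts, b.ts, b.ts - a.ts)
            for a, b in zip(pkts, pkts[1:]) if b.ts - a.ts >= timeout_s]


def client_port_changes(pkts, client_ip):
    """(ts, old_port, new_port) whenever the client's packets start arriving from a new port."""
    changes, last = [], None
    for p in pkts:
        if p.src != client_ip:
            continue
        if last is not None and p.sport != last:
            changes.append((p.ts, last, p.sport))
        last = p.sport
    return changes


def report(lines, client_ip, hub_ip, timeout_s=60.0):
    """Summarise the NAT-T flow: packet count, long silences, client source-port rebinds."""
    flow = natt_flow(parse_capture(lines), client_ip, hub_ip)
    return {"packets": len(flow),
            "gaps": idle_gaps(flow, timeout_s),
            "rebinds": client_port_changes(flow, client_ip)}


# Constructed sample capture (RFC 5737 addresses): the client sends 1-byte NAT-T
# keepalives (RFC 3948) every 20 s, the flow then goes quiet for 74 s, and when the
# client reappears its packets come from a different source port, as they would if
# the CPE had expired the NAT mapping and created a new one.
SAMPLE = """\
1587650000.000 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP, length 1
1587650020.000 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP, length 1
1587650040.000 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP, length 1
1587650041.000 IP 198.51.100.1.4500 > 203.0.113.10.4500: UDP, length 92
1587650115.000 IP 198.51.100.1.4500 > 203.0.113.10.4500: UDP, length 92
1587650118.000 IP 203.0.113.10.51234 > 198.51.100.1.4500: UDP, length 1
1587650120.000 IP 203.0.113.10.51234 > 198.51.100.1.4500: UDP, length 120
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE.splitlines(), "203.0.113.10", "198.51.100.1").items():
        print(key, value)
```

A gap in the 60 s range with no rebind points at the client itself going quiet; a gap followed by a source-port change is the signature of the CPE dropping the UDP mapping, and a firmware update or a longer UDP timeout on the CPE is the fix to try.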

rafaelertel
Here to help

Ok, I will check the router Verizon has provided for my home office.

thanks,

rif
SoCalRacer
Kind of a big deal

You might check this setting on the VPN profile on the Mac to disconnect.

[Screenshot attached: SoCalRacer_0-1587653180650.png]

rafaelertel
Here to help

Interesting, I do not have that option...

rif
rafaelertel
Here to help

An update to this thread.  I noticed that after connecting, my desired route down the tunnel exists in my Mac's routing table and the proper DNS servers are present in the client, but the "host" command is returning the public address of the host I am trying to resolve internally.  Additionally, and interestingly, when I "ping" said host (by hostname) it resolves correctly to the internal IP address.  Therefore when I try to browse to the URL of the host I am hoping to resolve to its internal IP... I get no love... it seems to want to use the public IP.  I've tried moving the VPN service up to the top of the order, but to no avail.  I also found a Meraki doc that said by default the client is full tunnel and recommends one add the remote network manually, but in reality I DO see the target subnet in my Mac's routing table without adding it manually.

In summary, I seem to have the correct DNS servers, the correct route and a stable VPN client connection, but am not able to resolve "internal or private" hosts correctly.  Any ideas?

rif
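The `host` versus `ping` discrepancy in the post above lines up with how macOS resolves names: `host`, `dig` and `nslookup` go through the BIND resolver library and `/etc/resolv.conf`, while `ping` and browsers call `getaddrinfo`, which honours the per-interface DNS servers the VPN pushes (visible with `scutil --dns`). The script below is an added example, not code from the thread or from Meraki or Apple: it asks the VPN-assigned DNS server directly with a hand-built RFC 1035 A query, compares the answer with the system resolver, and labels each result private or public. The server address and hostname are assumed values, and the embedded sample response used for the offline check is constructed.

```python
"""Compare the system resolver's answer for a name with a direct query to the
VPN-pushed DNS server.

Added example, not code from the thread or from Meraki/Apple. It uses only the
standard library, so it carries a minimal RFC 1035 A-record query builder and
answer parser instead of depending on dnspython. The server address, the
hostname and the offline sample response are assumed/constructed values.
"""
import ipaddress
import random
import socket
import struct
import sys


def build_query(name, txid):
    """Standard query, RD=1, one question: <name> A IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg, txid):
    """Return the IPv4 addresses in the answer section (CNAME/AAAA records are skipped)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_response(name, txid, addrs, ttl=60):
    """Construct a minimal reply (used only for the offline demo/test)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + question + answers


def classify(addrs):
    """'private', 'public', 'mixed' or 'none' for a list of IPv4 address strings."""
    kinds = {"private" if ipaddress.ip_address(a).is_private else "public" for a in addrs}
    if not kinds:
        return "none"
    return "mixed" if len(kinds) == 2 else kinds.pop()


def query_server(name, server, timeout=2.0):
    """Send one A query over UDP straight to <server>, bypassing the OS resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def system_resolve(name):
    """What getaddrinfo (the path ping and browsers use) returns for <name>."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


if __name__ == "__main__":
    # usage: python3 vpn_dns_check.py <hostname> <vpn-dns-server-ip>   (assumed names)
    host, vpn_dns = sys.argv[1], sys.argv[2]
    sys_addrs, direct = system_resolve(host), query_server(host, vpn_dns)
    print(f"system resolver : {sys_addrs} ({classify(sys_addrs)})")
    print(f"direct {vpn_dns}: {direct} ({classify(direct)})")
```

If the direct query times out, the DNS server is not reachable through the tunnel (a routing or firewall problem on the hub side); if it answers with a private address while the system resolver returns a public one, the VPN's DNS servers are not being applied for that lookup; if both return the private address, the Mac is resolving correctly and the browser problem lies elsewhere (for example a cached public answer).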

rafaelertel
Here to help

Final Update.  My Mac was totally faking me out!  Packet capture on the Hub showed my client tunneling back fine to the private address!  Not sure why the Mac displayed the public address etc...

rif

jpcaid
Here to help

Hi Rafael,

How did you fix this in the end?

I read that the DrayTek VPN client can fix the constant disconnect.
