Meraki MX64 to MX75 Upgrade broke L2TP client vpn

MyronW
Just browsing


We have upgraded from an MX64 to an MX75 and the configuration was copied from the old Meraki to the new one, and when we tested the client VPN after the upgrade it appeared to be working with no problems. However, it seems to be intermittent and fails often, with the error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer", but it might work again possibly half an hour later. We use a RADIUS authentication method using Duo; however, we tried swapping back to Active Directory and this is also having the same issue.


We are unsure of what is causing this and would love some feedback help.


Just strange that it works for a while and then fails again. 

4 Replies
GIdenJoe
Kind of a big deal

It's a purely IPsec thing. So before the authentication.

You should try to capture on the WAN interface on port 500 and port 4500 to see what is exactly happening especially if your MX is behind a NAT.
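Once a WAN-side capture on UDP 500/4500 exists, the next question is how far each IKE negotiation gets before the client reports that error. Below is an added Python example, not from this thread or from Meraki, that parses IKEv1 (ISAKMP) headers out of UDP payloads taken from such a capture and reports, per session, whether phase 1 completed, stalled, or was rejected by the peer with a plaintext Notify. The packets it runs on are constructed for the demonstration; extracting the UDP payloads from the dashboard's pcap with a pcap library of your choice is assumed and not shown.

```python
"""Triage IKEv1 (ISAKMP) messages from a WAN-side capture on UDP 500/4500.

Added example (not Meraki code). Input is a list of (src_port, dst_port, udp_payload)
tuples; the sample packets at the bottom are constructed for the demonstration.
"""
import struct
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on UDP 4500 (NAT-T) is prefixed with this
ENCRYPTED_FLAG = 0x01
HEADER_LEN = 28                        # fixed ISAKMP header size
NOTIFY_PAYLOAD = 11

EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {                       # RFC 2408 notify types commonly seen when a peer rejects
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}


def parse_isakmp(src_port, dst_port, payload):
    """Parse one UDP payload; return header fields as a dict, or None if it is not IKE."""
    data = payload
    if 4500 in (src_port, dst_port):
        if not data.startswith(NON_ESP_MARKER):
            return None                # ESP-in-UDP data packet, not an IKE message
        data = data[len(NON_ESP_MARKER):]
    elif 500 not in (src_port, dst_port):
        return None
    if len(data) < HEADER_LEN:
        return None
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:HEADER_LEN])
    if version >> 4 != 1 or length != len(data):
        return None                    # only IKEv1, and only messages with a sane length
    notify = None
    # A plaintext Informational carrying a Notify payload says why the peer stopped talking.
    if exchange == 5 and not flags & ENCRYPTED_FLAG and next_payload == NOTIFY_PAYLOAD:
        body = data[HEADER_LEN:HEADER_LEN + 12]
        if len(body) == 12:
            _, _, _, _, _, _, notify_type = struct.unpack("!BBHIBBH", body)
            notify = NOTIFY_TYPES.get(notify_type, f"notify type {notify_type}")
    return {"ispi": ispi, "rspi": rspi, "exchange": EXCHANGE_TYPES.get(exchange, f"type {exchange}"),
            "encrypted": bool(flags & ENCRYPTED_FLAG), "msg_id": msg_id, "notify": notify}


def triage(packets):
    """Group IKE messages by initiator SPI and report how far each session got."""
    sessions = defaultdict(list)
    for src, dst, payload in packets:
        msg = parse_isakmp(src, dst, payload)
        if msg:
            sessions[msg["ispi"]].append(msg)
    verdicts = {}
    for ispi, msgs in sessions.items():
        notifies = [m["notify"] for m in msgs if m["notify"]]
        main_mode = sum(1 for m in msgs if m["exchange"] == "Main Mode")
        if notifies:
            verdicts[ispi] = f"phase 1 aborted by peer: {notifies[0]}"
        elif any(m["exchange"] == "Quick Mode" for m in msgs):
            verdicts[ispi] = "phase 1 complete, Quick Mode (phase 2) seen"
        else:
            verdicts[ispi] = f"stalled in phase 1 after {main_mode} Main Mode message(s)"
    return verdicts


def ike_msg(ispi, rspi, exchange, flags=0, msg_id=0, next_payload=0, body=b"", nat_t=False):
    """Build a constructed ISAKMP message (header plus optional body) for the demo."""
    hdr = struct.pack("!QQBBBBII", ispi, rspi, next_payload, 0x10, exchange, flags, msg_id,
                      HEADER_LEN + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


NO_PROPOSAL = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)   # Notify: NO-PROPOSAL-CHOSEN
GOOD, BAD, STALLED = 0x1111, 0x2222, 0x3333                   # constructed initiator SPIs

SAMPLE_PACKETS = [
    # GOOD: six Main Mode messages, then an encrypted Quick Mode message over NAT-T
    *[(500, 500, ike_msg(GOOD, 0 if i == 0 else 0xAAAA, 2)) for i in range(6)],
    (4500, 4500, ike_msg(GOOD, 0xAAAA, 32, flags=ENCRYPTED_FLAG, msg_id=0x42, nat_t=True)),
    # BAD: the first proposal is answered by a plaintext Informational / NO-PROPOSAL-CHOSEN
    (500, 500, ike_msg(BAD, 0, 2)),
    (500, 500, ike_msg(BAD, 0xBBBB, 5, next_payload=NOTIFY_PAYLOAD, body=NO_PROPOSAL)),
    # STALLED: three Main Mode messages and then silence
    *[(500, 500, ike_msg(STALLED, 0 if i == 0 else 0xCCCC, 2)) for i in range(3)],
    # an ESP data packet on 4500 (no non-ESP marker), which the parser ignores
    (4500, 4500, b"\x12\x34\x56\x78" + b"\x00" * 20),
]

if __name__ == "__main__":
    for ispi, verdict in triage(SAMPLE_PACKETS).items():
        print(f"initiator SPI {ispi:#018x}: {verdict}")
```

Sessions that stall in Main Mode or end with a plaintext Notify never reach the RADIUS step, which is the distinction GIdenJoe draws above; a session that reaches Quick Mode points the investigation past IKE instead.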

MyronW
Just browsing

The MX isn't behind a NAT, I don't believe, and how do I capture the ports? Pretty new to this stuff.

pmhaske
Meraki Employee

Hello @MyronW,


Packet captures can be taken from the dashboard by going to Network-wide > Monitor > Packet capture page. You'd need to capture it on the WAN interface—more details are below.


https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...

GIdenJoe
Kind of a big deal

Here you go:

[attached screenshot: GIdenJoe_0-1728725394200.png]

Once you start capture, have the other user try to connect to the VPN.
If you wait too long the capture will stop too soon so you'll have to be on the phone to do this correctly.
