Meraki VPN Client

SOLVED
CarlosCoque
Here to help


Hi,

We're planning to deploy a Meraki network in here and since I have some of those free pieces of hardware from Meraki, I decided to do some testing.

My first mission was to configure VPN access on the security appliance and try to connect to it from many different clients (iPhone, Android, Windows, and Mac basically).

For that, I followed the instructions from here: https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration

Well, I'm not sure why, but on the iPhone it worked easily, but on Windows 10 it simply doesn't work at all.

Both are connected to the same internet wireless connection, but when I connect with the Windows laptop it says that the server is not responding.

Has anyone had the same issues?

Thanks,

Carlos

 

Message from Meraki - April 2, 2020

Hi all. We hope you are all staying safe during these difficult times. One of the results of the current global situation is a large increase in remote work — and a large increase of traffic to this community thread.

Since this thread is a bit old / specific, we wanted to interject here to provide quick links to the most up-to-date information about Meraki VPN. For an overview of our VPN offering, please see our official documentation here. Also, for the latest updates live from the team, please visit this community thread.

Stay safe and be well.

- The Meraki Team

1 ACCEPTED SOLUTION

You are making progress. Check out this section: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator

35 REPLIES
MilesMeraki
Head in the Cloud

Hello @CarlosCoque, What error message are you getting on your Windows 10 client? I assume it's giving you a Windows 809 error message? Refer to this article which explains how to fix, plus other fixes for other error codes.

https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Hi WANKiller,

I had to connect the MX-64 on a modem using NAT for testing purposes.

I was initially getting error 809, then I opened the ports suggested in the Meraki troubleshooting documentation and now I'm getting error 789.

You are making progress. Check out this section: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator

Hi, I am new to security appliances. I just bought an MX64, but no license yet. I tried to connect as a client VPN with Windows 10, but I cannot. I tried all possible solutions but I could not fix it. I tried port forwarding UDP 500 and 4500, I tried DMZ, I checked IKE and AuthIP IPsec, I checked the secret key. This is a newly claimed MX64; it says you can use the device for 30 days or something, but I don't have a license yet. Is it a license problem?

PhilipDAth
Kind of a big deal

You need a licence to get Dashboard access to configure your MX64.  Without a licence you can't do anything.

I can access my dashboard; when you order a new device they give 30 days to test, I think. I can access it and I can set it up, but I can't connect as a client VPN user with Windows 10, Windows 7 or Android. I tried all of them.

PhilipDAth
Kind of a big deal

Well, if you can get to the Dashboard you should be OK.

Have you definitely enabled Client VPN support in the Dashboard?

Yes, I have already enabled client VPN on the dashboard. I get error 789. I followed the troubleshooting on the Meraki page, but I could not connect. I tried many platforms: Android, Win7, Win10. I always get the same error 789. I followed this instruction and many more, but nothing changed. Please help. I am not a professional on security appliances but I am a computer engineer. I tried many things. I guess I cannot access my MX. I live in Canada. I tried different modems, the Homehub 3000 and Homehub 1000 given by the Bell service provider. On both I forwarded ports and activated DMZ; nothing changed. How can I check that my device is accessible from the internet? Thank you.

PhilipDAth
Kind of a big deal

Are you connecting from the outside of the MX, rather than from the inside?  You can only bring up the VPN from the outside.

OK, thank you for your advice. I searched a lot and I found a solution. My MX is blocked by the Homehub 3000. The Homehub 3000 is a Fibe modem (given by the Canadian Internet service provider Bell) which does not support PPPoE. I connected a router's WAN port to the HH3000 LAN port, set up the router as PPPoE with username and password to connect to the service (Bell), and forwarded ports 500 and 4500 to the MX. After that I got a different error, 809. I followed the instructions on the troubleshooting page to add a DWORD and it WORKS. Thank you.

cwal21
Getting noticed


@Chris_M wrote:

You are making progress. Check out this section: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789


Any ideas when using Windows 10 with Meraki and AD Authentication but no error message is ever received? The VPN state just continues to hang on "Connecting" status like below:

MerakiVPN.JPG

We've tried connecting via settings>>VPN and also using the shortcut from the network icon in the bottom right and same results occur...?

Followed all options from the below as well:

https://community.meraki.com/t5/Security-SD-WAN/Client-VPN-Issue/td-p/37181

https://www.geekshangout.com/vpn-connection-hangs-in-connecting/#comment-32375

Any assistance would be greatly appreciated!

Still no dedicated client VPN Meraki? AnyConnect implementation to avoid these Windows bugs??

 

Nash
Kind of a big deal

So you don't find any error codes in Event Viewer. It just dies off?

The "overlay" between the standard Windows 10 method (click on network connector by clock, click VPN, login) is pretty wonky and will not always pass correctly to rasphone. Rasphone's what's doing the dialing at the end of the day.

Suggestions:

Windows-R, run rasphone.exe. Find your saved VPN there. Try to connect with rasphone and see if it goes through.

If it does, you can make a rasphone.exe shortcut. Create a shortcut on your desktop, and set the target to: C:\WINDOWS\system32\rasphone.exe -d "VPN NAME"

If it doesn't connect, delete and re-create the VPN connection. I like the scripts I put above, especially if you want a split tunnel connection. Read the script comments before you run - it does more than create a saved VPN connection. By default, it'll make a rasphone shortcut on the desktop.

cwal21
Getting noticed

@Nash I appreciate the response and steps to try out. I gave it a go and the thing still just continues to stay stuck at "connecting" even with the rasphone method mentioned (Looked very promising btw). I blew all VPN adapters away and recreated via powershell and issue still persists. Not sure what else to try besides a case with Microsoft as I'm sure Meraki will send me their way since all other users are working just fine. Definitely open to any further suggestions at this point.

Thanks again!

Nash
Kind of a big deal

Two last things, @cwal21

Have you run the Network Reset utility in Win10? If you have and it's still broken...

Have you uninstalled and reinstalled the WAN miniadapters? Usually, it's sufficient to only do the L2TP one.

Here's the instructions I gave my help desk:

1. As administrator, open Device Manager.
2. Under View, select Show Hidden Devices.
3. Under Network Adapters, find WAN Miniport (L2TP).
4. Right click and select Uninstall Device. If it asks to uninstall the DRIVERS, click no.
5. Reboot the computer. Windows should automatically reinstall the device.
6. Test the VPN again.

cwal21
Getting noticed

Welp, the good news is the VPN started magically working again, which I believe was after a pending Windows Update finally going through and installing. Bad news, I'm not sure what exactly solved the issue besides that update (You know good ol' Microsoft).

I did not try running the Network Reset utility in Win10. I wish I had to see if that may have resolved it, but I was afraid to touch deep network settings as I was working remotely with the client a few states away and would have had trouble walking them through getting back online if the solution failed or didn't bring the system back online after the reset.

I did give the uninstall-reinstall WAN Mini adapters option a try and it did not work.

Thanks again for all of the assistance @Nash. Hopefully Meraki will eventually come out with a dedicated client similar to AnyConnect to help alleviate these Microsoft provided headaches!

I know this is an older thread, but I am having the identical problem that Carlos had. Android devices VPN in just fine to my MX65, but Windows 10 will not. The Windows devices are getting error 809. Carlos said he fixed this error by opening the ports in the Meraki documentation, but does not link to that document.

Does anyone know where that document is, or how to fix the 809 error?

Thanks.

Chris_M
Getting noticed

In the solution post, the link goes to the documentation that Carlos used.

For your specific error within that documentation, here you go: https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809

Hope this helps you.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
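
A read-only check of the Windows-side prerequisites that come up in this thread for errors 809 and 789, as an added example that is not part of any post or of Meraki's documentation. It assumes the DWORD the posts refer to is Microsoft's `AssumeUDPEncapsulationContextOnSendRule` NAT traversal value; the function name `Test-L2tpClientReadiness` is hypothetical.

```powershell
# Added example: read-only checks; nothing on the client is changed.
function Test-L2tpClientReadiness {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # NAT traversal DWORD (assumed to be the one the thread refers to).
    # Microsoft documents 0 = default (no SAs to servers behind NAT),
    # 1 = server behind NAT, 2 = client and server may both be behind NAT.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $report['NatTraversalRule'] = if ($null -ne $prop) { $prop.$name } else { 'not set' }

    # "IKE and AuthIP IPsec Keying Modules" and "IPsec Policy Agent":
    # both must be running for L2TP/IPsec to negotiate.
    foreach ($svc in 'IKEEXT', 'PolicyAgent') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $report["Service_$svc"] = if ($s) { "$($s.Status)" } else { 'missing' }
    }

    # The adapter that the help-desk steps earlier in the thread reinstall.
    $dev = Get-PnpDevice -FriendlyName 'WAN Miniport (L2TP)' -ErrorAction SilentlyContinue
    $report['L2tpMiniport'] = if ($dev) { ($dev.Status -join ',') } else { 'missing' }

    # Saved L2TP connections with the settings the thread discusses.
    $report['L2tpConnections'] = @(
        Get-VpnConnection -ErrorAction SilentlyContinue |
            Where-Object TunnelType -eq 'L2tp' |
            ForEach-Object {
                "$($_.Name): auth=$($_.AuthenticationMethod -join '+'), split=$($_.SplitTunneling)"
            }
    )

    [pscustomobject]$report
}

Test-L2tpClientReadiness | Format-List
```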
ph0t0g
Getting noticed

Thanks. That got me past the 809 error. Then I got another error saying "The connection was terminated..."

I googled that and came up with this article that fixed the problem.

http://help.vanishedvpn.com/support/solutions/articles/17000062078-how-to-fix-the-connection-was-ter...


Chris_M
Getting noticed

Sounds like you missed a step in the VPN configuration but I am glad you resolved it. In the allowed protocol, Unencrypted Password (PAP) is what is used and it appears you did not have that previously. So just a heads up for the next client, use that.

While the password is sent unencrypted, it's going through an IPSec tunnel which is encrypted, so you should not be worried about exposing the password.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator

I cannot believe we are still seeing these posts...why have Meraki not got with the times yet and actually created a VPN client? I want to be able to push split/full tunneling to Windows/Mac/iOS devices and with the current solution it would be a nightmare, so I'm sticking with Watchguard firewalls until Meraki get their act together.

I'm sure the problems mentioned in this post would be resolved much quicker/easier if there was a Cisco VPN client with logging capability on it.

Nash
Kind of a big deal

Windows 10 is a problem that can be dealt with. I've got some PowerShell scripts that create a split tunnel by default, so long as you feed them the appropriate subnets.
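
One way to script the connection this thread keeps re-creating by hand: L2TP/IPsec with a pre-shared key, PAP inside the tunnel, a split tunnel fed with subnets, and the rasphone shortcut described earlier in the thread. This is an added example, not the scripts Nash mentions and not Meraki's; the connection name, server address and subnets are placeholders, and `-EncryptionLevel Optional` is an assumption.

```powershell
# Added example. All values below are placeholders, not taken from the thread.
$Name    = 'Example MX VPN'                        # hypothetical connection name
$Server  = 'vpn.example.com'                       # hypothetical MX hostname
$Subnets = @('192.168.10.0/24', '10.20.0.0/16')    # constructed remote subnets

# Prompt for the pre-shared key instead of storing it in the script file.
$secure = Read-Host -Prompt 'IPsec pre-shared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

# Start from a clean profile, as the thread suggests when a connection misbehaves.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# PAP is the user authentication method; it runs inside the IPsec tunnel.
# -Force suppresses the confirmation prompt that -L2tpPsk otherwise raises.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $psk -AuthenticationMethod Pap -EncryptionLevel Optional `
    -SplitTunneling -Force

# With split tunneling on, only these prefixes are routed through the VPN.
foreach ($prefix in $Subnets) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix
}

# Desktop shortcut that dials through rasphone.exe directly.
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut((Join-Path $desktop "$Name.lnk"))
$lnk.TargetPath = "$env:WINDIR\System32\rasphone.exe"
$lnk.Arguments  = "-d `"$Name`""
$lnk.Save()

# Show what was created so the settings can be reviewed.
Get-VpnConnection -Name $Name |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```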

pmv800
Conversationalist

You can also create your own Meraki VPN "agent" installer with split tunnels defined in it, using the Windows Server Connection Manager Administration Kit.

I second this.  I feel like going to Meraki was great, but the client VPN is so 2008.

cwal21
Getting noticed

Exactly! - Pretty much my one solid complaint with the MX line.
PhilipDAth
Kind of a big deal

Are you connecting from "outside" of the MX?  You can't VPN to it from behind it.

Jetpilot45
Conversationalist

@CarlosCoque 

I am having the same frustrating issue. I've spent over 3 hours trying to fix this VPN issue on Windows 10-1709. iPhone/iPad with iOS 11 connects to my MX64 L2TP VPN so easily. My Windows computer is on the same network as the phone and returns error 809 all day long and will never connect. Following the setup instructions from Meraki will not work on Windows 10. My MX64 is not behind a NAT. It is connected to a modem in bridge mode so it pulls a public IP. I also completed the registry edit Microsoft recommends but it's not the problem.

JanisG
Conversationalist

Does this happen to be a Dell system using wireless?

pmv800
Conversationalist

Yes that was my problem.  I will see if it is the wireless drivers.

JanisG
Conversationalist

I created another thread on the issue I found with newer Dell laptops and the Meraki VPN.

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

Newer Dell laptops have a piece of software called "SmartByte". I found this piece of software was blocking our access to our VPN. Once I disabled this software I was able to successfully log in to the VPN. To fix the issue, launch the "SmartByte" software from the Start menu. There is an on/off toggle; turn off "SmartByte" and you are able to connect. You are able to uninstall the software and it does no harm to the system.

Thank you so much for posting this! I have been fighting 2 Dell laptops for 2 days and SmartByte was on them both. Turning it off fixed the L2TP VPN connection on both of them. THANK YOU!

Hello All,

I have deployed this feature and now I am testing the VPN client. For me it's working on the Android platform; however, maybe there is a timeout on the VPN.

After a specific time the VPN closes and I need to connect again. I tried to figure out something about a session timeout but didn't find anything.

Do you know if there is something like this?


Kind Regards,
Rodrigo
Twitter: @rar_21
If this was helpful Kudo me 🙂

On newer Dell PCs (XPS 13 here) it seems SmartByte has been replaced with "Killer Control Center." I just spent over an hour troubleshooting and trying to connect. The second I flipped the "Advanced Stream Detect" switch under the Settings tab in Killer Control Center I was able to connect. I hate Dell and the amount of bloat they've started adding back in to new PCs.

bxdobs
Here to help

Not certain what is going on with my attempts to connect to a Meraki Z device using VPN Client in WX Home (brand new out of the Box HP Laptop):

2 Laptops side by side (same local network and appliances); L1=W7 Home Premium   L2=WX Home

L1 connects to the Meraki Z VPN with no issues

Disconnect L1 and attempt to connect L2 with IDENTICAL credentials but the connection is denied

L2 reports the following VPN error

Can't connect to <name of VPN> VPN
The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server

The L2 application events log shows a 691 error also suggesting the credentials don't match

The MZ log indicates the following common negotiation messages
- received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
- invalid DH group 20.
- invalid DH group 19.

while L1 connects with the following negotiation message
- VPN client connected <local ip>

both display the following negotiation messages
- ISAKMP-SA established <MZ ip address>
- IPsec-SA established: ESP/Transport <connection details>
- IPsec-SA established: ESP/Transport <more connection details>

L2 does not connect and has a number of additional negotiation errors
- purged IPsec-SA proto_id=ESP
- ISAKMP-SA expired <MZ ip address>
- ISAKMP-SA deleted <MZ ip address>
- no configuration found for <local internet ip address>
- failed to begin ipsec sa negotiation.

I have followed the:
- Meraki troubleshooting guide
- Meraki W10 VPN Client instructions

Being I can connect via another machine with the same credentials with the only notable difference being the W10 Home 64b OS (All updates have been applied), I can only assume there is some issue within the W10 machine

All the 'Solutions' found on the net or in this forum thus far have NOT produced a solution


Please Disregard my previous posting ... tried another machine which had exactly the same results with W10 Pro 64b

Turns out in this case the 691 error was CORRECT ... there may be an issue with the Meraki Dashboard used from the latest Firefox browser ... I explicitly CHANGED the PW for the VPN User to something simple as a temporary test ... this temporary password apparently wasn't accepted by the dashboard ... don't recollect seeing any error message when I pressed the change button so will take a closer look at this as a possible issue

Anyway I have now put back the original PW and reset all users ... all working now


Nash
Kind of a big deal


@bxdobs wrote:

Please Disregard my previous posting ... tried another machine which had exactly the same results with W10 Pro 64b

Turns out in this case the 691 error was CORRECT ... there may be an issue with the Meraki Dashboard used from the latest Firefox browser ... I explicitly CHANGED the PW for the VPN User to something simple as a temporary test ... this temporary password apparently wasn't accepted by the dashboard ... don't recollect seeing any error message when I pressed the change button so will take a closer look at this as a possible issue

Anyway I have now put back the original PW and reset all users ... all working now



I've caught myself before by thinking I've hit save when I haven't, when the save button is all the way at the bottom of the web page. I feel your pain.
