Meraki VPN not connecting error code 789

jwinters99
Comes here often

Meraki VPN not connecting error code 789

I have an MX67 that i have followed the setup guides for allowing VPN.  I am running into the error code 789 on a Win 10 PC.  I have followed the trouble shooting guides but it still cant get it to work.  Can someone please provide a better explanation of what the port forwarding should look like?  Where does that need to be configured?  On the MX or at the local end users internet router?  I am unable to connect from an Iphone as well over LTE.  What am I missing in this setup?

13 REPLIES 13
Nash
Kind of a big deal

Is the public IP on your MX's WAN interface, or does the MX WAN have a private IP?

 

If you have a private IP showing on the MX, then your ISP's router should get changed to passthrough/bridge mode if at all possible. Your ISP can help with this if you aren't able to do it yourself.

 

Also, are you sure you had the PSK recorded correctly?

 

For Win10 btw, the general recommendation is to use a script for setup. I've got some in my signature that you're free to grab. Doesn't work on Win7.

jwinters99
Comes here often

Public IP on the MX Wan 1 port.  

 

PSK is correct.  For testing Ive simplified it.  

 

I dont know how to download, modify or run your script.  Can you give me guidance on that as well?

I figured out your script.  Ran it, still doesnt work.  Same result.  

ww
Kind of a big deal
Kind of a big deal

On  isp  router to mx wan ip

jwinters99
Comes here often

Tried this.  Still fails.  How is this supposed to work if the client is in a hotel or other public wifi?  They arent going to have the port forwarding available to them.  Here i have access to the router and its admin, out in the world i dont.

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had problems in the past where the PSK was a complex string.  My guess is some VPN clients couldn't process those complex characters.

 

For a short test, try making the PSK something simple like "password" and see if that works.  If it does change it again but use less complex characters.

 

Also make sure the PSK does not have a trailing space.

Nash
Kind of a big deal

Ending PSK on punctuation can sometimes cause some strangeness. I automatically add an a-zA-Z character I think. 

 

Also just to confirm, you're not trying to connect to the VPN from inside the firewall right? While in the office with the firewall, I've had to disable wireless on a phone when testing either on the phone itself or testing a PC via its hotspot, to ensure it's on the cell signal.

It’s not a PSK issue.  I already tested this by just making it Cisco and it still fail.  I’ve disabled all firewall rules and Intrusion Prevention and detection.  It’s a straight shot into the site and nothing works.  I’ve tried the script to build the vpn and it fails.  Nothing works.  This is extremely frustrating.

Nash
Kind of a big deal

What do you see in a pcap on the WAN interface on the MX, when you're actively trying to make a VPN connection? You'll need the WAN IP of the device you're connecting in from, just so you can locate the traffic in the pcap.

 

And you're sure the credential is good right? If it's Meraki cloud, you can test at account.meraki.com

Not a dell machine.  Doesn’t work from IPhone either.  Nothing works.

A small number of carriers have started going with IPv6 as native transport.  These often can not tunnel client VPN connections that use IPSec.

Are you using the same carried for your fixed and mobile hot spot?  If so, what is that carrier?

 

Another possibility is that your carrier is filtering out traffic.

Something that has bitten me in the past was the PSK length. I had generated the PSK with my password manager and pasted it into the Meraki dashboard. Not realizing that the GUI shortened it. I pasted it into Windows too... And there you go password mismatch. I'm with @PhilipDAth , start with a simple password and then go more complex.

 

Also, with regards to your other question, port forwarding is only needed on the MX side, not on the client side. So no issue if you're in a hotel. If course firewall rules or proxies in the network the client is using can still block the tunnel from establishing.

 

Edit: Sorry, I missed the part that you already tried Cisco as PSK.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels