Meraki's fault? Microsoft's?

I guess it doesn't matter, because I can't very well throw away Windows 10. But I am about ready to throw this Meraki setup (MX 12.6) in the trash.

 

Former set-up was old Cisco VPN and we used Shrew to establish VPN connections. Worked flawlessly every time. With Meraki, there's no dedicated client and of course Shrew doesn't work. So we have to use the native Windows 10 VPN client.

 

It starts out great - we add a VPN connection in the metro interface, then head to Adapter Options to finish the set-up. We select Properties for the newly-created VPN adapter and do all the settings indicated in the set-up guide:

(https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration)

 

Back to the Network Connections screen. Right-click the just-configured VPN adapter and select Connect/Disconnect. Windows takes me back into Metro. Hit the Connect button, and it works.

 

But now, it's starting to fail us on a regular basis. All builds of Windows 10 (1607, 1703, and 1709). Without fail in these cases, it's switching from Unencrypted PAP to Microsoft CHAP.

 

Ok, so I set it back to PAP, apply and close out, and back to the metro interface to sign in. Except NOW the authentication method has changed from Username and Password to General, and the user's VPN credentials are gone! If I re-enter that stuff, sometimes it works. Sometimes, it maddeningly changes the adapter settings AGAIN (back to CHAP), and it takes 3-5 tries for this to stick.

 

Not feeling really confident about sending users on the road with this. Providing a how-to/workaround to have employees do what I just described is no solution. 

 

Anybody else experiencing this? Please tell me there's a permanent fix. Barring that, I've searched and cannot find a compatible third-party VPN client. Is this thing just not meant to work in a Windows 10 environment? (OSX and iOS work great, FWIW).

12 REPLIES
Kind of a big deal

Re: Meraki's fault? Microsoft's?

It does sound like a MS issue; have you contacted support to see if there is a known issue or workaround?

 

I find MS built-in VPN clients are awful at the best of times; have you tried any 3rd party software? The link below may work for you.

 

https://www.ncp-e.com/en/products/ipsec-vpn-client-suite/vpn-clients-for-windows-10-8-7-macos/

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

Re: Meraki's fault? Microsoft's?

The black hole of MS support for a case like this is not appealing. They're going to send me right back to Meraki and round-and-round we go.

 

I've spent days researching this, to no avail. Is the bottom line here that this Meraki product doesn't support Windows 10? It's in the documentation, so I would presume it's supposed to. But here we are.

 

As I mentioned in my OP, I haven't been able to find any third-party VPN clients that would appear to work. 

 

What are other Windows 10 folks out there doing?

Conversationalist

Re: Meraki's fault? Microsoft's?

I have the exact same issue. Makes it real hard to keep the client VPN self service. 

Kind of a big deal

Re: Meraki's fault? Microsoft's?

This is definitely a Windows issue. I have seen this happen only a handful of times and only after the Win 10 build was upgraded (1607 -> 1709 for example). I'd suggest opening a case with Microsoft. 

 

We have a few hundred Win 10 users (all Win 10 Enterprise 1607 or 1703) connecting to Meraki MX VPN without a problem. 

MRCUR | CMNO #12
Kind of a big deal

Re: Meraki's fault? Microsoft's?

First upgrade to 13.28, which is the current "stable" and recommended code. No point in running old code.

 

You can try the Client VPN troubleshooting guide:

https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN

 

Note that some brands of machines, like Dell, ship software on those machines that breaks the Microsoft VPN client:

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

 

Lastly, rather than configuring the Client VPN via the GUI you could try using PowerShell, as it produces exactly the same predictable result each time you set up a machine:

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

Re: Meraki's fault? Microsoft's?

Thanks Philip. Will definitely consider the update to 13.28.

 

Tried the troubleshooting guide, and we don't have that Dell software on our machines.

 

I've done the PowerShell thing too. The problem isn't setting it up in a repeatable, predictable manner and getting it to work. It's the settings changing all on their own, at random times. I can run PS scripts until the cows come home, teach users how to do it - but it won't fix what I'm pretty much convinced is a MS bug. That, and I'm not keen on exposing the PSK to everybody.
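Added example, not part of any post in this thread: a PowerShell check that compares a Windows VPN profile against the PAP/L2TP baseline discussed above and resets only the authentication method when it has drifted. The connection name is a hypothetical placeholder, and the script neither contains nor sets the pre-shared key.

```powershell
# Added example. The connection name is an assumption; use the name you created.
$Expected = @{
    Name                 = 'Meraki Client VPN'   # hypothetical profile name
    TunnelType           = 'L2tp'
    AuthenticationMethod = 'Pap'                 # the setting reported as flipping to MS-CHAP
}

function Get-VpnDrift {
    # Returns one message per setting that differs from the baseline.
    param(
        [Parameter(Mandatory)] $Connection,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $drift = @()
    if ("$($Connection.TunnelType)" -ne $Baseline.TunnelType) {
        $drift += "TunnelType is '$($Connection.TunnelType)', expected '$($Baseline.TunnelType)'"
    }
    # AuthenticationMethod is a list; only "exactly the expected method" counts as clean.
    $methods = @($Connection.AuthenticationMethod | ForEach-Object { "$_" })
    if ($methods.Count -ne 1 -or $methods[0] -ne $Baseline.AuthenticationMethod) {
        $drift += "AuthenticationMethod is '$($methods -join ',')', expected '$($Baseline.AuthenticationMethod)'"
    }
    return $drift
}

# Add -AllUserConnection to both cmdlets if the profile was created for all users.
$conn  = Get-VpnConnection -Name $Expected.Name -ErrorAction Stop
$drift = @(Get-VpnDrift -Connection $conn -Baseline $Expected)

if ($drift.Count -eq 0) {
    Write-Output "[$($Expected.Name)] matches the baseline."
} else {
    $drift | ForEach-Object { Write-Warning "[$($Expected.Name)] $_" }
    # Rewrite only the authentication method; a TunnelType mismatch is reported, not changed.
    Set-VpnConnection -Name $Expected.Name `
        -AuthenticationMethod $Expected.AuthenticationMethod -Force
    $after = Get-VpnConnection -Name $Expected.Name
    Write-Output "[$($Expected.Name)] AuthenticationMethod is now: $($after.AuthenticationMethod -join ',')"
}
```

Run at logon or before connecting, the warnings give a record of how often the profile changes; the script does not restore saved credentials.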

Re: Meraki's fault? Microsoft's?

I do wonder if there's a 'brute force' workaround, such as changing a registry key somewhere to make adapter / connection settings read-only...
Kind of a big deal

Re: Meraki's fault? Microsoft's?

Sorry, my suggestion was to talk to Meraki support NOT MS support, this is something they might be aware of and may have a workaround.

 

 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Here to help

Re: Meraki's fault? Microsoft's?

...Another company here having the exact same issue on Windows 10 machines. Users are not happy. I know Microsoft will probably do nothing, but when will Meraki release more options for client VPN?

Getting noticed

Re: Meraki's fault? Microsoft's?

For those still having an issue getting Windows Client VPN to work with the MX, I can shed some light on what we learned and how we fixed it.

 

From our experience there are two types of reasons why the client VPN will not connect:

 

1. For Windows 10 you must edit the registry to allow VPN traffic to pass when the machine is behind a NAT. Enable UDP Encapsulation in the registry and reboot the machine. This will fix the issue most of the time.

 

https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t...

 

I have my registry key set to 2 and I can VPN into most customer networks.

 

2. The NAT device for whatever reason is not allowing the VPN connection. The NAT device is the firewall, or whatever device the computer is sitting behind. For example, we had a remote user behind an old SonicWALL firewall and after updating the firmware the VPN traffic was able to pass through the SonicWALL.

 

Another common one is those junk/crap Google WIFI mesh systems. Those WILL NOT pass VPN traffic, and if it does, it is only a matter of time until it stops working. The core issue is Google is unable to properly forward VPN traffic from the main router to the mesh WAPs properly, and they offer zero support. I got around this by opening the ports for VPN traffic and pointing it to a static IP, but that was a temp fix. We replaced the Google WIFI router system with a Meraki and it 100% solved the issue.

 

At the end of the day, either your settings are wrong, you don't have UDP encapsulation enabled, or your remote device is behind a physical firewall that is not allowing the VPN to work.
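Added example, not part of the post above: a PowerShell helper that reads and sets the UDP encapsulation registry value the post refers to. The value name `AssumeUDPEncapsulationContextOnSendRule` and the meanings of 0, 1 and 2 come from the linked Microsoft article rather than from the post; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names are illustrative, not from any product.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meanings as documented in the Microsoft article linked in the post.
$Meaning = @{
    0 = 'default: no security associations with servers behind NAT'
    1 = 'security associations allowed with servers behind NAT'
    2 = 'security associations allowed when server and client are both behind NAT'
}

function Get-NatTraversalRule {
    # An absent value behaves like 0 (the Windows default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Set-NatTraversalRule {
    # Returns $true only when the registry was changed (a reboot is then required).
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)] [int] $Value = 2)

    $current = Get-NatTraversalRule
    Write-Host "Current value: $current ($($Meaning[$current]))"
    if ($current -eq $Value) {
        Write-Host 'No change needed.'
        return $false
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set DWORD to $Value")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
        Write-Host "Set to $Value ($($Meaning[$Value])). Reboot for it to take effect."
        return $true
    }
    return $false
}

# Preview first with -WhatIf, then run without it to apply.
Set-NatTraversalRule -Value 2 -WhatIf | Out-Null
```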

Conversationalist

Re: Meraki's fault? Microsoft's?

Yap!! #MeToo!!

I experience the same behaviour. For weeks it runs without any problems and all of a sudden, Microsoft's Windows begins to change the settings in VPN from PAP to CHAP and from Authentication mode User/Pass to General.

 

It's really annoying and IT IS AN MS-ISSUE!

 

Greetings

Ami

Getting noticed

Re: Meraki's fault? Microsoft's?

I have a client with many users on a Meraki VPN, all with Windows 10. I have noticed that from time to time Windows 10 will not connect to any Windows based VPN, until after a reboot.

 

I also noticed the VPN is much more reliable if it does not have saved credentials. I have had more times than I care to count where the connection appeared to hang (requiring a reboot to get any VPN to work again). I would then clear the credentials and the connection would work thereafter, every time.
