Multiple L2TP VPN connections failing

from_afar
Getting noticed


We have a few new MacBook Pros on our network that I'm trying to get L2TP VPN working with. After initial config, everything seemed to be working fine. Now, however, it seems like if more than one is trying to connect, the L2TP server stops responding after the first connects and is connected. Pinging the endpoint works fine. I've tried reinstalling the VPN connection from scratch multiple times. I then created a VPN profile with Apple Configurator. One user installed the profile, connected fine, deleted the old VPN connection, then could not connect anymore. The only thing that happened in the meantime was that I installed the profile on another user's laptop and connected fine, which has me wondering if it is a DHCP issue.
The client VPN page has a subnet set to 192.168.3.0/24. The main VLAN/DHCP (we are using a single VLAN) is 192.168.1.0/24.

Do the appliances (auto-update MX95) automatically handle client DHCP based on the subnet entered on the client VPN page?

Any other ideas what could be wrong appreciated. 

10 Replies
alemabrahao
Kind of a big deal

Why don't you use AnyConnect?


I was hoping not to, since it installs the socket filter and other stuff, but I may have to resort to it if I can't get L2TP working.

Thanks for the reply.

Alejandro_F
Meraki Employee

Hi,

The client VPN subnet is configurable, just like the subnet size. If the subnet is a /24, it could handle 253 hosts.

 

Edit the VPN interface and, under Options, enable 'Send all traffic over VPN connection'.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

 

https://community.meraki.com/t5/Security-SD-WAN/Client-vpn-dhcp/m-p/39907


Thanks.

 

The "send all traffic" option is and has been set. Like I said, it was working fine until multiple people tried connecting at the same time.

How are users authenticated? Meraki Cloud or AD? Is a different user configured for each computer?

 

Try connecting each device with a different user. Maybe you could create a fresh new user.


They authenticate via Meraki Cloud username and password. Again, that doesn't seem to be the issue because, as mentioned, the first user to connect connects fine. I'm wondering now if the issue was that they were all using the same Wi-Fi. If, for some reason, because they were on the same Wi-Fi and thereby the same public IP, Meraki does some magic behind the scenes for NATing or something, would that cause multiple connections from the same public IP via L2TP not to work?

 

Thanks for the help. 

BlakeRichardson
Kind of a big deal

What are the event logs in your dashboard reporting? Client VPN does work on macOS; I have used it in the past without any issue.

You mentioned a DHCP issue. What I would try is to get each client device to connect one at a time and see whether they are given the same DHCP address or not. It might not be entirely accurate, because I don't know how the Meraki MX deals with client VPN DHCP leases, but I am assuming it works the same way as LAN DHCP in regard to lease time.

There are some logs like this (note: 1.1.1.1 is the WAN IP, 8.8.8.8 is the client IP):

Jun 26 14:37:31 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> CHILD_SA net-ipv4-1{24234} established with SPIs ccfc10d7(inbound) 093852d7(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/51365]
Jun 26 14:37:30 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> IKE_SA l2tp-over-ipsec-1[24658] established between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.118]
Jun 26 11:22:27 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> deleting IKE_SA l2tp-over-ipsec-1[24463] between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.176]
Jun 26 11:14:37 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> CHILD_SA net-ipv4-1{24119} established with SPIs c33252da(inbound) 03ff14b1(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/59218]
Jun 26 10:46:40 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)
Jun 26 10:46:37 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)

 

The reason I was thinking it might be DHCP is that the first client that tries seems to connect without issue. It's the subsequent users who get rejected. The users are all in the office today so were trying on our WiFi (which is totally isolated from Meraki--i.e. not connected in any way except when VPN is connected).

 

Interestingly, when I check the client list, I do not see any of these clients at all. Not even the one that connected first and seemed to be working fine. There is not one entry in the clients list with an ip address that matches the subnet set for the Client VPN.

 

NB: I have installed Secure Client on all of their machines and that is working fine. I was hoping to avoid that, but I couldn't wait any longer to get them connected.

PhilipDAth
Kind of a big deal

>if more than one is trying to connect, the L2TP server stops responding after the first connects and is connected.

 

I have seen this happen with broken CPE NAT implementations.

 

I assume they are trying to use L2TP/IPsec to your MX. Does your MX have a public IP address on it, or does it sit behind some other device doing NAT?

It has a public IP address. They are connecting to vpn.example.com, which is CNAMEd to the hostname abc-xyz.dynamic-m.com listed in the appliance settings.

 

I'm wondering now if the issue was that they were all using the same Wi-Fi. If, for some reason, because they were on the same Wi-Fi and thereby the same public IP, Meraki does some magic behind the scenes for NATing or something, would that cause multiple connections from the same public IP via L2TP not to work?

 

Thanks for the reply. 
