Multiple L2TP VPN connections failing

from_afar
Building a reputation


We have a few new MacBook Pros on our network that I'm trying to get L2TP VPN working with. After initial config, everything seemed to be working fine. Now, however, it seems like if more than one is trying to connect, the L2TP server stops responding after the first connects and is connected. Pinging the endpoint works fine. I've tried reinstalling the VPN connection from scratch multiple times. I then created a VPN profile with Apple Configurator. One user installed the profile, connected fine, deleted the old VPN connection, then could not connect anymore. The only thing that happened in the meantime was I installed the profile on another user's laptop and connected fine, which has me wondering if it is a DHCP issue?
The client VPN page has a subnet set to 192.168.3.0/24. The main VLAN/DHCP (we are using a single VLAN) is 192.168.1.0/24.

Do the appliances (auto-update mx-95) automatically handle client DHCP based on subnet entered on client vpn page?

 

Any other ideas what could be wrong appreciated. 

alemabrahao
Kind of a big deal

Why don't you use the Anyconnect?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
from_afar
Building a reputation

I was hoping not to since it installs the socket filter and other stuff but I may have to resort to it if I can't get L2TP working. 

 

Thanks for the reply.

Alejandro_F
Meraki Employee

Hi,

 

The client VPN subnet is configurable, just like the subnet size. If the subnet is a /24 it could handle 253 hosts.

 

Edit the VPN interface and, under Options, enable 'Send all traffic over VPN connection'.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

https://community.meraki.com/t5/Security-SD-WAN/Client-vpn-dhcp/m-p/39907

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
from_afar
Building a reputation

Thanks.

 

The send all traffic option is and has been set. Like I said, it was working fine until multiple people tried connecting at the same time.

How are users authenticated? Meraki Cloud or AD? Is a different user configured for each computer?

 

Try connecting each device with a different user. Maybe you could create a fresh new user.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
from_afar
Building a reputation

They authenticate via Meraki Cloud username and password. Again, that doesn't seem to be the issue because, as mentioned, the first user to connect connects fine. I'm wondering now if the issue was that they were all using the same WiFi. If, because they were on the same WiFi and thereby the same public IP, Meraki does some magic behind the scenes for NAT'ing or something, would that cause multiple L2TP connections from the same public IP to not work?

 

Thanks for the help. 

I've also suspected this but haven't confirmed

BlakeRichardson
Kind of a big deal

What are the event logs in your dashboard reporting? Client VPN does work on macOS; I have used it in the past without any issue.

 

You mentioned a DHCP issue; what I would try is to get each client device to connect one at a time and see whether they are given the same DHCP address or not. It might not be entirely accurate because I don't know how Meraki MX deals with client VPN DHCP leases, but I am assuming it works the same way as LAN DHCP in regard to lease time.

There are some logs like this (note: 1.1.1.1 is the WAN IP, 8.8.8.8 is the client IP):

Jun 26 14:37:31 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> CHILD_SA net-ipv4-1{24234} established with SPIs ccfc10d7(inbound) 093852d7(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/51365]
Jun 26 14:37:30 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> IKE_SA l2tp-over-ipsec-1[24658] established between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.118]
Jun 26 11:22:27 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> deleting IKE_SA l2tp-over-ipsec-1[24463] between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.176]
Jun 26 11:14:37 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> CHILD_SA net-ipv4-1{24119} established with SPIs c33252da(inbound) 03ff14b1(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/59218]
Jun 26 10:46:40 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)
Jun 26 10:46:37 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)

 

The reason I was thinking it might be DHCP is that the first client that tries seems to connect without issue. It's the subsequent users who get rejected. The users are all in the office today so were trying on our WiFi (which is totally isolated from Meraki--i.e. not connected in any way except when VPN is connected).

 

Interestingly, when I check the client list, I do not see any of these clients at all. Not even the one that connected first and seemed to be working fine. There is not one entry in the clients list with an ip address that matches the subnet set for the Client VPN.

 

NB: I have installed Secure Client on all of their machines and that is working fine... I was hoping to avoid that but I couldn't wait any longer to get them connected.
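The event-log lines quoted above already carry the clue the thread later arrives at: one public client IP (8.8.8.8) shows up with two different IKE identities in brackets (10.1.1.118 and 10.1.1.176) and two different L2TP source ports, i.e. several Macs behind the same NAT. This added example (not from the original post) parses lines in that format and flags public IPs that look like a shared NAT; the sample log is constructed from the lines in the post and the reading of the bracketed value as the client's private address is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Client VPN event log lines quoted in the thread
# (1.1.1.1 = MX WAN IP, 8.8.8.8 = the clients' shared public IP).
SAMPLE_LOG = """\
Jun 26 14:37:31 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> CHILD_SA net-ipv4-1{24234} established with SPIs ccfc10d7(inbound) 093852d7(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/51365]
Jun 26 14:37:30 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24658> IKE_SA l2tp-over-ipsec-1[24658] established between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.118]
Jun 26 11:22:27 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> deleting IKE_SA l2tp-over-ipsec-1[24463] between 1.1.1.1[1.1.1.1]...8.8.8.8[10.1.1.176]
Jun 26 11:14:37 Client VPN Client VPN negotiation msg: <l2tp-over-ipsec-1|24463> CHILD_SA net-ipv4-1{24119} established with SPIs c33252da(inbound) 03ff14b1(outbound) and TS 1.1.1.1/32[udp/l2f] === 8.8.8.8/32[udp/59218]
Jun 26 10:46:40 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)
Jun 26 10:46:37 Client VPN Client VPN authentication msg: Remote Client IP 8.8.8.8 sent termination request (Peer not responding)
"""

# IKE_SA lines: "...between <wan>[<wan-id>]...<client-public>[<client-identity>]".
# The bracketed client value is assumed to be its private (pre-NAT) address.
IKE_RE = re.compile(r"IKE_SA \S+ (?:established )?between \S+\.\.\.(?P<pub>[\d.]+)\[(?P<inner>[^\]]+)\]")
# CHILD_SA lines end with the traffic selector; the client's UDP port is the L2TP source port.
CHILD_RE = re.compile(r"CHILD_SA .* === (?P<pub>[\d.]+)/32\[udp/(?P<port>\d+)\]")
TERM_RE = re.compile(r"Remote Client IP (?P<pub>[\d.]+) sent termination request \((?P<reason>[^)]+)\)")

def summarize(log_text):
    """Group Client VPN events by the client's public IP."""
    clients = defaultdict(lambda: {"identities": set(), "l2tp_ports": set(), "terminations": 0})
    for line in log_text.splitlines():
        if m := IKE_RE.search(line):
            clients[m["pub"]]["identities"].add(m["inner"])
        elif m := CHILD_RE.search(line):
            clients[m["pub"]]["l2tp_ports"].add(int(m["port"]))
        elif m := TERM_RE.search(line):
            clients[m["pub"]]["terminations"] += 1
    return clients

def shared_nat_suspects(clients):
    """Public IPs behind which more than one client appears (several identities or
    several L2TP source ports): the 'everyone on the same WiFi' case in the thread."""
    return sorted(ip for ip, c in clients.items()
                  if len(c["identities"]) > 1 or len(c["l2tp_ports"]) > 1)

if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG).items():
        print(ip, sorted(c["identities"]), sorted(c["l2tp_ports"]), "terminations:", c["terminations"])
    print("shared NAT suspects:", shared_nat_suspects(summarize(SAMPLE_LOG)))
```

Pair the output with the dashboard client list: if a suspect IP shows established CHILD_SAs but its clients never appear with a Client VPN subnet address, the tunnel is being torn down before L2TP/PPP completes rather than failing at DHCP.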

PhilipDAth
Kind of a big deal

>if more than one is trying to connect, the L2TP server stops responding after the first connects and is connected.

 

I have seen this happen with broken CPE NAT implementations.

 

I assume they are trying to use L2TP/IPsec to your MX. Does your MX have a public IP address on it, or does it sit behind some other device doing NAT?

from_afar
Building a reputation

It has a public IP address. They are connecting to vpn.example.com which is CNAME'd to the Hostname abc-xyz.dynamic-m.com listed in the Appliance settings. 

 

I'm wondering now if the issue was that they were all using the same WiFi. If, because they were on the same WiFi and thereby the same public IP, Meraki does some magic behind the scenes for NAT'ing or something, would that cause multiple L2TP connections from the same public IP to not work?

 

Thanks for the reply. 

>I'm wondering now if the issue was that they were all using the same WiFi.

 

I have had this issue a lot in the past. Nothing to do with Meraki. It's that the CPE used for the WiFi will have a buggy NAT implementation. The machine to most recently use the NAT for the VPN causes any existing NAT entry for other machines to be deleted.

 

Sometimes a firmware update of the CPE fixes it.

tweedle-dumb
Here to help

I'm having the exact same problem at one of my sites. In our case, both sites are using Meraki MX/MR/MS all the way from top to bottom. We have a site that we do not wish to allow to participate in Mesh VPN, but we want certain users to be able to connect to our main site's client VPN, like they do at home. It seems that only one user can connect at a time from that office. Their client VPNs work fine at home. Most use Macs.

from_afar
Building a reputation

It seems like it's an issue with people being on the same WiFi network--something with the way Meraki Secure Client handles the networking--for some reason the first one to connect wins, then anyone else trying just fails. It also seems like once multiple people try, if the first disconnects, they cannot connect again. I never did find a solution. I was trying to use IPsec, but had a lot of trouble with that on our Macs too, which is why we were forced to use AnyConnect, but if you can get IPsec working, that might solve the issue.

 

Just curious: what equipment are the WiFi users connecting through? Here we are using Ubiquiti. Wondering if it might be them.

 

Sorry I couldn't be more helpful.

This is unresolved for me, so the proof has no pudding to be in yet, but we do have a solution in the works -- and it's firmware. Bear in mind that I'm using two Meraki MXs here, one of which is not participating in Mesh, so it's a standalone site, but we still have some users who need to get to stuff, so they use the remote site's client VPN.

 

When one person connects to the remote site's client VPN, that person gets to use port 4500 for their connection, so local MX port 4500 is in use. The local MX tries to connect the next person by using a different port (PAT), but the remote site is only expecting to see 4500, and it doesn't know what to do with a client VPN connection that doesn't come from port 4500, and so only one person can connect at a time. I saw this in pcaps and then confirmed with Meraki support.

 

Per Meraki Support, my solution is either to downgrade to 18.1xx and then upgrade to 18.2xx or to drop temporarily from multi-core (which apparently 18.2xx introduced) to single-core and then bump back up to multi-core after that. Both require a reboot.

 

I hope this solves it for me (and for you, too!).
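The port 4500 behaviour described above is easy to see in a toy model. This added example (not from the original post, and not Meraki's code) simulates a port-preserving NAT in front of two Macs: the first client keeps UDP 4500 on the shared public IP, the second collides and is PAT'd to an ephemeral port, and a responder that only services source port 4500 rejects it while one that keys the SA on the full (IP, port) pair, as NAT-T expects, accepts both. The public IP and client addresses are placeholders.

```python
from dataclasses import dataclass, field

NAT_T_PORT = 4500  # UDP port IPsec moves to once NAT is detected (IKE and UDP-encapsulated ESP)

@dataclass
class PortPreservingNat:
    """Toy edge NAT: keep the inside source port when it is free on the public IP,
    otherwise fall back to PAT with an ephemeral port (constructed model)."""
    public_ip: str
    next_ephemeral: int = 49152
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> public port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            in_use = set(self.table.values())
            if inside_port not in in_use:
                self.table[key] = inside_port          # first client: 4500 stays 4500
            else:
                while self.next_ephemeral in in_use:
                    self.next_ephemeral += 1
                self.table[key] = self.next_ephemeral  # second client: PAT'd
                self.next_ephemeral += 1
        return self.public_ip, self.table[key]

def strict_responder_accepts(src_port):
    """Responder that, as the poster describes, only expects NAT-T from source port 4500."""
    return src_port == NAT_T_PORT

def tolerant_responder_accepts(src_port):
    """Responder that tracks each peer by (IP, port) and accepts any source port."""
    return 1 <= src_port <= 65535

def simulate(clients, responder, public_ip="203.0.113.10"):
    """Connect clients behind one NAT in order; return {client_ip: accepted?}."""
    nat = PortPreservingNat(public_ip)
    results = {}
    for ip in clients:
        _, sport = nat.translate(ip, NAT_T_PORT)
        results[ip] = responder(sport)
    return results

if __name__ == "__main__":
    macs = ["10.1.1.118", "10.1.1.176"]  # placeholder client addresses
    print("strict responder:  ", simulate(macs, strict_responder_accepts))
    print("tolerant responder:", simulate(macs, tolerant_responder_accepts))
```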

Disabling multi-core fixed the problem for me. Confirmed. Meraki Support had to perform that for me. I didn't downgrade the firmware. A future firmware release should re-enable multi-core and hopefully fix the VPN problem.

XINSING
Conversationalist

Hi, 

 

Please try downgrading to firmware MX 18.107.10.

This is how I worked with Cisco service for 3 weeks to reach the solution.
Good luck!

 

XINSING
Conversationalist

P.S. Our Meraki is MX85. 

DavidSoto
New here

Hi, I am having the same issue. We are using an MX85 with firmware MX 18.211.2; how can I downgrade to MX 18.107.10?

Put in a ticket to Meraki Support. They can either downgrade the firmware or disable multi-core without downgrading firmware, and then the next firmware version should re-enable multi-core and fix the problem (based on what I understood from my support experience). Disabling multi-core is actually fewer moving parts since downgrading will disable multi-core anyway.

Awesome, thank you!

KiloSeven
Conversationalist

I am also having Client VPN issues reaching my MX67. I haven't used VPN for a year on my Mac. I recently tried to connect to the MX67 network over VPN; no settings were changed and it didn't work.

I tried the following firmware: 18.211.2, 18.211.3 and 19.1.3, with no luck.

 

Last time the Client VPN worked was in 2023. 
