Only one VPN client per public IP

Solved
Abe13
Conversationalist

Hi, 

I'm fairly new to Meraki, I inherited a preconfigured network and there's little to no documentation about what was done.

Long story short, now that everyone is working from home, I noticed that only one VPN client is allowed per public IP, meaning that employees who share an internet connection can't use the VPN at the same time. After the first client connects, the second one will get error 809 and the troubleshooting steps don't fix the issue; only disconnecting the first machine will allow the second to connect.

I've been searching through the configuration and documentation but haven't found a restriction of this kind.

Has anyone else had the same issue?

PhilipDAth
Kind of a big deal

Try adding the AssumeUDPEncapsulationContextOnSendRule registry key.

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809 
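
As an added example (not part of the original reply, and not Meraki's own code), this PowerShell script audits the registry value named above on a Windows client and optionally sets it. The key path, the DWORD value 2 and the reboot requirement come from Microsoft's NAT-T documentation rather than from this thread; the `-Apply` switch is a hypothetical parameter of this script.

```powershell
# Added example: audit (and optionally set) the NAT-T registry value on a Windows client.
# -Apply is this script's own switch; without it the script only reports.
param([switch]$Apply)

$Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name    = 'AssumeUDPEncapsulationContextOnSendRule'
$Desired = 2   # 2 = both the VPN server and the client may sit behind NAT

# Read the current value; $null means the value has never been created.
$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $current) {
    "$Name is not set"
} else {
    "$Name is currently $current"
}

if ($current -ne $Desired) {
    if ($Apply) {
        # Writing under HKLM requires an elevated session.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Desired -Force | Out-Null
        "Set $Name to $Desired. Reboot before retesting the VPN."
    } else {
        "Re-run elevated with -Apply to set it to $Desired."
    }
}

# The native L2TP/IPsec client depends on these two services being available.
Get-Service -Name IKEEXT, PolicyAgent | Select-Object Name, Status, StartType
```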

Abe13
Conversationalist

Already tried the registry key but that didn't work. Btw, this happens to everyone; I even did a test at home and got the same result: computer 1 connects, computer 2 doesn't.

Assuming it's a NAT issue on the ISP's side, that will turn into a nightmare, I know of at least 2 pairs of users that don't have control over their ISP's modem.

I'll try working with a user that has a regular setup first and see if something can be done.

Thanks!

PhilipDAth
Kind of a big deal

You may find upgrading the firmware on the user's ISP router also resolves it (it is a NAT issue).

PhilipDAth
Kind of a big deal

You could try a newer firmware version of the MX in desperation.

Abe13
Conversationalist

Haha I'm past the desperation point but I don't want to break anything else... yet. 

I wanted to make sure if it could be an issue with the current configuration / device or if it was just normal behavior.

I'll post my results after talking to the ISP

Aaron_Wilson
A model citizen

Does the soft client work differently than, say, a Z3? I have never had issues with multiple Z3/MX at home for testing behind a single NAT router. But I have never tested the soft client.

PhilipDAth
Kind of a big deal

They use completely different mechanisms.

BlakeRichardson
Kind of a big deal

@Abe13 Are the client devices using Windows native VPN client or other 3rd party software?

Have you opened a support case about this? 

Abe13
Conversationalist

They're using the native VPN client, we couldn't get other clients to work with Meraki.

Btw, I found the solution. I checked the firmware as suggested yesterday and it was already running the Beta version, but it wouldn't allow me to roll back to the latest stable version (something about the Beta being installed for too long).

I noticed that scheduling a firmware downgrade was allowed, so I gave it a shot. The firmware downgraded successfully and now the VPN is working almost as expected.

I'm still having issues with AD authentication but at least Meraki's built-in authentication method works.
