Outlook prompts for password repeatedly over VPN client

carlosaob
New here

Hello,

I have an MX84 with site-to-site VPN and Client VPN enabled. Site-to-site is working without any issues; however, users utilizing Client VPN are constantly being prompted for their password in MS Outlook.

Client VPN has a subnet 10.59.100.0/24 with our internal Custom Nameservers. The authentication is done with Meraki Cloud.

It happens on different Windows operating systems and different MS Outlook versions.

When checking Connection Status in MS Outlook I can see everything is Established under the Status column, then after a couple of minutes Exchange Mail disconnects and I get the password prompt.
It was suggested to verify DNS settings in Client VPN, but when testing with nslookup everything resolves fine.

Any suggestions?

Thanks

NSGuru
Getting noticed

Hi @carlosaob,

I have faced issues like this in the past as well. What type of server are you using: is it Exchange or Office 365?

I see that you have the custom name servers set up. Did you also go into advanced and set your internal DNS suffix? Are there any subnets the Client VPN should be able to reach that it is not allowed to reach at this time? If you are using site-to-site VPN and connecting at one site and Exchange is on the other, you will need to make sure the Client VPN subnet can communicate across the site-to-site VPN as well. Please let me know.

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂

Hi @NSGuru

We have a hosted Exchange 2010 at the MX84 location. Main subnet 192.168.100.xx

Two remote sites with an MX64 each and DHCP running in the MX. Site-to-site VPN, as I mentioned, works without any issues with 192.168.110.xx and 192.168.120.xx. Those clients can reach Exchange with no problems; Outlook doesn't prompt for a password.

DHCP is not running in the MX84 location where the Exchange server lives and where VPN clients are connecting to. The Domain Controller has DHCP running.

I don't see an option to add a DNS suffix, I guess because DHCP is not running in the MX84?

One of the setbacks I've faced with Meraki Client VPN is that it does not dynamically add the local DNS server to the computer. You have to manually add the DNS servers on the Windows network adapter: go to the adapter's properties, open the TCP/IPv4 settings and set static DNS. You also have to manually add the DNS suffix: under Advanced, select the DNS tab and enter the DNS suffix at the bottom. Hope this helps. Let me know if you need a more detailed guide and I can elaborate further.

You also have to do the same with Mac and its DNS settings; not sure of its exact options, however.

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂

Okay I see what you are saying. I made those modifications in the adapter but I kept having the same behavior.
I decided to change the authentication method in Client VPN to Active Directory and that solved the problem. No more prompts.
PhilipDAth
Kind of a big deal

Is your AD domain perhaps the same as your external public domain?

@PhilipDAth

No, it is not.

Joel-McGowan
Conversationalist

This might help

I ran into a problem using the Meraki authentication with the VPN client. Had to change the registry setting below to 1. Mapped drives were authenticating with the Meraki credentials instead of the domain. Might not apply here but it's worth a shot.

1.) You can set the value of the following key to 1, Hkey_Local_Machine\System\CurrentControlSet\Control\Lsa\DisableDomainCreds. This turns off the caching of credentials and forces your domain credentials to be used when accessing resources on both the local and remote network.

https://www.reddit.com/r/meraki/comments/4w07gu/meraki_mx84_client_vpn_cannot_connect_to_mapped/
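A client-side check of the settings raised in this thread (DNS servers and suffix on the VPN adapter, resolution of the Exchange host by short name and FQDN, and the DisableDomainCreds value), added here as an example and not posted by anyone in the discussion. The VPN connection name, host name and DNS suffix are placeholder assumptions; the optional switch writes the registry value and needs an elevated prompt.

```powershell
# Added example, not from the thread. Defaults below are placeholder assumptions.
param(
    [string]$VpnName      = 'Meraki VPN',         # hypothetical VPN connection name
    [string]$ExchangeHost = 'exchange01',         # hypothetical Exchange short name
    [string]$DnsSuffix    = 'corp.example.local', # hypothetical internal DNS suffix
    [switch]$SetDisableDomainCreds                # write the value as 1 (needs elevation)
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Resolve-Quietly([string]$Name) {
    # Return the A records as text, or the failure reason instead of throwing.
    try {
        $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $a.IPAddress -join ', '
    } catch { "FAILED: $($_.Exception.Message)" }
}

# DNS servers and connection-specific suffix actually applied to the VPN adapter.
$dnsServers = (Get-DnsClientServerAddress -InterfaceAlias $VpnName -AddressFamily IPv4 `
               -ErrorAction SilentlyContinue).ServerAddresses
$ifSuffix   = (Get-DnsClient -InterfaceAlias $VpnName `
               -ErrorAction SilentlyContinue).ConnectionSpecificSuffix

# Current registry value; $null means the value is not set on this machine.
$current = (Get-ItemProperty -Path $lsaKey -Name DisableDomainCreds `
            -ErrorAction SilentlyContinue).DisableDomainCreds

[pscustomobject]@{
    VpnDnsServers      = $dnsServers -join ', '
    VpnDnsSuffix       = $ifSuffix
    ShortNameResolves  = Resolve-Quietly $ExchangeHost   # depends on the suffix search list
    FqdnResolves       = Resolve-Quietly "$ExchangeHost.$DnsSuffix"
    DisableDomainCreds = $current
} | Format-List

if ($SetDisableDomainCreds -and $current -ne 1) {
    # With this value at 1, Windows no longer stores domain credentials
    # in Credential Manager, so saved domain passwords stop being offered.
    Set-ItemProperty -Path $lsaKey -Name DisableDomainCreds -Value 1 -Type DWord
    Write-Host "DisableDomainCreds changed from '$current' to 1"
}
```

A short name that fails while the FQDN resolves points at the missing suffix described earlier in the thread; both failing points at the DNS servers assigned to the VPN adapter.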
