Hello,
I am trying to set up a very basic client VPN connection in order to test it out and see if it's something my company would move to using.
But I can't get even the most basic config to work 😛
I am testing with a MX67w firmware version MX 18.107.2
I have downloaded/installed the latest AnyConnect client from the dashboard.
In Security/SD-WAN I have gone into client VPN and enabled the AnyConnect settings.
Selected Meraki Cloud authentication
Put in a subnet I'm not using anywhere else
I have cert authentication set to disabled, although while testing I turned it on and was expecting a choice of cert methods, but I only get a single option to upload a cert file (the guide says there should be an auto-generated option)
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#How_to_Enable_AnyConne...
Using Google public DNS
Set my user account to allow VPN access.
Saved settings.
Then I copied the hostname and pasted it into the client and clicked connect - I don't get a credentials prompt, it just gives me an error after a while saying connection attempt timed out.
I am able to ping the MX's public IP no problem.
I'm using standard 443 port.
There isn't any firewall or other device between the ISP router and the MX.
Dunno what else to try.
Are you testing in the same location where MX is installed? If so, it won't work, you need to be on another network, you can route your mobile device's WiFi to test.
I'm on a separate network
No, no forwarding etc.
I can ping the hostname and see it get all the way to the MX OK. I made sure antivirus isn't blocking anything. I ran a packet capture on the MX during a connection attempt but couldn't see any relevant traffic - but then I couldn't see any traffic to my laptop during a successful ping test either.
The MX does have an inbound firewall enabled, surprisingly, with a block-all rule. I didn't think this would be blocking it, but I added an allow-all rule all the same and it still didn't help, so I removed it again.
Being able to ping is not a valid test for me. I sent you a troubleshooting guide. But this seems to be a problem with your notebook or local network, nothing related to the MX.
I don't see anything in the log after I enabled the AnyConnect server - I assume that means nothing is reaching the MX? I have no filters set so should be seeing everything
Yes, apparently there are no requests arriving at the MX, have you tried a packet capture? Any chance your Windows firewall or antivirus is blocking the connection attempt?
Check the troubleshooting guide.
Does the MX definitely have the public IP address on its WAN port?
In the appliance status page I can see WAN2 has the IP next to it with a green active sign.
If I go to uplink config the public IP is there again with a different DNS name than the VPN one.
Just to see if there was anything on my company laptop that could be interfering, I grabbed a spare laptop, formatted it, connected to a guest WiFi and tried again with nothing installed on the laptop except the VPN client. I get the exact same message as my company laptop - connection attempt timed out.
If you have WAN 1 configured and it is configured as primary, the VPN client will not work on WAN2, either you use the WAN IP to connect or you change WAN2 to the primary traffic shaping configuration.
Ah, interesting.
Both WANs are configured as dynamic. WAN 1 is enabled but not connected.
I disabled WAN1 and tried again - same error message.
Dynamic? So you don't have a public IP, right? You're behind a NAT, so it won't work.
Please provide more details of this connection if the understanding is wrong.
The MX is plugged directly into a BT router
Yes, but is the IP that is shown as highlighted public or private?
That one is private on the internal LAN
Bingo, then it won't work, you need a public IP configured directly on the WAN interface, an IP with NAT won't work anyway. That's what we're trying to explain to you.
Aaah, I get you, cheers!
One last question - does this mean that if the primary WAN link goes down, it will drop all VPN connections?
If so, will they be able to re-connect on the secondary WAN?
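Added example, not part of any post in this thread: a small Python check for the two things the replies keep asking about, whether the uplink address the dashboard shows is public or private, and whether TCP 443 actually completes a handshake (which a successful ping does not show). The function names and the sample addresses are assumptions made for this example.

```python
import ipaddress
import socket
import sys

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range

def classify_wan_ip(addr):
    """Classify the address shown on the uplink: public, private, cgnat or unusable."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "unusable"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public"

def tcp_probe(host, port=443, timeout=5.0):
    """Attempt a full TCP handshake; ICMP replies say nothing about this port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error: %s" % exc

def diagnose(wan_ip, probe):
    """Combine both observations into one line for the ticket."""
    kind = classify_wan_ip(wan_ip)
    if kind != "public":
        return ("uplink address is %s: an upstream router holds the public IP, "
                "so inbound connections terminate there, not on the MX" % kind)
    if probe == "open":
        return "uplink is public and TCP 443 answers: look at client or auth settings"
    return "uplink is public but TCP 443 probe gave '%s': traffic is not reaching the VPN server" % probe

if __name__ == "__main__":
    # usage: python check.py <uplink-ip-from-dashboard> <vpn-hostname>
    wan_ip, host = sys.argv[1], sys.argv[2]
    print(diagnose(wan_ip, tcp_probe(host)))
```

Run the probe from a network outside the site, with the uplink address read from the appliance status page and the hostname copied from the client VPN settings.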