I apologize in advance for the length. In an attempt to save from duplicating efforts, I chose to list the numerous troubleshooting steps I have already tried.
Problem:
Randomly, a Meraki ClientVPN client system is unable to communicate with any host using the FQDN, but is able to communicate using the hostname only. Server resources (i.e. file shares) are accessible via the hostname alone, but not via FQDN. Our ERP software requires the use of the FQDN.
This issue has now happened a sixth time in the past three weeks and because all our daily remote users are field sales reps, it's becoming very frustrating as they are down for long periods.
Configuration details:
Other behavior and unsuccessful troubleshooting steps:
We have transitioned all but two of our remote users from our old Cisco ASA solution using Anyconnect to the Meraki using Windows native L2TP. Given the ASA is still in play, I was able to use the Cisco Anyconnect VPN connection to the ASA which worked. I then disconnected from the ASA, reconnected to the Meraki but the issue persisted. I even removed the Anyconnect software and tested it just in case it somehow could have interfered.
I do not have v16.x firmware installed to be able to test using Anyconnect with the Meraki. I am highly cautious about installing RC firmware on our critical production hub security gateway device.
In all but one case, I had the user go back to using the ASA. For the last user, I created HOSTS entries and left it at that because I had to get it working immediately and had already known this worked.
In all but one case, the issue resolved itself after the user had been disconnected from the Meraki (using the ASA in the interim) or when trying again the next day.
On one occasion, I was working from home when I received a call from a user having an issue. After trying the basics (reboot, etc.), I connected my PC to the Meraki with the user's VPN credentials and it worked fine. I then tried my credentials from the user's system and it DID work. After that moment, it was working fine again with the user's credentials. I had made no change between the moment it was not working and when it began working correctly - I merely logged on with that user's credentials from another PC. Unfortunately, I have not been able to re-test this method and cannot force the problem.
I spoke with support, but was unable to be on the phone with them while the issue was happening and thus they were unable to help. I cannot force the issue to occur.
Rebooting the MX during the issue is not an option as it will bring down all our 11 remote branches, and several third-party cloud services that have live links into our ERP software.
On the surface, this seems like a Windows issue, but the fact that I can connect with Anyconnect to the ASA and it works, and how it weirdly resolves itself after some time has passed, makes me lean toward the MX.
Anyone else having this problem? Any ideas on what I can try the next time it happens?
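A diagnostic that helps when a short hostname works but the FQDN does not: short names can be satisfied by the Windows resolver's DNS suffix search list, LLMNR or NetBIOS, while the FQDN has to be answered by an actual DNS server. Sending a hand-built A query straight to the DNS server the VPN hands out, bypassing the OS resolver and its fallbacks, shows whether that server answers the FQDN at all and, if not, whether it replies NXDOMAIN, REFUSED or simply times out (a timeout points at the path over the tunnel rather than at the server's zone data). The script below is an added example written for this thread, not Meraki's or Cisco's code; the server address, host and DNS suffix are command-line arguments you supply, and the sample bytes in the test are constructed.

```python
"""
Direct DNS A-record probe (added example, not from the original thread).
Builds an RFC 1035 query by hand, sends it to one chosen DNS server over
UDP/53 and decodes the reply, so the OS resolver (and its LLMNR/NetBIOS
fallbacks for short names) is taken out of the picture.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursive (RD=1) A/IN query for `name`: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_txid: int = 0x1234) -> dict:
    """Decode the header and any A-record answers; returns rcode and IPv4 strings."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (reply is not for our query)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, IN class
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "addresses": addresses}


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Query `server` directly for `name`; a timeout is reported instead of raised."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"error": "timeout", "rcode": None, "addresses": []}
    result = parse_response(data)
    result["rcode_name"] = RCODE_NAMES.get(result["rcode"], str(result["rcode"]))
    return result


if __name__ == "__main__":
    import sys
    # usage: python dns_probe.py <vpn-assigned-dns-server-ip> <host> <dns-suffix>
    # (all three values are yours to supply; none are taken from the thread)
    server, host, suffix = sys.argv[1:4]
    for candidate in (host, f"{host}.{suffix}"):
        print(f"{candidate} via {server} -> {probe(server, candidate)}")
```

Run it from the affected client while the VPN is up, once against the DNS server the Meraki assigns and once against the same server from a client that is working; if the short name and the FQDN both return NOERROR with the right address, the server is fine and the Windows resolver's interface binding or suffix search list is the next place to look, whereas a timeout only from the broken client narrows the fault to the tunnel path that the packet captures suggested in the replies would confirm.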
First, bravo for the thorough testing and documentation of steps tried. More info always helps.
While the problem is occurring have you been able to grab a capture from the VPN and LAN interfaces of the MX100?
Regretfully, I did not. I plan to the next time it happens.
Are the DNS servers configured to allow the VPN DHCP range to perform lookups?
There is no configuration on the DNS servers allowing or blocking any specific IP, IP range or domain.