VPN Client Connection Fails with error 718

Solved
Dennoh
Here to help

VPN Client Connection Fails with error 718

We have a built-in Windows VPN connection to a Meraki MX Firewall with Radius authentication. All other users are on Windows 10 and can connect to the VPN except one particular user only, whose VPN connection suddenly stopped working. Keep getting below error when we try to connect to the VPN.

 

 

 

 

The user Domain\user dialed a connection named XXX VPN which has failed. The error code returned on failure is 718.

 

 

 

 

  • Verified the user credentials are correct.
  • Reset the user password, retried the connection; got the same error.
  • Successfully connected to the VPN using my credentials on the user laptop.
  • Tried to connect using the user credentials on my laptop; got same error.
  • Re-created the VPN on user laptop; same error.
  • In our DC server, verified user has "Control access thru NPS Network Policy" checked.
  • Removed and re-added user to VPN security group in DC ,re-tested and got same error.
  • Verified the msRadiusServiceType attribute for the user in DC is <not set>

Appreciate any suggestions.

 

1 Accepted Solution
Dennoh
Here to help

Update: The client was getting to the MX but was failing to complete the IPsec negotiation. We ended up disabling  and reenabling the domain user account in AD  and it worked. Turns out disabling and enabling stuff can sometimes be a fix. 

View solution in original post

6 Replies 6
CptnCrnch
Kind of a big deal
Kind of a big deal

Does that user have „Dial-In rights“ ticked?

Dennoh
Here to help

@CptnCrnch  It's a radius authentication so on the user profile in DC; under "Dial-in' Tab "Control access through NPS Policy" is ticked.

CptnCrnch
Kind of a big deal
Kind of a big deal

OK, according to https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/error-codes-for-dial-up-vpn-... error code 718 means „PPP timeout“. Are you seing the client connecting to MX in the logs?

Dennoh
Here to help

@CptnCrnch  here is the log.

Mar 25 11:49:37 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Mar 25 11:49:37 Non-Meraki / Client VPN negotiationmsg: no configuration found for 71.58.172.3.
Mar 25 11:49:37 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA deleted 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:37 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA expired 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:37 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=3934531562.
Mar 25 11:49:17 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=3934531562(0xea842fea)
Mar 25 11:49:17 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=4838986(0x49d64a)
Mar 25 11:49:16 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:16 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Mar 25 11:49:16 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.
Mar 25 11:49:16 Non-Meraki / Client VPN negotiationmsg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Mar 25 11:49:08 Non-Meraki / Client VPN negotiationmsg: failed to begin ipsec sa negotiation.
Mar 25 11:49:08 Non-Meraki / Client VPN negotiationmsg: no configuration found for 71.58.172.3.
Dennoh
Here to help

Update: The client was getting to the MX but was failing to complete the IPsec negotiation. We ended up disabling  and reenabling the domain user account in AD  and it worked. Turns out disabling and enabling stuff can sometimes be a fix. 

Dantech
Comes here often

I did see this post but this issue does not apply to my issue. The problem is that the VPN adapter times out before it has a chance to reach the secondary RADIUS server listed in the MX. The user also has to have enough time to approve the DUO MFA request on their mobile device. As I mentioned the server does work if I place it first in the list. Ive contacted both Duo and Meraki. Meraki tried to play with the time out value from the Meraki side but its the VPN adapter on Windows computer that closes the session first.

Get notified when there are additional replies to this discussion.