We have a built-in Windows VPN connection to a Meraki MX firewall with RADIUS authentication. All other users are on Windows 10 and can connect to the VPN except one particular user, whose VPN connection suddenly stopped working. We keep getting the error below when we try to connect to the VPN.
The user Domain\user dialed a connection named XXX VPN which has failed. The error code returned on failure is 718.
Appreciate any suggestions.
Update: The client was getting to the MX but was failing to complete the IPsec negotiation. We ended up disabling and re-enabling the domain user account in AD and it worked. Turns out disabling and enabling stuff can sometimes be a fix.
Does that user have "Dial-In rights" ticked?
@CptnCrnch It's RADIUS authentication, so on the user profile in the DC, under the "Dial-in" tab, "Control access through NPS Policy" is ticked.
OK, according to https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/error-codes-for-dial-up-vpn-... error code 718 means "PPP timeout". Are you seeing the client connecting to the MX in the logs?
@CptnCrnch here is the log.
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: failed to begin ipsec sa negotiation.
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: no configuration found for 71.58.172.3.
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA deleted 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA expired 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: purged IPsec-SA proto_id=ESP spi=3934531562.
Mar 25 11:49:17 | Non-Meraki / Client VPN negotiation | msg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=3934531562(0xea842fea)
Mar 25 11:49:17 | Non-Meraki / Client VPN negotiation | msg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=4838986(0x49d64a)
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 19.
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 20.
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Mar 25 11:49:08 | Non-Meraki / Client VPN negotiation | msg: failed to begin ipsec sa negotiation.
Mar 25 11:49:08 | Non-Meraki / Client VPN negotiation | msg: no configuration found for 71.58.172.3.
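An added example, not from the thread and not Meraki code: a small Python parser that takes the MX event-log lines pasted above, puts them back in chronological order (the dashboard lists newest first), groups them per remote peer and decides how far the IKE/IPsec exchange got. Run over this log it reports that phase 1 completed at 11:49:16, two ESP/Transport SAs came up at 11:49:17, and everything was torn down 21 seconds later. Combined with the client-side 718 (PPP timeout) from the Microsoft error-code list linked earlier, that points above IPsec, at the L2TP/PPP layer where the RADIUS/AD user authentication happens, which fits the AD-account fix in the update. The "invalid DH group" and "broken Microsoft ID" lines precede a successful ISAKMP-SA in the same second, so they are counted as proposal noise rather than failures. Assumptions: the MX's own address appears first and the remote peer last on the SA lines, and lines that carry no address belong to the most recently seen peer; SAMPLE_LOG is the thread's log copied in as constructed input.

```python
"""Group Meraki MX 'Non-Meraki / Client VPN negotiation' events per remote peer
and decide how far the IKE/IPsec exchange got.  Added example, not Meraki code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the MX event log from the thread, newest line first, with the
# trailing table separators ("| |") left in so the parser has to cope with them.
SAMPLE_LOG = """\
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: failed to begin ipsec sa negotiation. | |
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: no configuration found for 71.58.172.3. | |
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA deleted 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65 | |
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA expired 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65 | |
Mar 25 11:49:37 | Non-Meraki / Client VPN negotiation | msg: purged IPsec-SA proto_id=ESP spi=3934531562. | |
Mar 25 11:49:17 | Non-Meraki / Client VPN negotiation | msg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=3934531562(0xea842fea) | |
Mar 25 11:49:17 | Non-Meraki / Client VPN negotiation | msg: IPsec-SA established: ESP/Transport 50.251.93.129[4500]->71.58.172.3[4500] spi=4838986(0x49d64a) | |
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established 50.251.93.129[4500]-71.58.172.3[4500] spi:ad6965d1e1ee391c:50753a6a5b2dda65 | |
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 19. | |
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: invalid DH group 20. | |
Mar 25 11:49:16 | Non-Meraki / Client VPN negotiation | msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY | |
Mar 25 11:49:08 | Non-Meraki / Client VPN negotiation | msg: failed to begin ipsec sa negotiation. | |
Mar 25 11:49:08 | Non-Meraki / Client VPN negotiation | msg: no configuration found for 71.58.172.3. |
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \| (?P<src>[^|]+?) \| msg: (?P<msg>.*?)[\s|]*$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Message prefixes as racoon (the MX's IKEv1 daemon) writes them; anything else is "other".
KINDS = (
    ("ISAKMP-SA established", "ike_up"),
    ("ISAKMP-SA deleted", "ike_down"),
    ("ISAKMP-SA expired", "ike_down"),
    ("IPsec-SA established", "ipsec_up"),
    ("purged IPsec-SA", "ipsec_down"),
    ("no configuration found", "neg_fail"),
    ("failed to begin ipsec sa negotiation", "neg_fail"),
    ("invalid DH group", "proposal_noise"),          # rejected proposal, retried with another group
    ("received broken Microsoft ID", "proposal_noise"),  # Windows vendor-ID quirk, informational
)


def classify(msg):
    for prefix, kind in KINDS:
        if msg.startswith(prefix):
            return kind
    return "other"


def parse_mx_log(text):
    """Return (timestamp, peer_ip_or_None, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # The dashboard export carries no year; ordering within one day is all we need.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        ips = IP_RE.findall(msg)
        # Assumption: the MX's own address is listed first, the remote peer last.
        events.append((ts, ips[-1] if ips else None, msg))
    if events and events[0][0] > events[-1][0]:
        events.reverse()                 # dashboard shows newest first
    events.sort(key=lambda e: e[0])      # stable, so same-second order survives
    return events


def summarize(events):
    """Per-peer counters plus when phase 1 came up and was first torn down."""
    def fresh():
        return {"ike_up": None, "ike_down": None, "ipsec_up": 0, "ipsec_down": 0,
                "neg_fail": 0, "proposal_noise": 0, "other": 0}
    peers = defaultdict(fresh)
    last_peer = None
    for ts, peer, msg in events:
        if peer is None:
            # racoon does not repeat the address on every line; attribute such lines
            # to the peer seen most recently (heuristic, fine for a one-client capture).
            peer = last_peer or "unknown"
        else:
            last_peer = peer
        s = peers[peer]
        kind = classify(msg)
        if kind == "ike_up":
            s["ike_up"] = ts
        elif kind == "ike_down":
            if s["ike_down"] is None:
                s["ike_down"] = ts
        else:
            s[kind] += 1
    return dict(peers)


def sa_lifetime_seconds(s):
    if s["ike_up"] is None or s["ike_down"] is None:
        return None
    return (s["ike_down"] - s["ike_up"]).total_seconds()


def verdict(s):
    """Which layer failed, seen from the MX side."""
    if s["ike_up"] is None:
        return "phase1_failed"            # PSK, IKE proposal or UDP 500/4500 reachability
    if s["ipsec_up"] == 0:
        return "phase2_failed"            # ESP proposal / transport-mode mismatch
    if s["ike_down"] is not None:
        return "ipsec_ok_then_torn_down"  # tunnel worked; look above IPsec (L2TP/PPP, RADIUS/AD)
    return "ipsec_up"


if __name__ == "__main__":
    for peer, s in summarize(parse_mx_log(SAMPLE_LOG)).items():
        counters = {k: v for k, v in s.items() if isinstance(v, int)}
        print(peer, verdict(s), "lifetime:", sa_lifetime_seconds(s), "s", counters)
```

The verdict is deliberately coarse: it only tells you whether the tunnel layer is the thing to chase. If the MX shows phase 1 and phase 2 SAs established and then expired a few seconds later while the Windows client reports 718, the IPsec pre-shared key and proposals are fine and the next place to look is the L2TP/PPP authentication path (NPS policy, the AD account, and RADIUS timeouts).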
I did see this post, but it does not apply to my issue. The problem is that the VPN adapter times out before it has a chance to reach the secondary RADIUS server listed in the MX. The user also has to have enough time to approve the Duo MFA request on their mobile device. As I mentioned, the server does work if I place it first in the list. I've contacted both Duo and Meraki. Meraki tried to adjust the timeout value on the Meraki side, but it's the VPN adapter on the Windows computer that closes the session first.