VPN Connection Error 789

AdminTS
Comes here often

We have set up the client VPN connection on an MX64. No connection can be established with several clients. We have learned that UDP 500 and UDP 4500 must be opened. The two ports have been opened in the Layer 3 inbound rules (but when we check the ports, they are still reported as closed). Our Internet router is running in bridge mode, just for information. We noticed that no VPN connection attempts arrive at the MX, which means it must be due to the clients, or do you agree? We therefore don't think we need to make any further adjustments to the firewall. Although we have also opened the ports on the clients, nothing else happens. Error 789 keeps appearing in the Windows event log. We can safely rule out an input error. We have also tried to set up port forwarding for both ports on the MX. However, we cannot enter or save the public IP address of the MX as the destination. A message appears stating that this IP address has not been configured as a subnet. Are we making a mistake in the whole thing?

18 Replies
alemabrahao
Kind of a big deal
789 usually means the PSK is incorrect, but it can also appear when you have an incorrect credential or when Windows changes the password protocol for you.

For testing, I recommend using your smartphone's hotspot that is not 100% on the same network as your firewall.



https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting/Unable_to_Connect_t...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AdminTS
Comes here often

I have already tested whether other clients also have problems with VPN. We can't connect to other clients either. So it can't be due to the clients.

alemabrahao
Kind of a big deal

See the troubleshooting guide.


You can try to generate a new connection using this website.


https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

AdminTS
Comes here often

Unfortunately, I cannot say how to deal with PowerShell. I don't have enough experience. However, we have deleted and recreated the VPN that we set up under Windows several times. We assume there is no error there.

alemabrahao
Kind of a big deal

You can do it, just generate the file and run it as administrator.

If you try a little, you can find how to do it just by searching on Google.


https://www.geeksforgeeks.org/how-to-run-powershell-script-from-cmd/

AdminTS
Comes here often

Even if you set up the VPN connection again with PowerShell, it will not solve the problem. At least I am convinced that it will. In the end, it comes down to the same thing whether you add the VPN manually or with PowerShell.

alemabrahao
Kind of a big deal

You may have some wrong configuration; with the link provided, all the necessary parameters will be configured correctly.

I believe it's worth trying.

rhbirkelund
Kind of a big deal

It has been seen many times before that an L2TP VPN configuration breaks between Windows updates, resulting in having to reconfigure the VPN connection profile.


You don't need to forward udp/500 and udp/4500 on the MX. These should be open automatically as soon as you enable Client VPN.


Could it be your upstream ISP router? I've seen before that it needs to forward these ports to the MX instead.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
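The PowerShell profile generation suggested earlier in the thread and the L2TP-profile breakage after Windows updates mentioned in the reply above can both be handled with a script like the following. This is an added example, not code from the thread, from Cisco Meraki or from the ifm cookbook. It deletes any stale profile, recreates the L2TP/IPsec connection with the settings Meraki Client VPN expects (L2TP tunnel, pre-shared key, PAP, encryption required), sets the NAT-T registry value that Windows requires when either end is behind NAT, and optionally dials and reads back the RasClient event that carries the numeric failure code (789 is Microsoft's generic code for the IPsec security layer failing during initial negotiation). The connection name, server address, PSK, user and password are hypothetical placeholders.

```powershell
# Added example: recreate a Meraki-style L2TP/IPsec Client VPN profile on Windows
# and read back the RasClient failure code. Run from an elevated PowerShell session.
# All default values below are hypothetical placeholders, not values from the thread.

param(
    [string]$ConnectionName = 'Meraki VPN',               # assumed profile name
    [string]$ServerAddress  = 'vpn.example.com',          # assumed: MX public IP or DDNS name
    [string]$Psk            = 'REPLACE_WITH_SHARED_SECRET', # assumed placeholder PSK
    [switch]$Connect,                                     # dial after creating the profile
    [string]$User,                                        # assumed: Client VPN user name
    [string]$Password                                     # assumed: Client VPN password
)

# 1. Remove any existing profile of the same name. Saved L2TP profiles are known
#    to break across Windows updates, so always start from a freshly built one.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    rasdial $ConnectionName /disconnect | Out-Null
    Remove-VpnConnection -Name $ConnectionName -Force
}

# 2. Create the profile with the parameters Meraki Client VPN (L2TP/IPsec) requires:
#    L2TP over IPsec, pre-shared key, PAP for the inner authentication, encryption required.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod Pap `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# 3. Windows will not negotiate IPsec NAT-T with a peer behind NAT unless this value
#    is set (2 = client and/or server may be behind NAT). A reboot is required after
#    changing it; until then the dial still fails.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$regName  = 'AssumeUDPEncapsulationContextOnSendRule'
$current  = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($current -ne 2) {
    Set-ItemProperty -Path $regPath -Name $regName -Value 2 -Type DWord
    Write-Warning "$regName set to 2; reboot before testing the connection."
}

# 4. Optionally dial and show the RasClient events that record the result. Event 20227
#    ("...which has failed. The error code returned on failure is N.") carries the number
#    Windows shows in the GUI, e.g. 789.
if ($Connect) {
    rasdial $ConnectionName $User $Password
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
        -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-List
}
```

Run it once without `-Connect` to rebuild the profile and set the registry value, reboot, then run it with `-Connect -User ... -Password ...`. While it dials, a packet capture on the MX Internet interface with the display filter `udp.port == 500 || udp.port == 4500` shows whether the IKE (500) and NAT-T (4500) packets reach the MX at all; if they do not, the problem is upstream of the MX, as the reply above suggests.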
AdminTS
Comes here often

I have also often read that Windows updates can lead to problems.

Then I wasn't imagining it because of the ports. It wouldn't make much sense to open ports for IPsec anyway.

We can't set port forwarding on the ISP router, as it no longer operates as a router, but only forwards the Internet (bridge mode).

rhbirkelund
Kind of a big deal

As long as it's in bridge mode, then it should be OK.


If you do a PCAP on the MX Internet interface, do you see connections from the client, while initiating vpn connection?

AdminTS
Comes here often

No, unfortunately I don't see any records regarding VPN on the MX. This means that the connection does not even reach the MX. But because all clients cannot connect, the problem must not be with the clients or the MX. But I can't imagine there being a problem with the ISP router either.

alemabrahao
Kind of a big deal

Have you tried disabling the system firewall? Otherwise, my suggestion would still be to run PowerShell.

AdminTS
Comes here often

You mean our Meraki Firewall or the Windows Firewall?

AdminTS
Comes here often

I have deactivated the Windows firewall or the antivirus and nothing has changed.

AdminTS
Comes here often

It doesn't seem to work with AnyConnect either.

rhbirkelund
Kind of a big deal

Something is dropping traffic from the client to the MX, so I would suggest you reach out to whoever manages your upstream ISP router, and see what happens there.

michel_naeher
New here

So you mean I should contact the provider with whom we have the Internet? We have just recently carried out a test with several clients and the same error occurs with all of them. So it must be a problem with the Internet provider or something is wrong with the modem. Do you agree with my assumption?

AdminTS
Comes here often

I was finally able to solve the problem. I'd be happy to tell you how I finally managed to do it.

We have several WLAN networks and some of them were set up with VLAN tagging and not as bridged, but tunneled to a concentrator. We had to set this up so that all devices received the correct IP addresses. We briefly deleted this configuration and then undid it. Since then, we have also been able to establish a VPN connection. Everything works as it should.

However, the VPN connection does not work on the smartphone. No matter whether with Cisco AnyConnect or Android's own VPN solution. I'm still in the dark at the moment.
