VPN not connecting

SOLVED
ErnstTFD
Getting noticed

Hello,

I enabled Client VPN, configured a pre-shared key. I chose Meraki Cloud authentication and configured a new user with VPN authentication.

When I try to connect to the VPN from a remote system I get this error:

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

I copy/pasted the pre-shared key, the username and the password, so there cannot be a typing error.

I created and deleted the VPN connection three times. Every time I get the same error.

Any ideas what I might be doing wrong?

1 ACCEPTED SOLUTION
ErnstTFD
Getting noticed

The problem with this connection was with my ISP and not any setting on my Meraki.

There are only two things to note:

1) The host-name provided by my Meraki unit pointed to the public IP. In my case the public IP is not the same as the WAN1 IP of the Meraki. As a result, I had to specify the VPN server address as the WAN1 IP, and the host-name does not work.

2) I had to allow PAP, CHAP and MS-CHAP v2 on my PC before the connection would establish successfully.

Now the VPN connection works.

ErnstTFD
Getting noticed

I also changed this encryption setting as I found the instruction on the Meraki help pages. This did not change anything. Connection still fails with the same error.

@ErnstTFD,

The first thing you should check is the Windows Event Viewer, to find the error code.

https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting#Common_Windows_erro....

Also check in Control Panel > Administrative Tools > Services whether the IKE and AuthIP IPsec Keying Modules service is disabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I checked the Windows Event log and it gives code 789. I followed all the steps in the troubleshooting guide for error 789.

1) Check the pre-shared key: I double checked it, and it is 100% correct.

2) Firewall blocking traffic: I created rules to allow all traffic on ports 500 and 4500, inbound as well as outbound.

3) IKE and AuthIP service is running.

I still get the same error and the same code in the event log.

One question. Are you testing using the same internet link, or are you testing with another link? Like 4G.

I just performed a test and it worked well. Have you checked if there is any update to be installed on Windows?

Running latest windows update now, will confirm.

We have 2 internet lines, and I tested over the backup line. Then I also tested with the mobile hotspot on my phone, i.e. 4G. Same results.

It looks like a Windows issue. Is it possible to test it with another Windows machine (it can be a virtual machine)?

Just tried a second PC. Same error. 😭

Try to enable CHAP and check if you are sharing your internet connection on your network adapter. If yes, disable it.

But it's very strange.

Sorry, what is "Chap" and how do I enable it? Internet is not shared.

CHAP enabled on both PCs with the same results.

@ErnstTFD 

Is it possible to permit my user on the VPN? If yes, send me a direct message. I think that most of the time I had problems with VPN it was a Windows machine issue.

For a quick test I can allow that. However it is time for me to go home now and I will only be back in the office tomorrow morning. Can we take this up again tomorrow? I will send a reply when I am back in the office tomorrow.

(Thank you very much for your assistance so far, it is very much appreciated).

Yes, sure. 🙂

Hello, I'm back at the office. We can set up a test whenever you are ready.

Hi @ErnstTFD ,

Sorry about the delay, I'm in a different time zone. We can perform a test now.

GreenMan
Meraki Employee

Did you follow the configuration guide? In my experience, doing it just using Windows wizards etc. never works - you need to follow the step-by-step guide carefully for your version of OS: https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview

Check out the Network-wide > Event log for details of what the MX is seeing too.

You can, of course, also ask for assistance from Meraki Support.

I followed the configuration guide yes.

I also checked the event log, but nothing shows up here.

Johnfnadez
Building a reputation

Have you checked the events on the Meraki dashboard regarding Client VPN?

Usually I configure Windows machines by generating the PowerShell config with this script, which avoids human errors:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

Regards!

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA

Hi, I used this script tool to create a VPN Profile. The result is the same when I try to connect the VPN. Thanks for the advice though, the script tool is handy.

 

Question: If I run the script by clicking on it and selecting "Run script", it fails. I opened the script in ISE and tried to run it and got an error "Unable to remove existing instance(s) of TFD Meraki profile: Access denied".

I then re-opened ISE in administrator mode and then the script executed fine.

Is there a way to run the script as an administrator without opening ISE?
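As an added example (not the ifm.net.nz script and not code from this thread), here is a PowerShell profile script that applies the two points from the accepted solution (WAN1 IP as server address; PAP, CHAP and MS-CHAP v2 allowed) together with the NAT-T registry value and the IKE service check raised earlier in the thread, and that re-launches itself elevated so it can be run without opening ISE as administrator. `<WAN1-IP>` and `<PSK>` are placeholders; the profile name "TFD Meraki" is taken from the post above.

```powershell
# Added example, not from the thread. Placeholders: <WAN1-IP>, <PSK>.

# 1. Re-launch elevated if needed. Removing/creating an all-user profile and
#    writing under HKLM need administrator rights, which is why a non-elevated
#    ISE reports "Access denied" when it tries to remove the old profile.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Start-Process powershell.exe -Verb RunAs `
        -ArgumentList "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
    exit
}

$ProfileName   = 'TFD Meraki'
$ServerAddress = '<WAN1-IP>'   # WAN1 IP, not the dashboard host-name (solution point 1)
$Psk           = '<PSK>'       # the Client VPN pre-shared key

# 2. Windows only negotiates IKE/NAT-T (UDP 4500) with a server that sits
#    behind NAT when this value is 2; a reboot is required after changing it.
$pa = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
Set-ItemProperty -Path $pa -Name AssumeUDPEncapsulationContextOnSendRule `
    -Value 2 -Type DWord

# 3. Both services must be running for the IPsec negotiation (error 789 check).
foreach ($svc in 'IKEEXT', 'PolicyAgent') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 4. Replace any old copy of the profile, then create it. PAP/CHAP/MSChapv2
#    are acceptable here only because the PPP exchange runs inside the
#    IPsec tunnel (solution point 2).
Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-VpnConnection -AllUserConnection -Name $_.Name -Force }

Add-VpnConnection -Name $ProfileName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $Psk -EncryptionLevel Optional `
    -AuthenticationMethod Pap, Chap, MSChapv2 `
    -AllUserConnection -RememberCredential -Force

# 5. Verify: ServerAddress must be the WAN1 IP and all three methods listed.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Save it as a .ps1 and right-click it; the script prompts for elevation itself, so ISE is not needed.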

ErnstTFD
Getting noticed

Update! I have worked with my ISP to ensure that all traffic is forwarded to my Meraki. I've also added two rules to my Firewall (L3) to allow all traffic on ports 500 and 4500.

When I do a packet capture on the internet interface, I get a lot of traffic on port 4500 and some traffic on port 500.

However when I do a packet capture on the "Client VPN" interface, then no data is captured or recorded in the pcap file.

It seems that the connection request does not reach the Client VPN interface. Do you have any suggestions where I can look to check that the traffic is allowed to reach the Client VPN?

Also, I now get a different error than before: "The connection was terminated by the remote computer before it could be completed". When I look in the Windows event log I get error code 628.

What version are you running? In my opinion, it is a bug or the issue is before the MX.

Firmware
Up to date
Current version: MX 16.16
It says up to date.

I've tested the VPN client on all my clients running the same version, and it worked without any issues. That's why I believe it is something before the MX.

My Meraki sits behind a Mikrotik router that is managed by the ISP. According to them, all incoming traffic to the public IP is being forwarded to the Meraki. They sent me their firewall rules to look at. I'm not an expert in Mikrotik firewalls, but it seems in order to me.

This is what they have sent:

0    chain=srcnat action=masquerade src-address=!41.138.70.12/30 out-interface=Client_Details log=no log-prefix=""

1    chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=tcp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""

2    chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=udp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""

3    chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=gre log=no log-prefix=""

4    chain=srcnat action=masquerade dst-address=192.168.0.91 log=no log-prefix=""

Are they using CG-NAT?

Not sure, I will inquire and give you feedback when I get it.

Confirmed. The ISP is using CG-NAT.

I observed some people talking about the same issue when the ISP uses CG-NAT, but I don't know if the issue was solved.

Is it possible to ask your ISP to create a port forwarding for these ports?

I will try to simulate it here.

To confirm, the ports that should be forwarded are 500 and 4500? Are there any other ports required?

You are correct. I tested here with port forwarding, but the connection was not established. I saw in the logs that the connection was closed. 😕

Yes, this seems to be our issue.

Do you think it will solve the issue if I ask the ISP to give me a public IP for the Meraki and move it out of the DMZ?

They have given me a /30 IP for another device which does work OK.

For all my customers I use a public IP without CG-NAT, and it has been working well. So I assume that the answer is yes. 🙂

OK, I will ask the ISP to create a public IP for me and move the Meraki to the new address. Fingers crossed this solves the issue.

ANDRESJC
New here

Good morning, I have the same problem and I don't quite understand how you solved the problem with your MERAKI. Thank you.
