Windows 10 built in VPN Client will not hold settings

thatguy
Conversationalist


Hello,

 

I have been having an issue with VPN connections on some Windows 10 machines. This does not happen on Windows 7, and while not all Windows 10 machines are affected, it seems this is the only common factor.

 

The issue is as follows:

 

VPN is set up initially either from "Settings" or "Control Panel".

 

User credentials and VPN settings are entered in the Settings menu

 

After then going to control panel and changing the protocol to "PAP", the user authentication changes to "General Authentication" which would remove their credentials.

 

If you set up the PAP protocol first via Control Panel, then enter the user credentials under the "Settings" menu, the PAP option (Use following Protocol) will be unselected. I have set up VPN connections multiple times within Windows 10, but have never seen anything like this. Any and all help would be appreciated.

Meraki-PM-Team
Meraki Employee

Hi all.

 

We hope you are all staying safe during these difficult times. One of the results of the current global situation is a large increase in remote work — and a large increase of traffic to this community thread.

 

Since this thread is a bit old / specific, we wanted to interject here to provide quick links to the most up-to-date information about Meraki VPN. For an overview of our VPN offering, please see our official documentation here. Also, for the latest updates live from the team, please visit this community thread.

 

Stay safe and be well.

 

- The Meraki Team

 

MOD NOTE: This reply has been marked as the "solution" to this thread for greater visibility, NOT to imply that the original poster's issue has been resolved.

 

 

MerakiCrazy31
Here to help

Hi There,

 

We've also experienced this and it's starting to get a bit of a pain. What we have done as a workaround is extract the PBK file from the AppData folder and stick this on the desktop. It seems to be something to do with the Windows 10 Metro.

 

The location is:

 

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

 

This works a charm

Veldleeu
Here to help

@MerakiCrazy31 
Thank you.  This solved the issue I have with the user PCs.

 

Great to have members like you.

MerakiCrazy31
Here to help

No problem - Happy to help!

Veldleeu
Here to help

@MerakiCrazy31 

 

However, the customer has two Microsoft Surface Pro devices and the RAS Phone Book,
"%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk" workaround does work on it.

 

Even the PowerShell script command complains about a [-SplitTunneling] value.

 

Any ideas to resolve this, to get Windows 10 to hold the settings?

 

When configuring the VPN account and adapter I noticed that the “User name & Password” option changes to “General authentication method”.  Where the adapter “Security” drops “Allow these protocols” then account is changed to “User name & Password”.  Please see below. 

 

[Screenshots: VPN1.jpg, VPN2.jpg, VPN3.jpg, VPN4.jpg]

Veldleeu
Here to help

RAS Phone Book, the workaround does not work on it.
Nash
Kind of a big deal

Okay, so you're having the authentication method change? Or is something else changing too?

 

Regarding changing authentication methods, tell your users to never save their user name/password. That will muck up the settings.

 

If Win10, create them a rasphone shortcut and have them use that to log in. That can also help. Win10 appears to have an overlay between its Win10-pretty VPN interface and rasphone, and sometimes that overlay will mess up.

 

If you want a better script, try this thing I wrote. Read the comments first and modify to suit your needs. Default version installs an AllUserConnection with a split tunnel. You have to populate variables for the split tunnel if you're using AddMerakiVPN.ps1

 

Veldleeu
Here to help

Thanks @Nash, I shall follow your instructions and let you know once I have results. I need to arrange an appointment with the customer to try it out.
4HzDiuWq
Conversationalist

This is an exact description of the problem I'm having with one user on Windows 10 that started last night 11/16/2020. It seems (obviously) the problem is on the Windows side. The user stated she did a Windows update last night. I have about 200 working users on various OSs working fine: Mac, Windows 7, Windows 10, Chrome OS.

 

We have 2 VPN endpoints. This user used the old style rasphone.pbk vpn to connect and both endpoints stopped working after the update. I recreated both endpoints in the Windows 10 GUI and one started working but the second gets the same error you are getting.

 

I am investigating now and will update you if I find anything.

PCNPS-Froom
New here

Just wanted to give an update on what I have done to get it to work consistently without changing the settings back. I used the info provided by @MerakiCrazy31, but instead of copying it to the desktop I renamed the original folder to old. After that I recreated a new PBK folder and a new subfolder named _hiddenPbk but left them empty other than the names of the folders. After this I opened cmd as admin, ran the command netsh winsock reset and restarted the computer. After this I have been able to connect and disconnect from my VPN consistently without it changing any settings whatsoever. Hope this helps someone else.

Nash
Kind of a big deal

I picked this up on this forum somewhere. Best thing I've found is to create the saved VPN entry using PowerShell:

 

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional -Force

 

Run this in PowerShell as administrator and it will add the entry to all users on that device. Replace the $variables as appropriate. Windows 10 doesn't support required encryption for PAP - you can see for yourself if you change this to "-EncryptionLevel Required".

 

Tell your users to enter the user name and password each time. Do not set it to remember.

 

We prefer to set up clients with RADIUS authentication with NPS, so having them manually enter the password saves my help desk grief. If the credential is saved, we get a ton of "my VPN doesn't work" tickets because the end user's changed their Windows password.
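
An added example, not part of the post above or any poster's own script: a PowerShell check that compares the saved all-user entry against the settings used in the Add-VpnConnection command above (L2TP, PAP only, optional encryption, no remembered credential) and resets them if Windows has changed them. The connection name is a placeholder and the function name Test-VpnEntryDrift is made up for this example.

```powershell
# Added example: detect and repair drift in a saved L2TP/PAP VPN entry.
# Run elevated, because the entry is an all-user connection.
$ConnectionName = 'Example VPN'   # placeholder: use the name given to Add-VpnConnection

function Test-VpnEntryDrift {
    # Returns a list of differences between the entry and the expected settings.
    param([Parameter(Mandatory)] $Entry)   # object returned by Get-VpnConnection

    $problems = @()
    if ("$($Entry.TunnelType)" -ne 'L2tp') {
        $problems += "TunnelType is '$($Entry.TunnelType)', expected 'L2tp'"
    }
    # AuthenticationMethod is a list; only PAP should be enabled.
    $methods = @($Entry.AuthenticationMethod) -join ','
    if ($methods -ne 'Pap') {
        $problems += "AuthenticationMethod is '$methods', expected 'Pap'"
    }
    if ("$($Entry.EncryptionLevel)" -ne 'Optional') {
        $problems += "EncryptionLevel is '$($Entry.EncryptionLevel)', expected 'Optional'"
    }
    if ($Entry.RememberCredential) {
        $problems += 'RememberCredential is enabled, expected disabled'
    }
    return ,$problems
}

$entry = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Warning "No all-user VPN entry named '$ConnectionName' was found."
    return
}

$drift = Test-VpnEntryDrift -Entry $entry
if ($drift.Count -eq 0) {
    Write-Output "'$ConnectionName' still matches the expected settings."
}
else {
    $drift | ForEach-Object { Write-Warning $_ }
    # Put the entry back to the expected values without prompting.
    Set-VpnConnection -Name $ConnectionName -AllUserConnection `
        -TunnelType L2tp -AuthenticationMethod Pap `
        -EncryptionLevel Optional -RememberCredential $false -Force
    Write-Output "'$ConnectionName' was reset to L2TP with PAP."
}
```

Running it from a logon script or scheduled task gives a record of when the entry changed, which helps tie the resets described in this thread to a specific update or user action.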

EP1
Conversationalist

We've had a similar experience with the settings changing.

For more than 3 months, we've been using a pair of Meraki MX65's integrated with Active Directory for VPN access.
During this time many users have experienced an odd behavior.
The VPN stops connecting, with the connection dialog hung.
On another machine I'll verify that VPN is working.
When we review the Windows VPN client settings we find that the security settings on the VPN network adapter have changed back to the default settings.
Numerous users have had this experience (including myself) and they all say they've not been in the adapter settings, or changed the settings.

Sometimes we can get it working by setting the VPN network adapter security settings back to Meraki recommended.
Often it works better to delete and recreate the whole VPN client connection, both the VPN settings and the network adapter.

I'll give these workarounds a try.

kkwok
Here to help

I went live today and I had little success on my Windows 10. I was informed it is pretty painless; in reality, it was most painful. Does anyone have a permanent solution to this Windows 10 issue?
MerakiCrazy31
Here to help

Hi,

 

I’ve heard from suppliers that there soon might be support for the Cisco AnyConnect VPN client with Meraki. 

 

However, due to this issue we’ve been forced to use the Draytek client, which has been working without fail for lots of our users.

cottonakin
New here

Could you send me the profile settings you use with the Draytek client? I am having the same issue with Windows 10 and, for the first time, Meraki support is absolutely NO help.

MerakiCrazy31
Here to help

[Screenshot: Pasted_Image_21_03_2019__15_18.png]

 

The above is all we configure on the Draytek.

cottonakin
New here

I have those same settings and when I try to connect, it tries for about 60 seconds and then displays "Unknown Error".

BluJ
Conversationalist

This also happened to me. I would set up the VPN and it would work one time, but once you disconnect it would not connect again. If I went back into the Windows settings it changed "Username and Password" to "Generic Authentication Method", which is incorrect, and turned PAP off. The solution that worked for me is:

Wipe out the VPN and re-create it from scratch configured correctly but don't actually connect when done.

In Windows there is a tool called rasphone which is an older way to do VPN connections (can be found by searching in the start menu, or going to C:\Windows\system32)

When you start the app it pulls any existing VPN connections, and after typing in my username and password after clicking connect it not only worked but will not change settings. I created a shortcut to rasphone on the user's desktop and just named it VPN. Hope this can help someone.

CGIbs
Here to help

Does anyone see a resolution for this problem?  I have searched and attempted all the proposed fixes with no resolution.  The settings will just not stay.  Can someone recommend a good alternative?  I can't go back to my management with a wish and a prayer.

Nash
Kind of a big deal

@CGIbs Are your end users telling it to save credentials?

CGIbs
Here to help

@Nash 

 

  • Not saving Credentials
  • Recreate Config from Scratch
  • Made PowerShell script to force settings - can't force encryption
  • Made numerous Rasphone shortcuts - same result
  • Tried Draytek VPN Client - won't connect

All roads lead to error 789

cottonakin
New here

When unchecking the "Save" doesn't work, deleting and re-creating from scratch seems to make it more stable but not perfect.

 

I have created a step-by-step guide that I send to my users and tell them that if it stops working check the steps in the guide and make sure that they haven't been changed.

thatguy
Conversationalist

Here's an update as I have not had to mess with this since I posted. I ended up just making them enter their username and password every time. It's more secure that way, but they gripe. Anyway, I had to set this up again with everyone suddenly needing to work from home. Apparently Microsoft has made some improvements under the hood. Their built-in client works much better now with V1909. The settings stick. I still choose to have them enter their user name and pw every time, but should you choose to remember it, it works without resetting the VPN connection settings.


TeeDee
Comes here often

Has Meraki addressed this issue with Microsoft?  It seems to me that if Meraki's only option is to use the Microsoft client, Meraki would reach out for a solution.  This is not a new issue, but given these times with more people using VPN, one would think that this would be escalated.

 
 
Veldleeu's submission on September 11, 2019 exactly describes the problem.  Please advise ASAP.  Thanks
cmr
Kind of a big deal

They are working on making the Cisco AnyConnect client compatible with the MX client VPN.  There is a closed beta at the moment and they are working on features like split tunnelling etc.  I don't know when it will become an open beta or GA product.

Perrin
New here

This describes perfectly an issue I have observed when helping some Windows 10 users set up their Meraki VPN connections over the past week. This is a critical problem preventing some users from accessing our server. Has anyone found a fix for this? 

4HzDiuWq
Conversationalist

I have the same issue and observed the following 2 things have helped. Sorry, but I don't have a step by step reliable fix for you since it seems to be hit or miss 😞

1) Set up the VPN using Windows 10 UI but don't connect or save auth info. Launch C:\Users\FiveStars.User\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk and connect and save the auth info. Disconnect from Rasphone. Reconnect using Win 10 UI

2) I collected a laptop that had the issue so I could troubleshoot it. The problem fixed itself before I could troubleshoot. It is possible the problem is linked to one or both the 2 following Windows updates which are the only 2 that occurred within the proper timeline. However, neither update appears to be targeting VPN according to Microsoft: KB4023057, KB2267602

4HzDiuWq
Conversationalist

Another user experienced this. I changed his Windows 10 VPN auth settings from "General Authentication" back to "Username and Password". I cleared the username and password and saved it. I then launched rasphone.pbk and let the user type in auth info from there. After that both rasphone.pbk and the built-in Windows 10 VPN UI work.

WalterRobbs
New here

Here is the PowerShell that I am using and it works fine, even when you save credentials.

 

$ServerAddress = "Outside IP Address or DNS Name for the Meraki"
$ConnectionName = "Name of the Connection"
$PresharedKey = "Pre-Shared Key"

$DNSSuffix = "corp.walterrobbs.com"
$Destination = "Destination Subnet for Split-Tunneling"

Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap, CHAP, MSChapv2 -DnsSuffix $DNSSuffix -RememberCredential -Force

Start-Sleep -m 100

Set-VpnConnection -Name $ConnectionName -SplitTunneling $True

Start-Sleep -m 100

Add-Vpnconnectionroute -Connectionname $ConnectionName -DestinationPrefix $Destination

IT_Tropolis
Getting noticed

This issue is back.  I've seen it in (3) different Windows 10 Build 19042 devices in the last two days.  Is Cisco putting pressure on Microsoft to fix it???

Comstasis
Conversationalist

I was giving up hope of seeing a fix from either Microsoft or Meraki on this any time soon. If anything it is getting worse. I was connected to a client site earlier, and upon trying to reconnect I can see in the logs it is trying to use MSCHAP instead of PAP again. What!?

 

Today I started a support call to see if there is any better fix, and I've been listening to hold music for well over an hour. Could the lack of a working VPN client be contributing to the super-long hold times we've all been experiencing lately?

 

EDIT: Finally got through to support, and v16 of the MX firmware supports the Anyconnect client. That firmware is still BETA, and who knows when it will be out of beta, but that should actually resolve the issue. Supposedly some of the MX being shipped already have v16, so it should be close...

cmr
Kind of a big deal

@Comstasis we are using v16 on most of our MXs and it is perfectly stable in our experience.  We do still have a few devices on v15 that we haven't upgraded yet and one on v17 and they are all also stable.  I personally haven't used the AnyConnect client on Meraki v16 but it seems better than the previous client options already if you look at the community posts...

Comstasis
Conversationalist

Thanks for the feedback. This should be a workable solution, soon if not immediately, for anyone not on an MX64/65. Shame that's the cut-off though, when those are the most popular models...

cmr
Kind of a big deal

@Comstasis the MX65 has been EoS for some time now so that's to be expected, but there is still some hope that the MX64 will get included as it even survived the latest range realignment.
