Windows 11 - Very Slow VPN Connection

ChristopherLDR
Getting noticed

Windows 11 - Very Slow VPN Connection

We upgrade some PCs to Windows 11 and noted the VPN Connection is significantly affected.  A speed test from google indicates acceptable speeds, however, when accessing the server it is not responsive (times out and can not download files) and One Drive no longer works (i.e. can't download files).  As soon as disconnecting from the VPN all issues are resolved, and as soon as the PC is reverted by to Windows 10 issues are resolved.

 

Any suggestions?

 

Also, currently running version (MX 15.42.1).

65 REPLIES 65
ww
Kind of a big deal
Kind of a big deal

You could try anyconnect on 16.x fw 

Try to figure out how we can download AnyConnect.  Any other suggestions with the built in windows VPN connect or similar?

Looking further into this, as we have a MX64W, AnyConnect is not available.

 

Any other suggestions?

GIdenJoe
Kind of a big deal
Kind of a big deal

By default when using the windows L2TP/IPsec VPN you are building a full tunnel.

Which means your traffic to the internet will be sent over the VPN to the MX and break out from there.

 

There are many reasons, like a lack of upload speed on the internet circuit on the MX that can cause delays.

Also when using full tunnel, the firewall rules and content filter rules also apply to your client!

 

So path 1: troubleshoot on the MX what rules need to be opened and check WAN link usage and limits.
Path 2: configure your client VPN in windows to use split tunnel and add the routes only to the internal subnets that need to be reachable.

Thank you will look into this.

 

Note, the system worked fine on Windows 10, issues only occurred after upgrading to those systems to Windows 11.

Also, should note it is both the upload and download system.

PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer.

 

Try using my client VPN wizard to configure the VPN.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

With Windows 10 it uses the VPNv2-CSP subsystem - which is not exposed to the user to be able to use and configure.

 

Perhaps Windows 11 will have a higher dependence on using VPNv2-CSP.

Philip - Thank you

 

I am trying to run the script in PowerShell, but for some reason, it is not creating a new VPN under the list of VPNs or a link on my desktop as the script indicates it would.  The PowerShell window just closes.

 

Figured out it is not able to get my SID, it indicates I am logged on over Remoted Desktop (""Unable to get user SID. User may be logged on over Remote Desktop").

 

Yes, the laptop is not on VPN and outside the server environment, but it is not remotely logged in or a virtual session.

 

Could it be a Windows 11 thing?

Do you have the rights to run powershell commands remotely or add VPN through GPO?

You could do it manually:

Add-VpnConnection cmdlet and be sure to add -SplitTunneling to it.

Another thread on this board has a guide on it to add conditional routes (check my response at 01-19-2021 04:41 PM)

https://community.meraki.com/t5/Security-SD-WAN/Win10-Split-Tunneling-and-Add-VPNConnectionRoute-Com...

GldenJoe - Was not able to get this to work.  Any suggestions you have would be great.

MeneerKrabs
Here to help

same problem here with windows 11 and meraki MX100 (14.53).

We are using spilt tunnels and routes to our LAN.

MeneerKrab - Did you ever resolve the issues, we rolled back the Windows 11 devices to Windows 10 for now.  Which is a shame.

 

We are not using split tunning, and never got the PowerShell approach to work.

Not yet, I'm the only one on 11. There is an new update, but I need to install it.

Let me know how that update goes.

No more slow connections over vpn with the new insider build. 

Running this version now:
Edition Windows 11 Business
Version 21H2
OS build 22000.120
Experience Windows Feature Experience Pack 1000.22000.120.0

 

Glad it worked for you.

 

I upgraded again to windows 11, this time 22000.120, but still the same issue.

 

I ended up returning back to Windows 10 again.

I have the solution!

 

Change the port your VPN uses.

I changed mine to:

Connection type: UDP

Port: 123

 

I tried several ports before I found one that work well with Windows 11

 

Good Luck!

Thank you, I will look into that.

 

Any suggestions on the best way to do that?  Is there a way of keeping the VPN the same and adding this as an additional option?

I also have the same issue with latency.  Anyone have a solution/workaround that seems to do the job?  I too am unsure where to make the port change.  client or appliance level? Thank you.

SamJoink
Conversationalist

I've been running into this issue for a couple of months. I reported it to Microsoft and tried basically every solution I could find – to no avail.

 

On the Meraki side, I am also running firmware MX 15.42.1. I

 

As for the PCs, I am running two identical laptops with identical network cards. One with Win10 Pro and one with Win11 Pro.

 

On the Windows 10 machine, VPN speeds are consistent and reliable.

 

On the Windows 11 machine, I have always had decent (not great, but workable) VPN download speeds (~10Mbps). But my VPN upload speeds were unworkable - less than .25Mbps that's if I could even hold an upload connection long enough to run a test. 

 

Up until today, that had been consistent since the day I installed Windows 11 (more than 2 months ago). I've been running Windows 11 Insider Preview 10.0.22000.100 since 8/4/2021.

 

Today, I downloaded 2021-08 Cumulative Update for Windows 11 for x64-based systems (KB5005191). Restarted.  Uninstalled/Reinstalled a few things (Device Manager -> Network Adapters -> WAN Miniport (IP), WAN Miniport (IPV6) and WAN Miniport (PPTP)). Restarted.

 

Now, I have a workable and mostly reliable ~10Mbps up and ~10Mbps down.

 

I had been fighting this for months as most of my usage involves a work VPN rendering my Win11 PC unusable. I'm pretty happy I can finally start using Windows 11 as my primary.

 

Hope this helps someone else.

SamJoink, Thank you for the reply.

 

I did as you suggested, but unfortunately, it did not resolve the issue.  Maybe future updates will resolve it.  

I tried to uninstall those things, but it didn't make a difference.  I wonder if I need to create a new VPN entry.

StaceH
Conversationalist

Not sure if relevant to others, I found my slow VPN resolved after starting to use the ethernet nic rather than WiFi.  

lvthunder
Conversationalist

Yes, I plugged my Surface Book 3 into a USB ethernet adapter it fixed the issue.  But I imagine most people who use a VPN would like to do it via Wifi.

StaceH
Conversationalist

Yea just figured it was worth pointing out that likely cause at this point is drivers and not OS.   

StaceH
Conversationalist

For the sake of identifying root cause I am running a Intel ® Wireless-AC 9560.  How about others?

lvthunder
Conversationalist

Mine says Intel WiFi-6 AX201 160MHz in device manager.  It's a Microsoft Surface Book 3 so it's up to Microsoft to keep the drivers up to date.

I updated the drivers from Intel's website since the ones Microsoft had installed were old, but the issue ramians.

My Wifi Card is AX1650 and my wired card is a Realtek USB adapter part of my dock.

So I found an interesting workaround, to increase the speed.  If I use Wireshark to capture the network cards it seems to cause the VPN connection speed to increase, it may have something to do with how windows handles l2tp connections.

 

Any thoughts?

Update to this, this is still working, but I must run Wireshark every time I restart my computer.

Running Wireshark works for me too. I dug into it a bit and it seems related to the "Npcap Packet Driver" (npcap) that Wireshark installs. You can view it by running msinfo32.exe, then Software Environment > System Drivers. Look for npcap. You can see info there but can't change its Running state. To do that you can use command line "net stop npcap" and "net start npcap".

 

I've found that if you run (and then immediately close) Wireshark to get the decent speeds, and then stop the npcap driver, it goes back down to the bad speed. But then simply restarting the driver doesn't help; you've got to restart Wireshark. Note that if you try to stop the driver with WS still running, it fails- WS must have a lock on it.

 

So, there's something more going on; probably WS is doing something else when it starts, either directly or there's some dependency involving npcap. I'll post again if I learn any more that might help.

 

 

This works for me as well on a surface Pro 7 0.5Mb download without wireshark and 250Mb with is running, no capture just open the program. Its got to be a driver issue.

Thanks for the tips! Wireshark is the only workaround that works for me. BTW, I was having the same issue with both wire and wireless connection.

did you all had wireshark installed?

I did and uninstalled it, also npcap, first day i can work without slow connections.

In my case, I only needed to install and run Wireshark once. And speed was back to normal even without running Wireshark. 

I am no longer needing it to run it every time, but not sure if that is being of the newest update.

As a follow up to my previous post, the solution I detailed above only worked reliably for about a day. The speed issue (primarily upload) returned and remained. I have kept my Windows 11 PC on my desk and intermittently tested the VPN connection (any time there was an update to an OS or network component). I have been running Windows 11 Pro 10.0.22483 Build 22483 for a couple of days. My Meraki VPN seems to be working as it should. At this point, i am not ready to say the issue is resolved. However, the speeds (both up and down) have been as reliable as I've experienced on WIN11 to date.

I have the same nic.

can't check if the problem is solved when using the ethernet card. Will do that i a while.

I have an issue on Wifi and also hard wired.  In the past I had issues with VPN over wifi in windows 10, but that was resolved with a windows update.

nlev
Here to help

Same issue here. Looks like users on reddit reporting the same https://www.reddit.com/r/Windows11/comments/patot6/vpn_and_slow_speeds/

smartin55
Conversationalist

Following up on this old thread.  Latest patch from Microsoft for Windows 11 in April 2023 has broken VPN again.  I'm using built in windows VPN client L2TP/Ipsec.  VPN will connect (slowly), internet works fine since I'm using local gateway.  File browsing to the remote network is completely unstable and not usable.  Running wireshark as mentioned in previous posts completely fixes the issue.  Searched the internet for quite some time before stumbling on this post.  The wireshark workaround is incredibly randon, But I was pleasantly surprised when I tried it as a last ditch effort and it worked.  Only need to open wireshark once after bootup, then VPN connection works perfectly.  Windows 10 not affected with this bug, only windows 11.  Seems to be localized to PC's with only Intel Wifi or Ethernet cards.  Other brand cards don't seem affected.  Running windows 11 v22H2, build 22621.1635.

Just jumped to a new PC with win 11 and started to have issues with VPN. Glad to find this thread and little trick with Wireshark 🙂

Weird that I have fully patched win11 PC where I have this issue and fully patched win11 laptop whereall is fine...

Curios.  What are brands of the network cards in each computer.  The ones that I had issues with were all intel. My two most recent problem PCs were Lenovo desktop PCs with intel NICs.

I have problems on Desktop PC on both wifi and eth card (Intel Wi-Fi 6E AX210 160MHz and Realtek Gaming 2.5GbE Family Controller). No issues on Lenovo laptop with some pretty old 2,4 only intel card.

Last week I had one user with this problem. I replaced his laptop. Today, another user. I started to search the internet and I found this discussion. I tested the Wireshark trick and it actually works! That's just unbelievable!

 

It should be Security Update for Microsoft windows kb5026372 causing the issue. Uninstalling the patch will fix it.

The issue was fixed after i uninstalled 2 patches kb5022497 & kb5026372

kb5022497 is an update for .net while the other is a security update. The previous update that broke the meraki vpn (KB5009543) was a security update so the issue was likely kb5026372
mollyg
Comes here often

I can't even believe this works... I have been dealing with this issue FOR MONTHS.  Everything was fine when I first upgraded with windows 11 but literally the day after the "turn it back to 10" trial ran out, my VPN connection hosed.  I finally just bought a new laptop because I couldn't figure it out... same problem on the new laptop.  Finally found this post and boom... wireshark for the win. 

RocketCityGuy
Comes here often

Extremely slow internet after VPN connections. It renders applications unusable. We tried uninstalling kb5022497 & kb5026372 but it did not help. Windows automatically installed these soon after uninstalling. Any help will be appreciated.

There's a PowerShell script on here that uninstalls the update then sets the update as hidden, there's also an interesting work around of keeping the update installed but installing Wireshark and that stops the issue occuring 

 

https://www.reddit.com/r/Windows11/comments/13czkrv/comment/jjpvdxu/?utm_source=share&utm_medium=mwe...

RocketCityGuy
Comes here often

Thank you for the feedback. This is what I did.

 

  1. Checked updates and the computer was up to date. Measured speed with fast.com and got speed of about 50Mbps. Run Wireshark. VPN connected. Measured speed and  I got 360Kbps (with K!). This did not work.
  2. Paused updated on window update. Uninstalled KB5026372. Speed was about 50 Mbps again. VPN connected. Measured speed I got 570Kbps. No luck

I am running Windows 11 Pro and connecting with Windows to Meraki MX64.

 

Any ideas?

If I'm honest I hadn't had chance to try what was suggested in the link I put up, had planned to try it in the next few days. 

I assume after uninstalling the update you had rebooted the device. And it was showing as not installed after the reboot?

 

Correct. Rebooted the system and checked that the update was gone. We tried the uninstall in 3 different systems with no luck.

Try this:  disconnect from VPN.  Run wire shark if all windows updates are installed. You can now close wireshark.  go to network properties, then adapter settings.  Right click-properties on the VPN adapter.  Uncheck ipv6, then Click on IPv4 and click properties.  Then click advanced button in that screen.  Uncheck the box that says “use remote gateway”.  Click ok to save the screen.  The will let internet traffic pass through your local gateway instead of passing it all through the VPN.  Connect to the VPN and do another speed test.  Wire shark still required if your windows updates are current to make VPN connection stable.  Hopefull this fixes the internet speed issue.

Thank you smartin55. This seems to solve the internet speed issue. Unfortunately, it looks that Remote Desktop Connection does not work. 

After you enable split tunneling, you'll need routes to your local subnets.
Try something like this in powershell:

Add-VpnConnectionRoute -ConnectionName "your-vpn-connection-name" -DestinationPrefix "whatever-local-subnet-you-use"
RocketCityGuy
Comes here often

Thanks everyone. It turned out that our main issue was an upstream provider problem with the ISP in the destination network. In our context the only application that needs to go through VPN is RDP.  The suggested split tunnel solution is very helpful to keep all other traffic local. This helps because of the expected VPN speed degradation. 

Fragobar
Conversationalist

Hello All,

 

Enabling "Routing and Remote Access service" on each laptop fixed the problem for me.

I moved from 310Kb/s to 50Mb/s just by activating the service.


Other solution which look to work:
- Installing WireShark

- Installing Cisco AnyConnect (without using it)

 

No time to try but i suspect those software to activate other Windows 11 services such as "Routing and Remote Access service"

We noticed that the issue was resolved in a patch from the end of July btw. 

7/5/23 
Issue persists in the latest windows updates which replace the previous patches. 
Win11 KB5027303 which replaces KB5027231
Win10 KB5027293 which replaces KB5027215
 
7/13 
Issue persists in the following patches
Win11 Kb5028185 which replaces KB5027231
Win10 KB5028166 which replaces KB5027293
 
7/28
The issue is fixed in the latest patches
Win11 KB5028254 which replaces KB5028185
Win10 KB5028244 which replaces KB5028166
 
Note that if you want to fix this by updating windows, just keep updating windows and restarting until you no longer see updates available. You likely won't see the exact KB numbers that fix the issue because they will have been replaced by newer updates. You can look at microsofts update catalog if you want to see exactly which patch is likely to provide the fix. (ex: KB5029244 replaces KB5028244)   https://www.catalog.update.microsoft.com/

This KB5028254 does not apply to my OS. (same for KB5028185)

I'm running Win 11 Pro with up to date patchs (22621.2134) and I still have this issue.

Starting "Routing and Remote Access service" fixes my problem immediately.

 

FWI: My MX85 is behind a NAT where i have to do some PAT to match ports 500 and 4500 between my ISP router and my Meraki FW

 

I worked with Meraki support today and they suggested enabling the "Routing and Remote Access service".

It immediately fixes the problem for any affected PC!

 

Installing Wireshark and leaving it open in the background also works, but my team suspects that is because is it puts the NIC in promiscuous mode, which is inherently insecure to leave on all the time. As far as I can tell, there is no security risk in enabling the "Routing and Remote Access service". (Don't forget to set the Startup Type to automatic!)

Thank you. This worked immediately for me as well.

 

For other amateurs like myself: Open up the Services app, scroll down the list to "Routing and Remote Access" (which is likely Disabled), right click to open properties, change the startup type (manual or auto) and hit Apply, then hit the Start button that should have become available. Done.

Sunny21DC
Here to help

I can tell you what worked for me, what i did was this  flushed DNS settings.

wadavison
Conversationalist

I know I'm late to the party here but just thought I'd give my two cents.

 

Today I was able to set up AnyConnect on my Windows 11 computer and VPN to multiple MX64W's. Have had the slow VPN issue previously when using WiFi, but doesn't occur on ethernet. Wireshark worked and Remote services worked but only temporary solutions. 

 

So in summary - if you are using the Windows native VPN and having trouble, try setting up AnyConnect (Cisco Secure Client) and see if it works. I didn't have to purchase any additional AnyConnect licenses or hardware. It was all good to go basically.

 

 

You do need to purchase AnyConnect licences - they just aren't enforced.  🙂

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels