We upgraded some PCs to Windows 11 and noted the VPN connection is significantly affected. A speed test from Google indicates acceptable speeds; however, when accessing the server it is not responsive (times out and cannot download files) and OneDrive no longer works (i.e. can't download files). As soon as we disconnect from the VPN all issues are resolved, and as soon as the PC is reverted back to Windows 10 the issues are resolved.
Also, currently running version (MX 15.42.1).
By default when using the windows L2TP/IPsec VPN you are building a full tunnel.
Which means your traffic to the internet will be sent over the VPN to the MX and break out from there.
There are many reasons, like a lack of upload speed on the internet circuit on the MX that can cause delays.
Also when using full tunnel, the firewall rules and content filter rules also apply to your client!
So path 1: troubleshoot on the MX what rules need to be opened and check WAN link usage and limits.
Path 2: configure your client VPN in windows to use split tunnel and add the routes only to the internal subnets that need to be reachable.
Thank you will look into this.
Note, the system worked fine on Windows 10; issues only occurred after upgrading those systems to Windows 11.
I don't know the answer.
Try using my client VPN wizard to configure the VPN.
With Windows 10 it uses the VPNv2-CSP subsystem - which is not exposed to the user to be able to use and configure.
Perhaps Windows 11 will have a higher dependence on using VPNv2-CSP.
Philip - Thank you
I am trying to run the script in PowerShell, but for some reason, it is not creating a new VPN under the list of VPNs or a link on my desktop as the script indicates it would. The PowerShell window just closes.
Figured out it is not able to get my SID, it indicates I am logged on over Remote Desktop ("Unable to get user SID. User may be logged on over Remote Desktop").
Yes, the laptop is not on VPN and outside the server environment, but it is not remotely logged in or a virtual session.
Could it be a Windows 11 thing?
Do you have the rights to run powershell commands remotely or add VPN through GPO?
You could do it manually:
Add-VpnConnection cmdlet and be sure to add -SplitTunneling to it.
Another thread on this board has a guide on it to add conditional routes (check my response at 01-19-2021 04:41 PM)
MeneerKrab - Did you ever resolve the issues, we rolled back the Windows 11 devices to Windows 10 for now. Which is a shame.
We are not using split tunneling, and never got the PowerShell approach to work.
No more slow connections over vpn with the new insider build.
Glad it worked for you.
I upgraded again to windows 11, this time 22000.120, but still the same issue.
I ended up returning back to Windows 10 again.
I have the solution!
Change the port your VPN uses.
I changed mine to:
Connection type: UDP
I tried several ports before I found one that works well with Windows 11
Thank you, I will look into that.
Any suggestions on the best way to do that? Is there a way of keeping the VPN the same and adding this as an additional option?
I also have the same issue with latency. Anyone have a solution/workaround that seems to do the job? I too am unsure where to make the port change. client or appliance level? Thank you.
I've been running into this issue for a couple of months. I reported it to Microsoft and tried basically every solution I could find – to no avail.
On the Meraki side, I am also running firmware MX 15.42.1. I
As for the PCs, I am running two identical laptops with identical network cards. One with Win10 Pro and one with Win11 Pro.
On the Windows 10 machine, VPN speeds are consistent and reliable.
On the Windows 11 machine, I have always had decent (not great, but workable) VPN download speeds (~10Mbps). But my VPN upload speeds were unworkable - less than .25Mbps that's if I could even hold an upload connection long enough to run a test.
Up until today, that had been consistent since the day I installed Windows 11 (more than 2 months ago). I've been running Windows 11 Insider Preview 10.0.22000.100 since 8/4/2021.
Today, I downloaded 2021-08 Cumulative Update for Windows 11 for x64-based systems (KB5005191). Restarted. Uninstalled/Reinstalled a few things (Device Manager -> Network Adapters -> WAN Miniport (IP), WAN Miniport (IPV6) and WAN Miniport (PPTP)). Restarted.
Now, I have a workable and mostly reliable ~10Mbps up and ~10Mbps down.
I had been fighting this for months as most of my usage involves a work VPN rendering my Win11 PC unusable. I'm pretty happy I can finally start using Windows 11 as my primary.
Hope this helps someone else.
SamJoink, Thank you for the reply.
I did as you suggested, but unfortunately, it did not resolve the issue. Maybe future updates will resolve it.
Yes, I plugged my Surface Book 3 into a USB ethernet adapter and it fixed the issue. But I imagine most people who use a VPN would like to do it via Wifi.
Mine says Intel WiFi-6 AX201 160MHz in device manager. It's a Microsoft Surface Book 3 so it's up to Microsoft to keep the drivers up to date.
So I found an interesting workaround, to increase the speed. If I use Wireshark to capture the network cards it seems to cause the VPN connection speed to increase, it may have something to do with how windows handles l2tp connections.
Running Wireshark works for me too. I dug into it a bit and it seems related to the "Npcap Packet Driver" (npcap) that Wireshark installs. You can view it by running msinfo32.exe, then Software Environment > System Drivers. Look for npcap. You can see info there but can't change its Running state. To do that you can use command line "net stop npcap" and "net start npcap".
I've found that if you run (and then immediately close) Wireshark to get the decent speeds, and then stop the npcap driver, it goes back down to the bad speed. But then simply restarting the driver doesn't help; you've got to restart Wireshark. Note that if you try to stop the driver with WS still running, it fails- WS must have a lock on it.
So, there's something more going on; probably WS is doing something else when it starts, either directly or there's some dependency involving npcap. I'll post again if I learn any more that might help.
This works for me as well on a Surface Pro 7: 0.5Mb download without Wireshark and 250Mb with it running, no capture, just open the program. It's got to be a driver issue.
Thanks for the tips! Wireshark is the only workaround that works for me. BTW, I was having the same issue with both wire and wireless connection.
As a follow up to my previous post, the solution I detailed above only worked reliably for about a day. The speed issue (primarily upload) returned and remained. I have kept my Windows 11 PC on my desk and intermittently tested the VPN connection (any time there was an update to an OS or network component). I have been running Windows 11 Pro 10.0.22483 Build 22483 for a couple of days. My Meraki VPN seems to be working as it should. At this point, I am not ready to say the issue is resolved. However, the speeds (both up and down) have been as reliable as I've experienced on WIN11 to date.
I have an issue on Wifi and also hard wired. In the past I had issues with VPN over wifi in windows 10, but that was resolved with a windows update.
Following up on this old thread. Latest patch from Microsoft for Windows 11 in April 2023 has broken VPN again. I'm using the built-in Windows VPN client, L2TP/IPsec. VPN will connect (slowly), internet works fine since I'm using local gateway. File browsing to the remote network is completely unstable and not usable. Running Wireshark as mentioned in previous posts completely fixes the issue. Searched the internet for quite some time before stumbling on this post. The Wireshark workaround is incredibly random, but I was pleasantly surprised when I tried it as a last-ditch effort and it worked. Only need to open Wireshark once after bootup, then VPN connection works perfectly. Windows 10 not affected with this bug, only Windows 11. Seems to be localized to PCs with only Intel Wifi or Ethernet cards. Other brand cards don't seem affected. Running Windows 11 v22H2, build 22621.1635.
Just jumped to a new PC with win 11 and started to have issues with VPN. Glad to find this thread and little trick with Wireshark 🙂
Weird that I have a fully patched win11 PC where I have this issue and a fully patched win11 laptop where all is fine...
Curious. What are the brands of the network cards in each computer? The ones that I had issues with were all Intel. My two most recent problem PCs were Lenovo desktop PCs with Intel NICs.
I have problems on Desktop PC on both wifi and eth card (Intel Wi-Fi 6E AX210 160MHz and Realtek Gaming 2.5GbE Family Controller). No issues on Lenovo laptop with some pretty old 2,4 only intel card.
Last week I had one user with this problem. I replaced his laptop. Today, another user. I started to search the internet and I found this discussion. I tested the Wireshark trick and it actually works! That's just unbelievable!
I can't even believe this works... I have been dealing with this issue FOR MONTHS. Everything was fine when I first upgraded with windows 11 but literally the day after the "turn it back to 10" trial ran out, my VPN connection hosed. I finally just bought a new laptop because I couldn't figure it out... same problem on the new laptop. Finally found this post and boom... wireshark for the win.
Extremely slow internet after VPN connections. It renders applications unusable. We tried uninstalling kb5022497 & kb5026372 but it did not help. Windows automatically installed these soon after uninstalling. Any help will be appreciated.
There's a PowerShell script on here that uninstalls the update then sets the update as hidden, there's also an interesting work around of keeping the update installed but installing Wireshark and that stops the issue occurring
Thank you for the feedback. This is what I did.
I am running Windows 11 Pro and connecting with Windows to Meraki MX64.
If I'm honest I hadn't had chance to try what was suggested in the link I put up, had planned to try it in the next few days.
I assume after uninstalling the update you had rebooted the device. And it was showing as not installed after the reboot?
Correct. Rebooted the system and checked that the update was gone. We tried the uninstall in 3 different systems with no luck.
Try this: disconnect from VPN. Run Wireshark if all Windows updates are installed. You can now close Wireshark. Go to network properties, then adapter settings. Right click-properties on the VPN adapter. Uncheck IPv6, then click on IPv4 and click properties. Then click the advanced button in that screen. Uncheck the box that says “use remote gateway”. Click OK to save the screen. This will let internet traffic pass through your local gateway instead of passing it all through the VPN. Connect to the VPN and do another speed test. Wireshark is still required if your Windows updates are current to make the VPN connection stable. Hopefully this fixes the internet speed issue.
Thank you smartin55. This seems to solve the internet speed issue. Unfortunately, it looks that Remote Desktop Connection does not work.
After you enable split tunneling, you'll need routes to your local subnets.
Try something like this in powershell:
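An added example, not the poster's own script: enabling split tunneling on an existing Windows VPN connection and adding routes for the internal subnets with the built-in VpnClient cmdlets. The connection name and subnets are placeholders, and a per-user (not all-user) connection is assumed.

```powershell
# Added example. The two values below are placeholders, not values from the thread.
$ConnectionName  = 'Meraki VPN'                              # placeholder: name of the existing VPN connection
$InternalSubnets = @('192.168.10.0/24', '192.168.20.0/24')   # placeholder: subnets behind the MX

# Fail early if the connection does not exist under this user profile.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Routing changes take effect on the next connect, so make them while disconnected.
if ($vpn.ConnectionStatus -eq 'Connected') {
    Write-Warning "'$ConnectionName' is connected; reconnect after this script for the changes to apply."
}

# Same effect as unchecking the remote-gateway box in the adapter's IPv4 advanced settings:
# only routed prefixes go through the tunnel, everything else uses the local gateway.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Add one route per internal subnet, skipping prefixes that are already present.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $InternalSubnets) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Verify the result: split tunneling on, and every internal subnet listed.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling,
        @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

With split tunneling on, traffic to any subnet that is not in the route list (an RDP host, for instance) leaves through the local gateway instead of the tunnel, so list every internal prefix that must stay reachable.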
Thanks everyone. It turned out that our main issue was an upstream provider problem with the ISP in the destination network. In our context the only application that needs to go through VPN is RDP. The suggested split tunnel solution is very helpful to keep all other traffic local. This helps because of the expected VPN speed degradation.
Enabling "Routing and Remote Access service" on each laptop fixed the problem for me.
I moved from 310Kb/s to 50Mb/s just by activating the service.
Other solutions which look to work:
- Installing WireShark
- Installing Cisco AnyConnect (without using it)
No time to try but I suspect those software to activate other Windows 11 services such as "Routing and Remote Access service"
We noticed that the issue was resolved in a patch from the end of July btw.
This KB5028254 does not apply to my OS. (same for KB5028185)
I'm running Win 11 Pro with up to date patches (22621.2134) and I still have this issue.
Starting "Routing and Remote Access service" fixes my problem immediately.
FWI: My MX85 is behind a NAT where I have to do some PAT to match ports 500 and 4500 between my ISP router and my Meraki FW
I worked with Meraki support today and they suggested enabling the "Routing and Remote Access service".
It immediately fixes the problem for any affected PC!
Installing Wireshark and leaving it open in the background also works, but my team suspects that is because it puts the NIC in promiscuous mode, which is inherently insecure to leave on all the time. As far as I can tell, there is no security risk in enabling the "Routing and Remote Access service". (Don't forget to set the Startup Type to automatic!)
Thank you. This worked immediately for me as well.
For other amateurs like myself: Open up the Services app, scroll down the list to "Routing and Remote Access" (which is likely Disabled), right click to open properties, change the startup type (manual or auto) and hit Apply, then hit the Start button that should have become available. Done.
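The same Services-app steps as a script, for applying the fix to several PCs (an added example, not from the thread or from Meraki). It assumes an elevated PowerShell session, and it also reports the state of the npcap driver mentioned earlier in the thread, so you can see whether a machine was relying on the Wireshark workaround.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# 'RemoteAccess' is the service name behind the "Routing and Remote Access" display name.
function Enable-RoutingAndRemoteAccess {
    $svc = Get-Service -Name RemoteAccess -ErrorAction Stop
    $startTypeBefore = $svc.StartType
    $statusBefore    = $svc.Status

    # A Disabled service cannot be started, so fix the startup type first.
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name RemoteAccess -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name RemoteAccess
    }

    # npcap is a kernel driver installed by Wireshark; $null here means it is not installed.
    $npcap = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npcap'"

    # Re-read the service so the report reflects the state after the change.
    $svc = Get-Service -Name RemoteAccess
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        StartTypeBefore = $startTypeBefore
        StatusBefore    = $statusBefore
        StartTypeAfter  = $svc.StartType
        StatusAfter     = $svc.Status
        NpcapDriver     = if ($npcap) { $npcap.State } else { 'not installed' }
    }
}

Enable-RoutingAndRemoteAccess | Format-List
```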