macOS VPN clients no longer connecting

bhad0124627
New here

MX67C running 14.39

Starting last week, only macOS clients cannot connect. They are running anywhere from 10.14.3 to 10.14.6. iOS clients are all OK. Win7 and Win10 are all OK.

From ppp.log:

Tue Aug 6 08:50:28 2019 : publish_entry SCDSet() failed: Success!
Tue Aug 6 08:50:28 2019 : publish_entry SCDSet() failed: Success!
Tue Aug 6 08:50:28 2019 : l2tp_get_router_address
Tue Aug 6 08:50:28 2019 : l2tp_get_router_address 172.20.10.1 from dict 1
Tue Aug 6 08:50:28 2019 : L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
Tue Aug 6 08:50:28 2019 : IPSec connection started
Tue Aug 6 08:50:28 2019 : IPSec phase 1 client started
Tue Aug 6 08:50:28 2019 : IPSec phase 1 server replied
Tue Aug 6 08:50:29 2019 : IPSec phase 2 started
Tue Aug 6 08:51:00 2019 : IPSec connection failed
Tue Aug 6 09:01:27 2019 : publish_entry SCDSet() failed: Success!
Tue Aug 6 09:01:27 2019 : publish_entry SCDSet() failed: Success!
Tue Aug 6 09:01:27 2019 : l2tp_get_router_address
Tue Aug 6 09:01:27 2019 : l2tp_get_router_address x.x.x.x from dict 1
Tue Aug 6 09:01:27 2019 : L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
Tue Aug 6 09:01:27 2019 : IPSec connection started
Tue Aug 6 09:01:28 2019 : IPSec phase 1 client started
Tue Aug 6 09:01:38 2019 : IPSec connection failed

From Meraki logs:

[screenshot of the Meraki event log: Screen Shot 2019-08-06 at 9.08.55 AM.png]

SoCalRacer
Kind of a big deal

I have current macOS devices using the VPN without issue. Might try a reconfig of the VPN profile on a laptop for testing. Also, was there any recent firmware upgrade to the MX? You might want to check the change log to see what might have been done that could be contributing to the problem.

Using an MX64 on 14.39

Thanks for the reply.

The issue started before the latest firmware update. We (finally) got on 14.39 and the issue remains.

I've reconfigured the VPN profile on several machines for testing with no success.

I have seen some discussion about changing the shared secret, but with the number of users we have I don't know which would be more of a headache.

One issue we had with macOS was when it was used on a home connection where, a lot of the time, the subnet was 192.168.1.0/24: macOS was not sending the correct packets to the VPN/LAN subnet of the MX, which was also 192.168.1.0/24. So the end result was to change the LAN on the MX and the VPN subnet to be different from the standard home configs where you might run into issues, which is actually best practice anyway, so I just thought I would mention it.

Nash
Kind of a big deal

If the connection established itself, I'd look for overlapping subnets. I've had Macs happily connect in the past even when both were on 192.168.0.0/24 or 192.168.1.0/24.

But it sounds like the connection doesn't connect at all? If I'm reading the logs right, p1 will connect but then p2 fails.

Does that sound right, @bhad0124627?

That's correct. The connection never completes.

We worked through the subnet issues when we first deployed, but those were happily resolved. Thank you both for that idea though.
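Nash's reading of the ppp.log excerpt above (phase 1 completes, phase 2 fails), which the OP confirms, is easy to mechanise. The following Python script is an added example and is not code from this thread or from Meraki: it splits a ppp.log excerpt into connection attempts, records which IKE milestone each attempt reached, and reports the phase the client was in when it logged "IPSec connection failed", together with how long it took to give up. The sample lines are copied from the first post (server address already masked there as x.x.x.x); the "IPSec connection established" success marker is assumed wording for a completed negotiation and does not appear in the posted log because no attempt succeeded.

```python
import re
from datetime import datetime

# Sample input: the two connection attempts copied from the ppp.log excerpt in the
# first post (server address already masked as x.x.x.x there).
SAMPLE_PPP_LOG = """\
Tue Aug 6 08:50:28 2019 : publish_entry SCDSet() failed: Success!
Tue Aug 6 08:50:28 2019 : l2tp_get_router_address
Tue Aug 6 08:50:28 2019 : l2tp_get_router_address 172.20.10.1 from dict 1
Tue Aug 6 08:50:28 2019 : L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
Tue Aug 6 08:50:28 2019 : IPSec connection started
Tue Aug 6 08:50:28 2019 : IPSec phase 1 client started
Tue Aug 6 08:50:28 2019 : IPSec phase 1 server replied
Tue Aug 6 08:50:29 2019 : IPSec phase 2 started
Tue Aug 6 08:51:00 2019 : IPSec connection failed
Tue Aug 6 09:01:27 2019 : L2TP connecting to server 'x.x.x.x' (x.x.x.x)...
Tue Aug 6 09:01:27 2019 : IPSec connection started
Tue Aug 6 09:01:28 2019 : IPSec phase 1 client started
Tue Aug 6 09:01:38 2019 : IPSec connection failed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<msg>.*)$")

# Milestones of one L2TP/IPsec attempt, in the order the macOS client logs them.
# "IPSec connection established" is the assumed success marker; it is not in the
# posted log because no attempt there succeeded.
STAGES = (
    ("L2TP connecting to server", "l2tp_start"),
    ("IPSec connection started", "ipsec_start"),
    ("IPSec phase 1 client started", "p1_client"),
    ("IPSec phase 1 server replied", "p1_server_replied"),
    ("IPSec phase 2 started", "p2_start"),
    ("IPSec connection established", "established"),
    ("IPSec connection failed", "failed"),
)


def parse_ts(raw):
    """Parse the syslog-style timestamp; collapse doubled spaces before 1-digit days."""
    return datetime.strptime(re.sub(r"\s+", " ", raw), "%a %b %d %H:%M:%S %Y")


def split_attempts(text):
    """Group log lines into attempts; each starts at 'L2TP connecting to server'."""
    attempts, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        for prefix, stage in STAGES:
            if msg.startswith(prefix):
                break
        else:
            continue  # noise such as publish_entry / l2tp_get_router_address
        if stage == "l2tp_start":
            current = {"start": ts, "end": None, "stages": []}
            attempts.append(current)
        if current is None:
            continue  # milestone seen before any attempt start: ignore
        current["stages"].append(stage)
        if stage in ("established", "failed"):
            current["end"] = ts
    return attempts


def failure_phase(attempt):
    """Name the furthest IKE milestone reached, i.e. where the attempt died."""
    s = attempt["stages"]
    if "established" in s:
        return "connected"
    if "p2_start" in s:
        return "phase 2"
    if "p1_server_replied" in s:
        return "phase 1 (server replied, phase 2 never started)"
    if "p1_client" in s:
        return "phase 1 (no server reply)"
    return "before IKE"


def diagnose(text):
    """Return one summary dict per attempt: start time, outcome and seconds to outcome."""
    out = []
    for a in split_attempts(text):
        secs = (a["end"] - a["start"]).total_seconds() if a["end"] else None
        out.append({"start": a["start"].isoformat(sep=" "),
                    "result": failure_phase(a), "seconds": secs})
    return out


if __name__ == "__main__":
    for r in diagnose(SAMPLE_PPP_LOG):
        print(f"{r['start']}  {r['result']:<45} after {r['seconds']} s")
```

Run it against a copy of /var/log/ppp.log from an affected Mac. On the posted excerpt the first attempt gets a phase 1 reply, starts phase 2 and is declared failed about 30 seconds later; the second attempt never gets a phase 1 reply at all and gives up after about 10 seconds. Those are two different observable failures, and separating them per attempt is what tells you whether to look at the phase 2 proposal or at UDP 500/4500 reachability between the client and the MX.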

Raj66
Meraki Employee

I was doing some digging into the logs we are seeing on the MacBook and it seems like we will see such failures when there are NAT issues between the client and the server (MX). What kind of modem are you using at home? Can you please verify that it is not doing any sort of weirdness with NAT? Also, when connecting from the Windows computer and from the iOS devices, were you using the same ISP? If not, can you use the cellular hotspot (the connection that is working for the iOS devices) and see if that makes any difference?

Cheers!

Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Nash
Kind of a big deal

Let's sing the "twice NAT is not our friend" song. 🙂

One dirty way to check for obvious twice NAT is to run a traceroute from the problem device to your MX. Some providers (especially cellphone hotspots) will give you 2-3 private-space IPs before you actually get to a public IP.
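Raj66's NAT question and Nash's traceroute check above, as an added Python example that is not code from this thread or from Meraki: it parses `traceroute -n` output, labels each hop as RFC 1918 private space, carrier-grade NAT space (100.64.0.0/10, RFC 6598) or public, and counts the NAT-space hops seen before the first public address. The traceroute output is constructed; 172.20.10.1 is reused from the router address in the ppp.log in the first post (it is the gateway a Mac sees on a phone hotspot), the other hops are invented, and documentation prefixes stand in for public addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `traceroute -n` from a Mac on a phone hotspot toward the MX
# (x.x.x.x, masked as in the post). 172.20.10.1 is the hotspot gateway that shows up
# as the router address in the ppp.log above; the remaining hops are invented, with
# documentation prefixes (203.0.113.0/24, 198.51.100.0/24) standing in for public ones.
SAMPLE_HOTSPOT = """\
traceroute to x.x.x.x (x.x.x.x), 64 hops max, 52 byte packets
 1  172.20.10.1  3.912 ms  2.105 ms  2.011 ms
 2  10.212.88.1  41.500 ms  39.211 ms  40.002 ms
 3  100.69.14.33  45.118 ms  44.920 ms  46.003 ms
 4  * * *
 5  203.0.113.9  48.330 ms  47.101 ms  49.222 ms
 6  198.51.100.77  52.000 ms  51.400 ms  51.900 ms
"""

# Constructed sample of the same trace from behind an ordinary home router.
SAMPLE_HOME = """\
traceroute to x.x.x.x (x.x.x.x), 64 hops max, 52 byte packets
 1  192.168.1.1  1.021 ms  0.877 ms  0.902 ms
 2  203.0.113.1  9.512 ms  9.120 ms  9.330 ms
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by carriers

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(addr):
    """Label an address by the range it falls in; only these three matter here."""
    ip = ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def parse_hops(text):
    """Return (hop_number, address_or_None, kind) per traceroute line; header skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group("rest"))  # also finds '(a.b.c.d)' without -n
        if ip_m:
            hops.append((int(m.group("hop")), ip_m.group(0), classify(ip_m.group(0))))
        else:
            hops.append((int(m.group("hop")), None, "timeout"))  # '* * *'
    return hops


def nat_layers(text):
    """NAT-space hops before the first public hop. Timeouts are skipped and a
    private hop after a public one is ignored; each hop listed is a *likely*
    NAT boundary, not proof of one."""
    layers = []
    for hop, addr, kind in parse_hops(text):
        if kind == "public":
            break
        if kind in ("rfc1918", "cgnat"):
            layers.append((hop, addr, kind))
    return layers


def verdict(text):
    n = len(nat_layers(text))
    if n == 0:
        return "no NAT-space hop visible (public address on the client?)"
    if n == 1:
        return "single NAT (normal home router)"
    return f"{n} NAT-space hops before a public address: probable double/carrier NAT"


if __name__ == "__main__":
    for name, sample in (("hotspot", SAMPLE_HOTSPOT), ("home", SAMPLE_HOME)):
        for hop, addr, kind in parse_hops(sample):
            print(f"{name:8} hop {hop:2}  {addr or '*':15}  {kind}")
        print(f"{name:8} -> {verdict(sample)}")
```

Feed it `traceroute -n <mx-public-ip>` from the Mac; Windows `tracert -d` output (hop number first, address last on the line) parses the same way. Treat the count as a prompt rather than a conclusion: an ISP can route private addressing inside its own network without translating at every hop, so the real confirmation is the one SoCalRacer suggests next, repeating the VPN connection from a connection whose NAT you know.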

SoCalRacer
Kind of a big deal

Another check is to use an internet/modem connection whose config you know and trust. Possibly connect a MacBook to your phone hotspot and then try. It may rule out common config/hardware between the problem devices/users.

Nash
Kind of a big deal

@bhad0124627 I had one more thought. Have you had support change the encryption settings on your client VPN?

I've been testing this morning for something else, and it looks like AES128/DH14 (phase 1) isn't supported by iOS or macOS since ~2015. Apple devices will do AES256/DH14, but support didn't offer me that as an option.

And of course, Windows doesn't support AES128/DH5, so even if that's an option, then Win7/10 won't work...

DaveGM
New here

I had the same issue and fixed it by removing the entire System Preferences -> Networking -> Location profile and setting it up from scratch. It seems that something breaks in the Location profile, so you need to start from scratch.

JustinKing
New here

We have been experiencing the same issue with Windows 10 devices using an iOS hotspot to connect to the VPN.

The standard Windows VPN stopped working a while ago due to security patches on our Windows Server, so we switched to IPsec via Meraki and it was all good until last week.

Now devices just hang connecting.

Nash
Kind of a big deal

Windows + R and launch "rasphone".

Try connecting to your Meraki client VPN connection using this utility. You should have a drop-down list with all your saved connections. Pick one, then enter your user name and password.

Does it connect successfully or give you an error, @JustinKing?

Hi,

@Nash No, this did not solve the problem.

I have spent a fair bit of time on this and it looks like a recent Windows 10 update or similar has caused this.

I connected one laptop on the exact same Windows 10 1903 build (latest) to my phone's hotspot and it was all good.

A second laptop on the same build, on my phone's hotspot, does not connect.

A machine at home that had been connecting with no issue for the past year was updated on the weekend and cannot connect now.

I see people talking about NAT routers etc., but we have never had an issue until the past week or so.

[screenshot: 2019-08-20_10-35-11.jpg]

@Nash After a few updates the rasphone option worked for me on my PC; I will try it on the other machines.

Nash
Kind of a big deal

@JustinKing I'm glad to hear that! Were you able to get it running on your hotspot on a Windows computer? If not, create the registry key mentioned under error 809 in the Meraki client VPN troubleshooting d...

If you've got to do NAT traversal, that key fixes an issue that Windows itself has. Remember to reboot after creating the key.
