So I'm having som issues with enabling Client VPN on a vMX.
I have enabled Client VPN on the vMX, like I've done many time before, double checked users and shared secret but I just can not seem to get the ClientVPN connected.
My vMx is deployed and online and all green. However, I'm not able to ping the Public IP, but then again I'm not sure if I'm supposed to be able to ping a Public IP in Azure.
I'm testing from my own Mac, and it seems like it can't reach my vMX or the Public IP, which I find odd. I've tried from Home WiFi and Mobile Hotspot.
Log from my Mac:
standard 08:26:41.543802+0100 racoon plogsetfile: about to add racoon log file: /var/log/racoon.log
standard 08:26:41.548326+0100 racoon accepted connection on vpn control socket.
standard 08:26:41.548367+0100 racoon received bind command on vpn control socket.
standard 08:26:41.549439+0100 racoon New Phase 2
standard 08:26:41.549691+0100 racoon state changed to: IKEv1 quick I start
standard 08:26:41.551206+0100 racoon Connecting.
standard 08:26:41.551662+0100 racoon IPsec-SA request for 184.108.40.206 queued due to no Phase 1 found.
standard 08:26:41.551690+0100 racoon New Phase 1
standard 08:26:41.551717+0100 racoon state changed to: IKEv1 ident I start
standard 08:26:41.552022+0100 racoon initiate new phase 1 negotiation: 192.168.1.53<=>220.127.116.11
standard 08:26:41.552161+0100 racoon begin Identity Protection mode.
standard 08:26:41.552201+0100 racoon IPSec Phase 1 started (Initiated by me).
standard 08:26:41.554889+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000
standard 08:26:41.554918+0100 racoon state changed to: IKEv1 ident I msg1 sent
standard 08:26:41.554953+0100 racoon IKE Packet: transmit success. (Initiator, Main-Mode message 1).
standard 08:26:41.554996+0100 racoon >>>>> phase change status = Phase 1 started by us
standard 08:26:42.551901+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:43.651998+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:44.750392+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit).
standard 08:26:44.750534+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000
standard 08:26:44.750612+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:45.849827+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:46.949911+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:47.826864+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit).
standard 08:26:47.826919+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000
standard 08:26:48.049956+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:49.149791+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:50.249824+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:51.116931+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit).
standard 08:26:51.116967+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000
standard 08:26:51.349793+0100 racoon CHKPH1THERE: no established ph1 handler found
standard 08:26:51.561520+0100 racoon vpn_control socket closed by peer.
standard 08:26:51.561544+0100 racoon received disconnect all command.
standard 08:26:51.561578+0100 racoon IPSec disconnecting from server 18.104.22.168
standard 08:26:51.561608+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 2 structures
standard 08:26:51.561635+0100 racoon Phase 2 sa expired 192.168.1.53-22.214.171.124
standard 08:26:51.561657+0100 racoon state changed to: Phase 2 expired
standard 08:26:51.561697+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 1 and related Phase 2 structures
standard 08:26:51.562447+0100 racoon IPsec-SA needs to be purged: ESP 192.168.1.53->126.96.36.199 spi=1224736768(0x49000000)
standard 08:26:51.562503+0100 racoon ISAKMP-SA expired 192.168.1.53-188.8.131.52 spi:f465dd260cf2a981:0000000000000000
standard 08:26:51.562527+0100 racoon state changed to: Phase 1 expired
standard 08:26:51.562550+0100 racoon no ph1bind replacement found. NULL ph1.
standard 08:26:51.563059+0100 racoon vpncontrol_close_comm.
From what I see is that the vMX is not even responding. This is also evident from tha fact that there a nothing the the Event Log, about Client VPN establishement.
So I think(!) that there is a route missing from the Azure and into my MX, but I have no idea what that should be. My vMX can easily ping out. I can even ping my own public ip address at home.
I have created a Route Table, which only contains 1 route, the ClientVPN subnet pointing to the IP address of the vMX
I also have a VNet with the subnet of the vMX and ClientVPN, although I'm not certain this should be neccessary yet. Not untill I need to access services in Azure.
Both the Vnet and RouteTable are in the same Ressource Group as the vMX Managed App.
I did not allow the vMX Managed App to create VNets and Subnets. I did that on my own as well.
I've tried setting the ClientVPN on my Mac to both Full Tunnel, and Split Tunne, to no avail.
Looking at the NIC for the vMX VM, there are no NSGs applied, so that should be OK.
Any ideas on what I'm doing wrong?
I've also done a traceroute from my own mac. It seems that it ends somewhere in Microsoft Azure
rbnielsen@The-Gibson ~ % traceroute 184.108.40.206
traceroute to 220.127.116.11 (18.104.22.168), 64 hops max, 52 byte packets
1 192.168.2.1 (192.168.2.1) 4.767 ms 2.304 ms 2.222 ms
2 192.168.1.1 (192.168.1.1) 3.875 ms 2.720 ms 3.169 ms
3 lo0-0.vsk2nqe30.dk.ip.tdc.net (22.214.171.124) 8.201 ms 8.336 ms 8.652 ms
4 ae2-0.fhnqe11.dk.ip.tdc.net (126.96.36.199) 9.542 ms 8.354 ms 9.115 ms
5 ae1-0.alb2nqp8.dk.ip.tdc.net (188.8.131.52) 22.806 ms 16.014 ms *
6 184.108.40.206 (220.127.116.11) 18.571 ms 16.465 ms 25.737 ms
7 ae24-0.ear01.ham30.ntwk.msn.net (18.104.22.168) 21.265 ms 21.480 ms 22.874 ms
8 be-21-0.ibr02.ham30.ntwk.msn.net (22.214.171.124) 44.815 ms
be-20-0.ibr01.ham30.ntwk.msn.net (126.96.36.199) 45.915 ms
be-21-0.ibr02.ham30.ntwk.msn.net (188.8.131.52) 44.947 ms
9 be-4-0.ibr06.ams06.ntwk.msn.net (184.108.40.206) 45.002 ms 45.383 ms 44.945 ms
10 be-6-0.ibr02.ams21.ntwk.msn.net (220.127.116.11) 45.524 ms 46.605 ms 45.491 ms
11 be-9-0.ibr02.dub08.ntwk.msn.net (18.104.22.168) 45.360 ms
be-11-0.ibr02.lon24.ntwk.msn.net (22.214.171.124) 45.643 ms
be-9-0.ibr01.lon24.ntwk.msn.net (126.96.36.199) 174.930 ms
12 ae122-0.icr02.dub08.ntwk.msn.net (188.8.131.52) 45.882 ms
be-8-0.ibr02.dub08.ntwk.msn.net (184.108.40.206) 45.684 ms
ae122-0.icr02.dub08.ntwk.msn.net (220.127.116.11) 45.110 ms
13 ae120-0.icr01.dub08.ntwk.msn.net (18.104.22.168) 59.649 ms * *
14 * * *
No. There will be an existing NSG (network security group) controlling inbound access. You'll want to add icmp, udp/500 and udp/4500.
There really isn't any other place I can define the network security groups.
There's there Resource Group shown above with the VM, Nic, Public IP and Disk, and then there is an RG with the Managed App, VNet and a Routetable.Finally, there is a NetworkWatcherRG in which I can't really do any changes.
The 'mrg-cisco-meraki-vmx-XX' is the one that gets created when deploying the Meraki Managed App in Azure, and it seems to be Read Only, so I can't really modify its settings.
So, I dug a bit deeper into this, and had the opportunity to have a conference call both with Meraki Support, as well as Microsoft Azure Support.
It seems that the main reason why I couldn't get ClientVPN to work was because ports 500 and 4500 were being blocked. I was not able to open those ports by applying an NSG, due to a vendor policy from Meraki on the vMX RG.
Also, it seems that the Public IP SKU being deployed from the managed app, was randomly being chosen as a "Standard" IP SKU, which apparently has some default port blocked. If the deployed IP SKU is "Basic" ClientVPN will work.
The only way around this, is a redeployment of the vMX..
I'll probably add some more on this, after I've done some more testing, and sharing these results with Meraki Support.
Hi rbnielsen, your post is interesting. I'm facing the same issue with vMX and VPN Client.
The only way to make it work is with IP Basic SKU? Or, is there any other alternative?.
Please let me know.
Have a great day.
As far as I know, there is no alternative. My ticket is still open with meraki development team, and there is still no update as of yet.
You'll need to deploy the vMX in Availability Zone "None" to get a Basic IP SKU, in order to get ClientVPN to work on a vMX.
@rbnielsen, Did you manage to redeploy vMX? I faced the same problem and since the only workaround is redeployment I'd like to know if there is a recommended redeployment way. I noticed there were some problems with redeployments end up with the Meraki support team. The vMX is in a production environment in my case and there is not much tolerance to a support ticket response time.
@UmutYasar, redeploying the vMX, isn't that huge of a deal. It's just deleting the managed app from Azure, and (if you feel like it) deleting the Ressource Group.
I have yet to find out if there is anything to do once, the vMX has been deployed and in production. Like I said - my ticket with Meraki Support is still open, waiting for them to determine a solution that doesn't neccessary require a redeployment.
Unfortunately, I suspect that is the only solution.
I deployed a vMX today and the default was the "Basic" public IP SKU so I didn't run into the UDP 500 and 4500 issue.
Client VPN was failing to connect to my vMX. I was getting a Windows Error 809. I fixed it following the instructions in this document:
Value data: 2
I hope this helps someone.
Make sure you reboot after the registry change.
If it still doesn't work I suggest connecting to a phone hotspot too just to eliminate any packet issues from your local firewall or ISP.
Is there any alternative to redeploying the VMX please ?
I'm also in the same case. I have a Basic SKU on my public address.
Thank you !
I contacted support last month.
I inquired whether the following matter is a bug or a specification.
* If AZ is set to None, the Public IP SKU is deployed as Basic. Client VPN works when SKU is Basic.
* If AZ is set to 1 - 3, the Public IP SKU is deployed as Standard. Client VPN does not work when SKU is Standard.
This matter appears to be undetermined / undefined.
It is not a bug, as it is not yet determined / undefined.
It is not a specification, as it is not yet determined / undefined.
Since it is neither a bug nor a specification, it does not appear to be documented.
I have provided feedback to be documented, but I don't know what will happen.