VPN instability while connected to Meraki APs

Dilev
Comes here often


Hi everyone,

We are having quite a strange issue with our company setup and Meraki Access Points that we can't find a fix for, and I am hoping that some of the experts here can give us some fresh ideas and advice on how to tackle it.

In our office, we have 4 Meraki access points that are spaced out throughout the office to provide full coverage.

Our development and QA team are connecting to the company wireless and performing various tests using Geoedge VPN to hop from location to location. Since about a month ago the VPN started disconnecting them frequently, and sometimes they are completely unable to connect to any location. At first, we thought that the problem was with the VPN client itself, so we moved a few devices to mobile hot spots using the telephone provider's mobile network. While on the mobile hot spot, the frequent VPN disconnections and inability to connect to the different locations are no longer observed.

Our company Firewalls are set up to permit the traffic from the APs to any destination and any port without restrictions. The APs are set up in bridge mode, so the Firewall is assigning the IP addresses to the hosts that connect, and the only layer 3 firewall rule that we have set up on the AP is to block peer-to-peer connections.

As a test, I created a new SSID that has the Meraki performing the DHCP IP assignment and with the layer 3 firewall rule to block destination "Local LAN". With this setup, the users connecting to the Wireless are assigned random IP addresses and have no LAN connection to one another. However, upon testing, we are still seeing the same behaviour with a slight improvement (the VPN disconnections are not happening as often).

During all tests, I've had a constant ping from one of the hosts to the AP to which it is connected and there aren't any packets dropped. Some of the devices we are testing this behaviour with are connected to different APs in the office but on the same TEST SSID.

We have not ruled out the possibility that the VPN client and/or the servers we are trying to connect to are causing the issue, but since we do not observe this issue while connected to a mobile hotspot, we have our doubts about the Meraki AP at the moment.

I would appreciate any suggestions/advice on what else we can do from a Meraki point of view to further troubleshoot the issue and hopefully fix it.

Thanks,

Desislav

cmr
Kind of a big deal

Try connecting the users to the wired network in the same subnet and using the same DHCP server as the original wireless setup. If that fixes it then it is definitely something in the wireless setup; if not, it is the firewall.

What code (26.6.1, etc.) are the APs running? Was that changed around the time the issues started?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Dilev
Comes here often

Hi,

Thank you for your reply!

Connecting a PC with a cable to the same subnet is something I was going to test later today.

I do not see how the Firewall can be causing the issue in our case, as it is passing the traffic from the Wireless without inspecting it; the policy allows any destination and port. The idea is to have an unrestricted network with full access to the internet for testing purposes.

The current version on the APs is: MR 25.11.

cmr
Kind of a big deal

@Dilev one of the first things I learnt in networking is just because you have set something up to behave in a certain way, never assume that it is! All too often I have found that a firewall allow all policy is still inspecting traffic and dropping some... Of course this may not be the issue for you, but always worth verifying. Also you are running a somewhat old version of the AP software, but I wouldn't upgrade until you have done the wired test.

hellomike
New here

cx 

Thanks
Dilev
Comes here often

Hi @cmr

We performed the wired test as you suggested. We connected a laptop to one of our switches and changed the VLAN to put the host in the same network as the Wireless devices, and we did not observe the issue. I think we can conclude that the issue appears only when on a Wireless connection. Is there anything else you recommend we can change (configuration-wise) in order to try and fix the issue, or is an upgrade going to be the next step?

Regards,

Desislav

cmr
Kind of a big deal

Okay, as it seems to be either down to the APs, or the wireless drivers on the laptops, I'd check to see if they have been recently upgraded first, due to you having not done a wireless AP software upgrade for a while. If they have had an upgrade then downgrade one to check. If not, and as a best practice anyway, upgrade the APs to the current stable 25.13 or the stable release candidate 26.6.1. Before you do that please reply with the AP model(s) you have, as this might influence which of those to choose.

Dilev
Comes here often

Hi @cmr, all APs are MR18 on version 25.11, last upgraded on the 7th of May 2018. I doubt a software update on the clients is causing the issue, as we have tested with a few mobile devices (both Android and Apple), 2 Windows laptops and a Mac, and all of them were having the same issue.

I am leaning towards upgrading the APs to a newer version. What are your thoughts on the stable release candidate? Is it a stable enough release that we can upgrade to, or would it be wiser to stick with the Stable release of MR 25.13?

cmr
Kind of a big deal

We use 26.6.1 across 100+ APs at all our sites and it is better than 25.13. However, the oldest AP model we have in production is the MR32. For you with MR18s I'd go with 25.13 first as the 25 release train definitely supports the MR18 model.
