Client access VPN can't access site-to-site VPN resources on my MX-64

Solved
Alain_Bensimon
Getting noticed

I have a site-to-site VPN set up (10.69.10.0/24) on my MX-64 (10.69.11.99) and a client VPN (subnet 10.69.69.0/24).

I can access all remote resources from the office where the MX-64 is located.

When I connect through the VPN, I have access to all local resources, but I can't access the remote resources of the site-to-site VPN.

I have added the route in the client VPN configuration.

I can see it in the routes of the computer:

[screenshot: Alain_Bensimon_0-1642003586806.png]

I can't ping or access the remote resources.

When I run a tracert, I reach the MX-64 and nothing further:

[screenshot: Alain_Bensimon_1-1642003661818.png]

Thank you.

1 Accepted Solution
Alain_Bensimon
Getting noticed

I have been able to fix the issue.

My mistake was to think that if A is connected to B, and B is connected to C, A would be automatically able to use C resources.

I had to add the A subnet in the remote subnets of C and it worked.
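The accepted answer's point, as an added example that is not part of the thread and not Meraki code: a small Python simulation of the three endpoints it names (A = the client VPN subnet, B = the hub MX, C = the site-to-site peer). It checks the client's route first, then the traffic selectors on each tunnel endpoint, and shows that the request stops at the hub when the client subnet is not exported into the site-to-site VPN, and stops at C when C's remote subnets omit it, which is the "tracert reaches the MX and nothing further" symptom. The addresses, the client route table and the selector model are constructed assumptions, not values from the thread.

```python
"""Why a client-VPN host reaches the hub MX but not a site-to-site peer.

Added example, not code from the thread or from Meraki: a small forwarding
simulation using the accepted answer's names. A = client VPN subnet,
B = hub MX, C = remote site-to-site peer. Addresses are constructed.
"""
from ipaddress import ip_address, ip_network

CLIENT_VPN = ip_network("10.69.69.0/24")   # A: client VPN pool
HUB_LAN = ip_network("10.69.11.0/24")      # B: LAN behind the hub MX
REMOTE_LAN = ip_network("10.69.10.0/24")   # C: LAN behind the remote peer

CLIENT_IP = ip_address("10.69.69.5")       # constructed VPN client address
SERVER_IP = ip_address("10.69.10.20")      # constructed server behind C

# Constructed Windows route table after Add-VpnConnectionRoute: prefix -> next hop.
CLIENT_ROUTES = {
    ip_network("0.0.0.0/0"): "home router",
    ip_network("10.69.11.0/24"): "VPN tunnel",
    ip_network("10.69.10.0/24"): "VPN tunnel",
}


def client_next_hop(dst):
    """Longest-prefix match over the client's route table (dst is a string)."""
    addr = ip_address(dst)
    matches = [net for net in CLIENT_ROUTES if addr in net]
    return CLIENT_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def make_endpoint(name, local, remote):
    """A tunnel endpoint's traffic selectors: subnets on its own side (local)
    and the subnets it has been told live on the far side (remote)."""
    return {"name": name, "local": list(local), "remote": list(remote)}


def allows(endpoint, inside, outside):
    """An endpoint encrypts or accepts a flow only when the address on its own
    side is in a local subnet and the far address is in a remote subnet."""
    return (any(inside in net for net in endpoint["local"])
            and any(outside in net for net in endpoint["remote"]))


def simulate(hub_exports_client_subnet, peer_lists_client_subnet):
    """Trace a request from the VPN client to a server behind C.

    hub_exports_client_subnet: B includes the client VPN pool in the
        subnets it advertises over the site-to-site VPN.
    peer_lists_client_subnet: C has the client VPN pool in its remote
        subnets (what the accepted answer had to add).
    """
    hub_local = [HUB_LAN] + ([CLIENT_VPN] if hub_exports_client_subnet else [])
    peer_remote = [HUB_LAN] + ([CLIENT_VPN] if peer_lists_client_subnet else [])
    hub = make_endpoint("hub MX B", hub_local, [REMOTE_LAN])
    peer = make_endpoint("peer C", [REMOTE_LAN], peer_remote)

    hops = ["client A"]
    if client_next_hop(str(SERVER_IP)) != "VPN tunnel":
        return {"hops": hops, "dropped_at": "client A", "reachable": False}
    hops.append(hub["name"])   # tracert gets this far in every case below
    if not allows(hub, CLIENT_IP, SERVER_IP):
        return {"hops": hops, "dropped_at": hub["name"], "reachable": False}
    hops.append(peer["name"])
    if not allows(peer, SERVER_IP, CLIENT_IP):
        return {"hops": hops, "dropped_at": peer["name"], "reachable": False}
    hops.append("server")
    return {"hops": hops, "dropped_at": None, "reachable": True}


if __name__ == "__main__":
    for hub_ok, peer_ok in ((False, False), (True, False), (True, True)):
        result = simulate(hub_ok, peer_ok)
        path = " > ".join(result["hops"])
        tail = "" if result["reachable"] else f"  (dropped at {result['dropped_at']})"
        print(f"B exports A: {hub_ok!s:5}  C lists A: {peer_ok!s:5}  {path}{tail}")
```

The client-side route (the thing the original post had already added) only decides that the packet enters the tunnel; whether it is forwarded beyond B depends on both tunnel endpoints listing 10.69.69.0/24 in their selectors, which is why the fix lived on C and not on the Windows client.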

22 Replies
kkwok
Here to help

I have only 2 users with a similar issue with connectivity from home. The others are fine.

Client error: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

JonBLong2
Conversationalist

Your issue is Windows update related: have the user remove Windows patch KB5009543 and reboot; it will work fine afterwards.

march77
Comes here often

Or KB5009566

From an elevated cmd prompt: 

wusa /uninstall /kb:5009543

wusa /uninstall /kb:5009566

... rebooting now to see if it fixed the issue

march77
Comes here often

Yep, 5009543 was not installed but 5009566 was installed this AM.

Ran wusa /uninstall /kb:5009566 and a reboot fixed the issue; now able to log on/authenticate to the Meraki VPN.

Stephan_W
Conversationalist

Worked great! Thanks for the hat tip! 

Alain_Bensimon
Getting noticed

This is not related to my problem. All clients successfully connect to the VPN.

You should create another case.

PaulMcG
Getting noticed

Have you enabled Client VPN subnet in the site-to-site VPN settings?

Alain_Bensimon
Getting noticed

You mean here?

[screenshot: Alain_Bensimon_0-1642012036108.png]


PaulMcG
Getting noticed

I just noticed in the image of routing from your first post you have a route for 10.69.10.0/24 but none for 10.69.11.0/24.  Is your VPN configured to be full or split tunnel?

Alain_Bensimon
Getting noticed

The 10.69.11.0/24 is the local office where the MX-64 is located.

I don't need a route, I already have access.

My VPN is split tunnel.


PaulMcG
Getting noticed

Are there any Layer 3 firewall rules on either MX that might be blocking the subnet?

ww
Kind of a big deal

That would be the VPN FW rules.

Alain_Bensimon
Getting noticed

No rules at all.

Titan_Alpha
Conversationalist

I had an issue like this. I built a PowerShell script that runs and sets all the necessary routes, security options, password, and the registry key needed for this to work. I have multiple sites, so you can comment out what you don't need if you only have one.

This checks for the registry entry and adds it if not there, deletes all current VPN connections with the same name (in case you need to make an edit), then recreates them based on the names, routes via CIDR, and sets the password. Hope this helps. This allows me to hit all of my MX networks at all my sites with no issues.


$check_instal = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
$TunnelType = "L2tp"
$AuthMethod = @("MSChapv2","Pap")
$EncryptionLevel = "Optional"   # value passed to Add-VpnConnection below
$IdleDisconnect = 1800          # seconds of inactivity before the client hangs up
$sharedkey = "yourpassword"

# Is the system configured for IPsec behind NAT (UDP encapsulation)?
if ($check_instal -eq 2) {
    # Registry value is already set.
} else {
    $RegistryPath = "HKLM:\System\CurrentControlSet\Services\PolicyAgent"
    $RegName = "AssumeUDPEncapsulationContextOnSendRule"
    $Regvalue = 2
    New-ItemProperty -Path $RegistryPath -Name $RegName -Value $Regvalue -PropertyType DWORD -Force | Out-Null
}

function create_VPN ($VPNConnectName, $ServerAddress, $TunnelType, $AuthMethod, $sharedkey, $IdleDisconnect, $Routes) {
    try {
        # Remove any existing connection with the same name so edits take effect.
        Remove-VpnConnection -Name $VPNConnectName -AllUserConnection -Force -ErrorAction SilentlyContinue
        Add-VpnConnection -Name $VPNConnectName -ServerAddress $ServerAddress -TunnelType $TunnelType -AllUserConnection -AuthenticationMethod $AuthMethod -EncryptionLevel $EncryptionLevel -L2tpPsk $sharedkey -IdleDisconnectSeconds $IdleDisconnect -RememberCredential -Force
    } catch {
        # $_ is a [System.Management.Automation.ErrorRecord]; "$_" is just the message.
        Write-Warning "Failed to create $VPNConnectName : $_"
        return
    }
    Set-VpnConnection -Name $VPNConnectName -SplitTunneling $True -AllUserConnection
    # Split tunnel: one route per CIDR prefix that should go through this connection.
    foreach ($Route in $Routes) {
        Add-VpnConnectionRoute -ConnectionName $VPNConnectName -AllUserConnection -DestinationPrefix $Route
    }
    Start-Sleep -Milliseconds 100
}

#Create VPN Connection
$VPNConnectName = "name of vpn 1"
$ServerAddress = "paste MX URL here"
$Routes = @("CIDR of route 1", "CIDR of route 2")
create_VPN $VPNConnectName $ServerAddress $TunnelType $AuthMethod $sharedkey $IdleDisconnect $Routes

#Create VPN Connection
$VPNConnectName = "name of vpn 2"
$ServerAddress = "paste MX URL here"
$Routes = @("CIDR of route 1", "CIDR of route 2")
create_VPN $VPNConnectName $ServerAddress $TunnelType $AuthMethod $sharedkey $IdleDisconnect $Routes

#Create VPN Connection
$VPNConnectName = "name of vpn 3"
$ServerAddress = "paste MX URL here"
$Routes = @("CIDR of route 1", "CIDR of route 2")
create_VPN $VPNConnectName $ServerAddress $TunnelType $AuthMethod $sharedkey $IdleDisconnect $Routes

#Set "Register this connection's addresses in DNS" to True for every connection in the phonebook
$RASPhoneBook = "C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
(Get-Content $RASPhoneBook) -Replace 'IpDnsFlags=0', 'IpDnsFlags=1' |
    Set-Content $RASPhoneBook


Titan_Alpha
Conversationalist

As a follow-up, my settings are as follows on the site-to-site page on the MXs.

Site to site VPN

-Hub

VPN Settings

-Client VPN - Enabled

-Nat traversal - Automatic

OSPF

-disabled

Org Wide Settings

-site-to-site outbound firewall rule is the default any to any

Stopherman
Conversationalist

Removing the update fixes the issue. 

Alain_Bensimon
Getting noticed

None of these updates are installed on my computers.

Stopherman
Conversationalist

I would think you then have another issue.  Did you have a working VPN Client before, and now you cannot get it working?  Are you certain you don't have ANY updates installed from 1/11 ?

Alain_Bensimon
Getting noticed

100% sure.

And my issue is not connecting to the VPN; it works fine. I just can't access the remote site-to-site VPN, but I can access all my network resources through the VPN.

Titan_Alpha
Conversationalist

Hey Alain, 

Any way you could show the entire Route Print? I don't see the metric for your internal NICs route. I once had an issue with this and it was due to my metrics being incorrect. Not saying yours is, but I have seen it. Also, does the client have the AssumeUDPEncapsulationContextOnSendRule registry setting like in my script?

Alain_Bensimon
Getting noticed

There it is:

[screenshot: Alain_Bensimon_0-1642038731180.png]


And here is the script I've been using for a couple of years. I've just added 10.69.10.0/24 to the routes today, but it didn't help.


# Path for the phonebook.
$PbkPath = Join-Path $env:PROGRAMDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk'

# Update these variables with the actual VPN name, address, and PSK.
$ConnectionName = 'ABC VPN'
$ServerAddress = 'cisco-******-wired-********.dynamic-m.com'
$PresharedKey = '*************'

# If no VPNs, rasphone.Pbk may not already exist.
# If file does not exist, then create an empty placeholder.
# Placeholder will be overwritten when new VPN is created.
If ((Test-Path $PbkPath) -eq $false) {
    $PbkFolder = Join-Path $env:PROGRAMDATA "Microsoft\Network\Connections\pbk\"
    if ((Test-Path $PbkFolder) -eq $true){
        New-Item -path $PbkFolder -name "rasphone.pbk" -ItemType "file" | Out-Null
    }
    else{
        $ConnectionFolder = Join-Path $env:PROGRAMDATA "Microsoft\Network\Connections\"
        New-Item -path $ConnectionFolder -name "pbk" -ItemType "directory" | Out-Null
        New-Item -path $PbkFolder -name "rasphone.pbk" -ItemType "file" | Out-Null
    }
}

# If VPN exists, delete VPN connection so you can build fresh.
Remove-VpnConnection -AllUserConnection -Name $ConnectionName -Force -EA SilentlyContinue

# Adds the new VPN connection.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -DnsSuffix 'int.nomoist.net' -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod PAP -EncryptionLevel Custom -Force -WA SilentlyContinue

# Sets the VPN connection to split tunnel.
# Comment out for full tunnel.
# Note: Some PCs get angry w/o a short rest to process Add-VPNConnection
Start-Sleep -m 100
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -EncryptionLevel Custom -WA SilentlyContinue

# If you need parameters to add metrics or for IPv6 subnets, open Powershell and run:
# get-help add-vpnconnectionroute -full
# This will give the full list of valid parameters for Add-Vpnconnectionroute and
# instructions for using them.

# Adds the route for the interesting subnet
# $RouteList is an array of interesting subnet(s) with CIDR mask
# Split tunnels must have at least one route.
# Comment out for full tunnel.

$RouteList = @('10.0.1.0/24', '10.1.0.0/16', '10.2.0.0/16' , '192.168.254.22/32' , '10.69.10.0/24')
Foreach ($Destination in $RouteList)
{
    Add-Vpnconnectionroute -Connectionname $ConnectionName -AllUserConnection -DestinationPrefix $Destination
}

# Load the RASphone.pbk file into a line-by-line array
$Phonebook = (Get-Content -path $PbkPath)

# Index for line where the connection starts.
$ConnectionIndex = 0

# Locate the array index for the [$ConnectionName] saved connection.
# Ensures that we only edit settings for this particular connection.
for ($counter=0; $counter -lt $Phonebook.Length; $counter++){
    if($Phonebook[$counter] -eq "[$ConnectionName]"){
        # Set $ConnectionIndex var since $counter only exists inside loop
        $ConnectionIndex = $counter
        break
    }
}

# Starting at the $ConnectionName connection:
# 1. Set connection to use Windows Credential (UseRasCredentials=0)
# 2. Force client to use VPN-provided DNS first (IpInterfaceMetric=1)

# Setting the IpInterfaceMetric to 1 will force the PC to use that DNS first.
# Some companies have local domains that overlap with valid domains
# on the Internet. If VPN-provided DNS can resolve names on the local domain,
# then end user PC will get the correct IP addresses for private servers.
# Otherwise, the PC will use a public DNS resolver.

for($counter=$ConnectionIndex; $counter -lt $Phonebook.Length; $counter++){
    # Set RASPhone.pbk so that the Windows credential is used to
    # authenticate to servers.
    if($Phonebook[$counter] -eq "UseRasCredentials=1"){
        $Phonebook[$counter] = "UseRasCredentials=0"
    }

    # Set RASPhone.pbk so that VPN adapters are highest priority for routing traffic.
    # Comment out if you don't want to try VPN-provided DNS first.
    elseif($Phonebook[$counter] -eq "IpInterfaceMetric=0"){
        $Phonebook[$counter] = "IpInterfaceMetric=1"
        break
        # IpInterfaceMetric comes after UseRasCredentials, so break will cancel
        #   our loop once we're done with it.
    }
}

# Save modified phonebook overtop of RASphone.pbk
Set-Content -Path $PbkPath -Value $Phonebook

# Create desktop shortcut using rasphone.exe.
# Provides a static box for end users to type user name/password into.
# Avoids Windows 10 overlay problems such as showing "Connecting..." even
# after a successful connection.

# Create a desktop shortcut
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut("$env:Public\Desktop\$ConnectionName.lnk")
$Shortcut.IconLocation = "C:\WINDOWS\system32\SHELL32.dll, 135"
$Shortcut.TargetPath = "rasphone.exe"
$Shortcut.Save()

# Prevent Windows 10 problem with NAT-Traversal (often on hotspots)
# See https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
# for more details
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$name = "AssumeUDPEncapsulationContextOnSendRule"
$value = 2
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
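Both scripts in this thread edit rasphone.pbk: Titan_Alpha's with a file-wide -Replace, which flips IpDnsFlags on every connection in the phonebook, and the one above by walking forward from the [connection] header. The Python below is an added example (not from either post and not Meraki code) of the scoped form of that edit: it changes keys only inside the named section and reports what it changed, so an all-user phonebook holding several connections is not modified beyond the one intended, and a second run is a no-op. The sample phonebook text is constructed and carries only the keys the scripts touch; real files have many more.

```python
"""Scoped edit of a rasphone.pbk-style INI file (added example, constructed data)."""

# Constructed phonebook with two connections; real files carry many more keys.
SAMPLE_PBK = (
    "[ABC VPN]\n"
    "Type=2\n"
    "UseRasCredentials=1\n"
    "IpDnsFlags=0\n"
    "IpInterfaceMetric=0\n"
    "\n"
    "[Other VPN]\n"
    "Type=2\n"
    "UseRasCredentials=1\n"
    "IpDnsFlags=0\n"
    "IpInterfaceMetric=0\n"
)

# The per-connection settings the two PowerShell scripts apply.
SCRIPT_SETTINGS = {"UseRasCredentials": 0, "IpInterfaceMetric": 1, "IpDnsFlags": 1}


def parse_pbk(text):
    """Map each [section] to a dict of its key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key] = value
    return sections


def set_connection_keys(text, connection, updates):
    """Rewrite key=value lines inside [connection] only.

    Returns (new_text, changes) where changes maps key -> (old, new) for
    lines actually rewritten. If the section is absent, nothing changes.
    """
    out, changes, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Entering a new section: only the named one is editable.
            in_section = line[1:-1] == connection
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key in updates:
                wanted = str(updates[key])
                if value != wanted:
                    changes[key] = (value, wanted)
                    raw = f"{key}={wanted}"
        out.append(raw)
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, changes


if __name__ == "__main__":
    scoped, changes = set_connection_keys(SAMPLE_PBK, "ABC VPN", SCRIPT_SETTINGS)
    print("scoped changes to [ABC VPN]:", changes)
    print("[Other VPN] after scoped edit:  ", parse_pbk(scoped)["Other VPN"])
    # What a file-wide replace does instead: every section is touched.
    broad = SAMPLE_PBK.replace("IpDnsFlags=0", "IpDnsFlags=1")
    print("[Other VPN] after global replace:", parse_pbk(broad)["Other VPN"])
```

The section-scoped walk is the same idea as the `for` loop in the script above, with the difference that it does not stop at the first IpInterfaceMetric line and it records old and new values, which is useful when a deployment script needs to log what it changed on a shared machine.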
