Anyone use Windows built in VPN?

I’m fairly new to troubleshooting VPN issues. Ours goes through our Meraki and the access list is managed there along with a preshared key. Some users are 100% fine for a year+. Some users get an error message which is usually cleared up by deleting and setting up the client VPN settings again.

Meraki’s event log captures the user trying to connect, but it deletes their IKE_SA when the user gets an error. Usually error 789. The logs are fairly shallow. What program can I use to better troubleshoot the causes of this annoying non-persistent issue?

We use Meraki and the built-in Windows VPN client - what you’re experiencing is normal. Some users will have no problems, or when they do have an issue while connecting, they try again later and it works fine.

Other users when they have an error during connecting, Windows resets some of the VPN settings > Advanced Settings for that VPN profile and you have to go back in and re-set it up.
When this happens you usually have to go back into Network Connections and fix settings for the VPN device for that specific profile as well (Control Panel > All Control Panel Items > Network Connections).

I think I saw Error 789 as well and the fix was to go back through the VPN settings and the network connection settings for the VPN connection and make sure Windows didn’t delete or change some of the settings, which it often does.

I didn’t find anything that helped narrow down the exact hiccup and there seemed to be no pattern other than the issues started when a user was in the middle of connecting and the connection fails for whatever reason > at that point, it’s all about going back through and re-setting up the connection details/adapter settings for the VPN.

We have had nothing but issues with the Meraki VPN using the Windows VPN client. Often clients cannot connect, or the VPN settings randomly change on a workstation with no reason why.

I was at an MSP and we had dozens of Meraki orgs running client VPNs and ran into all kinds of disconnection issues.

Windows 10 VPN sucks to begin with; sometimes it randomly just needs to be deleted and recreated. You should have a PowerShell command on hand to rebuild it. You can do it remotely with the -AllUserConnection switch (it just means it goes to every user on the workstation instead of the currently logged-in user).

Also in my experience 99 times out of 100 if the Meraki’s concurrent VPN user count is within specs of the appliance, it’s the user’s home internet. Some home ISPs are worse than others. But as we know in IT sometimes the battle is simply proving the answer.

Tools that I find handy for this: NirSoft Full Event Log View. This will consolidate all of the application and service event logs into one view; then you can filter by timestamp and pick a 5-minute window around the time of the event you see in the Meraki. You’ll likely see some network-related blip before the VPN disconnects on their computer. This can be run after the fact; it’s not real time.

In the Meraki itself there is a section for uplink connectivity. I like to put a user’s home IP as a destination (you can have whatever you want here, it doesn’t impact the Meraki’s failover process; one time it had to be the owner of the company).

Also there is a great .bat script that will run a ping test and log failures only: “Batch File: Append Ping Failures And Time Stamp To A Text File”. I would run that on the user’s system at home and see if any time stamps line up.

Your only other option is when they release AnyConnect for Meraki, which is “coming soon” ™. Or if you have an on-prem server, spin up a VM for RRAS with SSTP or L2TP and forward the ports.

Do you work in Portland, Oregon, by chance?

We use the Meraki as our backup and have it configured like you. Do you change the options for the adapter to require authentication and do not remember sign in info? We are consistently battling users who we set it to remember sign in info and whenever they change their password we have to remote in and fix it for them.

The org I work for uses the Meraki client VPN for some of our users. We get this incredibly regularly. We’ve found that it’s correlated with Windows updates. When major updates go through, there is a higher risk of this exact error code occurring. The workaround is to just remote into the user’s machine, remove the VPN, and add it back in. It has something to do with the L2TP PSK getting corrupted in Windows. Removing and reinstalling the VPN profile always works.

The company I have recently joined uses it, and the previous lunatic in charge set it up straight to our DC with a PPTP connection. On probably 75% of users, their routers will block the connection simply because of how insecure it is. I’m currently in the process of upgrading firewalls to WatchGuard so we can set up the WatchGuard SSL VPN.

We are a Meraki shop, and we had a lot of issues with Windows VPN. The solution for us was to stop using the icon in the system tray to connect to VPN. Tons of issues with disconnects etc., the thing just spinning and never connecting, or disconnecting.

Instead we put a shortcut to C:\Windows\System32\rasphone.exe on the desktop, and have users use this to connect. Since doing this we rarely have an issue where someone can’t connect.

The only issues we see now, once in a blue moon, is a user gets disconnected from VPN for whatever reason and can’t get back on. Windows kicks out an error about the VPN connection not responding, but the solution is to reboot the user’s cable modem to “free up” the connection that didn’t close properly.

After one user got the 789 error, we went through and eliminated each one of these possibilities. Still wouldn’t connect to our VPN.

Have you checked or added the AssumeUDPEncapsulationContextOnSendRule registry item?

We use MS Always On with Checkpoint and AD-issued machine certs, and we don’t have any problems at all (apart from the usual crap with Always On not releasing sessions after users log off; I wound up making a script that drops connections older than 72 hours to keep DHCP addresses available for connections).

How much does that run you if you don’t mind me asking?

I didn’t believe our Helpdesk tech when they said they set up the advanced settings on the adapter and then I would look and it was back to the defaults. Then I did it for a user and experienced the same thing. Such a PITA.

Oh yes, I forgot to mention this part because I’m so used to readjusting these security settings. Specifically, ours always reverts back to MSCHAPv2 and we have to uncheck that, then check PAP.

If I’m unable to assist remotely, or it’s for an on-call tech in the middle of the night, they just have instructions to remove and re-add their entire VPN connection.

Really what I’m looking for is a protocol analyzer I guess… But it’s such a dumb, random issue so it’s hard to duplicate.

Dude all of this is amazingly helpful. You don’t happen to have that PowerShell script handy for a DM do you?

No, I’m in their sister city :sign_of_the_horns:

Edit: never mind, apparently. I swear we used to be considered sister cities in the past.

We always have to change from MSCHAPv2 to PAP. And then sometimes during that process the user and pass will reset and it will say general authentication. It’s almost like you can get stuck in an endless loop trying to change one setting, and then the other resets…

I usually end up having them remove and re-add their entire VPN connection.
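A rebuild script of the kind the MSP poster above keeps on hand, as an added example that is not any poster’s script or Meraki’s own: it sets the NAT-traversal registry value the later reply asks about, removes the existing profile for all users with -AllUserConnection, and recreates it as L2TP/IPsec with the preshared key and PAP, the settings this thread says Windows keeps reverting. The connection name, server address and PSK are placeholders, and the “Optional” encryption level is assumed from Meraki’s published Windows client settings.

```powershell
# Added example (not from the thread). Run elevated; $Name/$Server/$Psk are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$Name   = 'Office VPN',          # assumed connection name
    [string]$Server = 'vpn.example.com',     # assumed Meraki public hostname/IP
    [string]$Psk    = 'REPLACE-WITH-PSK'     # preshared key from the Meraki dashboard
)

# 1. IPsec NAT-traversal setting Windows needs when the client or the MX sits behind NAT.
#    Value 2 = client and server may both be behind NAT. A reboot is needed after changing it.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$regName = 'AssumeUDPEncapsulationContextOnSendRule'
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($current -ne 2) {
    Set-ItemProperty -Path $regPath -Name $regName -Value 2 -Type DWord
    Write-Host "Set $regName to 2 (was '$current'); reboot required for it to take effect."
}

# 2. The thread's "delete and recreate" fix: drop the machine-wide profile if it exists.
$existing = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $Name }
if ($existing) {
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
    Write-Host "Removed existing profile '$Name'."
}

# 3. Recreate as L2TP/IPsec with PSK. Authentication is PAP only (not MSCHAPv2), and
#    credentials are not remembered, so a password change does not strand the saved profile.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod Pap -EncryptionLevel Optional `
    -AllUserConnection -RememberCredential:$false -Force

# 4. Verify the profile came back with the settings we asked for, rather than the defaults.
$vpn = Get-VpnConnection -Name $Name -AllUserConnection
if ($vpn.TunnelType -ne 'L2tp' -or ($vpn.AuthenticationMethod -notcontains 'Pap')) {
    throw "Profile '$Name' was created but is not L2TP/PAP: $($vpn.TunnelType) / $($vpn.AuthenticationMethod)"
}
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Re-running the script after Windows has reverted the adapter settings simply recreates the profile; it does not touch user credentials, which the user re-enters at the next connection.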

I’m not sure about a user changing the password though. I set their passwords in the Meraki dashboard. I guess they’d be able to sign into the dashboard themselves with that info… I haven’t had anyone try that quite yet.

I don’t believe so, could you elaborate on that a bit?

Exactly my train of thought except it was just me :slight_smile:

The first time or two I figured I just completely missed it, but then over time I began to see the patterns. Did a lot of Googling and saw it wasn’t just me; felt much better after that.