This document is a guide for administrators and users troubleshooting Client VPN issues. Use it to identify and resolve Client VPN problems faster.
No Users Can Connect:
Is the MX Online?
Ensure your MX is online and accessible over the internet. You can verify internet connectivity using the Ping appliance button on the Tools tab of the appliance status page. (Security & SD-WAN > Appliance status > Tools > Ping appliance)
Upstream NAT / Firewall Issue on the MX Side
If your MX is behind a NAT device (e.g. an upstream router or ISP modem), its uplink IP will most likely be a private address from one of the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). Ensure that UDP port 500 (IKE) and UDP port 4500 (IPsec NAT-T) are forwarded to the private uplink IP address of the MX, and verify that no upstream firewall is blocking UDP traffic on those two ports.
Take a packet capture on the WAN interface of the MX and confirm that UDP 500 and UDP 4500 traffic from the public IP of the VPN client is reaching the MX, and that the MX is replying.
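The following PowerShell function is an added example, not part of the Meraki KB: it reads a WAN-side capture that has been exported as text (for example the output of tcpdump on the downloaded pcap) and reports whether IKE (UDP 500) and NAT-T (UDP 4500) packets appear in both directions between the client's public IP and the MX WAN IP. The capture lines, the client IP 203.0.113.10 and the MX IP 198.51.100.5 are constructed sample data from the documentation ranges.

```powershell
# Added example (not from the Meraki KB). Parses tcpdump-style lines such as
#   "10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: ..."
# and counts IKE/NAT-T packets per direction between the client and the MX.
function Test-IkeBidirectional {
    param(
        [Parameter(Mandatory)][string[]]$CaptureLines,
        [Parameter(Mandatory)][string]$ClientPublicIp,
        [Parameter(Mandatory)][string]$MxWanIp
    )
    # tcpdump prints IPv4/UDP flows as "IP <src>.<sport> > <dst>.<dport>:"
    $pattern = 'IP (?<src>\d+\.\d+\.\d+\.\d+)\.(?<sport>\d+) > (?<dst>\d+\.\d+\.\d+\.\d+)\.(?<dport>\d+):'
    $seen = @{ in500 = 0; out500 = 0; in4500 = 0; out4500 = 0 }

    foreach ($line in $CaptureLines) {
        if ($line -match $pattern) {
            $src = $Matches['src']; $dst = $Matches['dst']
            $sport = [int]$Matches['sport']; $dport = [int]$Matches['dport']
            # Client -> MX: the MX-side port is the destination port
            if ($src -eq $ClientPublicIp -and $dst -eq $MxWanIp -and ($dport -eq 500 -or $dport -eq 4500)) {
                $seen["in$dport"]++
            }
            # MX -> client: the MX-side port is the source port (the client port may be NATed)
            elseif ($src -eq $MxWanIp -and $dst -eq $ClientPublicIp -and ($sport -eq 500 -or $sport -eq 4500)) {
                $seen["out$sport"]++
            }
        }
    }

    $inbound  = $seen['in500']  + $seen['in4500']
    $outbound = $seen['out500'] + $seen['out4500']
    $verdict = if ($inbound -eq 0) {
        'No IKE/NAT-T packets from the client reached the MX WAN: check upstream NAT forwarding of UDP 500/4500 and any firewall between the client and the MX.'
    } elseif ($outbound -eq 0) {
        'The MX receives the client traffic but never replies: review the Client VPN configuration on the MX and capture again.'
    } else {
        'Bidirectional IKE/NAT-T traffic is present, so the network path is fine: look at authentication, the shared secret and the client adapter settings.'
    }

    [pscustomobject]@{
        ClientToMx500  = $seen['in500']
        MxToClient500  = $seen['out500']
        ClientToMx4500 = $seen['in4500']
        MxToClient4500 = $seen['out4500']
        Verdict        = $verdict
    }
}

# Constructed sample capture (documentation addresses, not a real capture)
$sample = @(
    '10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident',
    '10:00:01.000900 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident',
    '10:00:01.020000 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 1 I ident',
    '10:00:01.021000 IP 198.51.100.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 R ident',
    '10:00:02.000000 IP 203.0.113.10.51234 > 198.51.100.5.53: 1234+ A? example.com. (29)'
)
Test-IkeBidirectional -CaptureLines $sample -ClientPublicIp '203.0.113.10' -MxWanIp '198.51.100.5'
```

Run it against a real capture with `Test-IkeBidirectional -CaptureLines (Get-Content .\wan-capture.txt) ...`. Only the counts matter: a capture with zero client-to-MX packets points at the NAT or firewall issues above, while a capture with traffic in both directions moves the investigation to authentication and client settings.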
If you are receiving authentication errors, reverify the username, password, and shared secret. Try an authentication method other than the one you are using (Meraki Cloud Authentication, RADIUS, or Active Directory) to isolate the problem. Refer to this KB if you are unable to connect with any of the authentication methods.
Shared Secret Mismatch
If you are not sure what the shared secret is, retrieve it using Show secret on the dashboard Client VPN page. The shared secret must match on the VPN server and the client before a tunnel can be established. To rule out a mismatch, change the shared secret on the dashboard and re-enter it on the client.
Some Users Can Connect:
VPN Adapter Configurations / Windows Update
A frequently seen issue is the VPN adapter settings changing after a Windows update. If your VPN was working and has stopped connecting, check for bidirectional traffic between the VPN client and the MX by taking a packet capture. If you see bidirectional traffic and are still unable to connect, review the VPN configuration settings on the client. Please use this KB to verify or reconfigure your Windows VPN settings. Meraki is working on a long-term solution for this issue. You can also explore the Systems Manager Sentry option, which refreshes your VPN settings periodically to ensure your adapter settings align with the configuration on the VPN server.
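The following PowerShell script is an added example, not Meraki's own script or KB content: it deletes and recreates the Windows L2TP/IPsec profile so that adapter settings changed by an update are reset to a known state. It assumes the Client VPN settings Meraki documents for Windows (L2TP over IPsec with a pre-shared key, PAP as the inner authentication method, which is acceptable only because it runs inside the IPsec tunnel). The connection name and server address are placeholders; the registry value shown is the Windows setting that allows IPsec NAT-T when both the client and the MX sit behind NAT.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Meraki KB): rebuild the Client VPN profile on Windows.

$Name   = 'Meraki Client VPN'   # placeholder profile name
$Server = 'vpn.example.com'     # placeholder: MX WAN IP or its dynamic DNS host name
$Psk    = Read-Host -Prompt 'Shared secret (Dashboard > Client VPN > Show secret)'

# Remove any existing profile so stale adapter settings do not survive the rebuild
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# L2TP over IPsec with a pre-shared key; PAP is protected by the IPsec tunnel.
# Add -SplitTunneling here only if split tunneling is enabled on the dashboard.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -RememberCredential -Force

# Clients behind NAT (home routers, hotspots) need Windows to accept an IPsec
# NAT-T peer that is itself behind NAT. Value 2 = both sides may be NATed.
# The change takes effect after a reboot.
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $policyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Verify the rebuilt profile before retrying the connection
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

After the reboot, connect with `rasdial "Meraki Client VPN" <username> *` (the asterisk prompts for the password) and, if it still fails, use the Event Viewer steps below to get the error code rather than guessing.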
Common Windows Errors (789, 691, etc.)
If a Client VPN connection fails to establish from a Windows device but no error message appears on the screen, the Event Viewer can be used to find the error code associated with the failed connection attempt:
Step 1. Press the Windows key and type "Event Viewer," then click on Event Viewer in the search results.
Step 2. In Event Viewer, navigate to Windows Logs > Application.
Step 3. A Client VPN connection failure should show up as an Error event type. Clicking on the event will show the associated error code.
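The following PowerShell is an added example, not part of the Meraki KB: it performs the three steps above from the command line by reading the Application log entries that the Windows RAS client writes under the provider name RasClient and extracting the error code from the event text. The code-to-meaning table lists the commonly documented meanings of the codes this guide mentions plus 809, and is a summary rather than Microsoft's or Meraki's wording; the sample event message is constructed.

```powershell
# Added example (not from the Meraki KB): find the error code of failed VPN dial attempts.

# Windows logs a failed dial as "... The error code returned on failure is <code>."
function Get-RasFailureCode {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'error code returned on failure is (?<code>\d+)') {
        return [int]$Matches['code']
    }
    return $null
}

# Commonly documented meanings (summary, not vendor text)
$KnownCodes = @{
    789 = 'L2TP security layer error: shared secret mismatch, missing NAT-T registry setting, or adapter settings changed by an update'
    691 = 'Credentials rejected: check the username, password and the authentication method configured on the dashboard'
    809 = 'No response from the VPN server: UDP 500/4500 is probably not reaching the MX (NAT or firewall)'
}

function Get-RecentVpnFailures {
    param([int]$MaxEvents = 20, [string]$ConnectionName)
    # Level 2 = Error, matching the "Error" event type shown in Event Viewer
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Level = 2 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { (-not $ConnectionName) -or ($_.Message -like "*$ConnectionName*") } |
        ForEach-Object {
            $code = Get-RasFailureCode -Message $_.Message
            $meaning = 'see the Troubleshooting Client VPN KB'
            if ($code -and $KnownCodes.ContainsKey($code)) { $meaning = $KnownCodes[$code] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Code    = $code
                Meaning = $meaning
            }
        }
}

# Constructed sample message in the format of a RasClient failure event
$sample = 'CoId={00000000-0000-0000-0000-000000000000}: The user CONTOSO\alice dialed a connection named Meraki Client VPN which has failed. The error code returned on failure is 789.'
Get-RasFailureCode -Message $sample

# Live query of the local Application log
Get-RecentVpnFailures -MaxEvents 10 | Format-Table -AutoSize
```

Filtering by provider rather than by a fixed event ID keeps the query working across Windows versions; the message text carries the code either way.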
Refer to the Troubleshooting Client VPN KB to troubleshoot common Windows errors.
Another common issue with VPN connections from Windows devices is the SmartByte application. If it is installed, please try uninstalling it and reinitiating your VPN connection.
Not many Client VPN connection issues are seen with macOS devices. If you do encounter one, try to connect from a different Mac device and OS version.
Mobile users usually have little or no trouble connecting. If you are having issues, double-check your configuration. Try resetting your network settings and reconfigure. See the Client VPN OS Configuration KB. If you are trying to connect over cellular, it could be an issue with your cellular provider. Try connecting via Wi-Fi.
Other Possible Issues and Solutions
Firewall Issue on Client Side: If UDP traffic on ports 500 and 4500 is not reaching the MX, it is likely that UDP traffic on those ports is being blocked by another firewall between the end client and the MX. Check the firewall rules or access control lists between the client and the MX. Try connecting from a client device on a different ISP.
Device Issue: You could be running into an issue specific to the device. Try connecting with a different device to verify if it is a device-specific issue. Try resetting your network settings or reset the device if possible.
User Account Issue: Your account may not be authorized to connect to the VPN, or your credentials may be wrong. Try resetting your password or connecting with a known-working set of credentials to further isolate the issue.
Can Connect to VPN but…
Cannot Access Resources
If you are connected to the VPN but cannot access resources, a common cause is subnet overlap between the client's local network and the network the resource is in. If the local network you are on uses the same IP subnet as the network you are trying to reach, the client treats the destination as directly connected and the request never enters the tunnel. To validate this, test with the full tunneling option and see if it makes a difference. See the Troubleshooting Client VPN KB for guidance.
Accessing Resources over the Tunnel via IP vs. DNS
If you are unable to access a resource by its domain name (DNS), try accessing it by IP address. If access by IP works, the problem is name resolution rather than the tunnel. Resolve the host name (for example with nslookup) and check both the address returned and the DNS server that answered: an internal resource must resolve to its internal IP through the DNS servers configured for Client VPN, not through your local network's resolver. If the host name does not resolve at all, check the local DNS settings and the DNS servers assigned to the VPN adapter.
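The following PowerShell is an added example for both checks in this section (subnet overlap and name resolution); it is not part of the Meraki KB. The CIDR arithmetic is written out so that it runs on stock Windows PowerShell without extra modules. The subnets, the host name fileserver.corp.example and the DNS server 10.10.0.2 are placeholders.

```powershell
# Added example (not from the Meraki KB): diagnose "connected but cannot reach resources".

# Parse "a.b.c.d/len" into a network address and mask as unsigned 32-bit values
function ConvertTo-IpNetwork {
    param([Parameter(Mandatory)][string]$Cidr)
    $ipText, $len = $Cidr -split '/'
    $b  = [System.Net.IPAddress]::Parse($ipText).GetAddressBytes()
    $ip = [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
    $len  = [int]$len
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
    [pscustomobject]@{ Network = ($ip -band $mask); Mask = $mask; Length = $len }
}

# Two prefixes overlap when the one with the shorter mask contains the other's network address
function Test-SubnetOverlap {
    param(
        [Parameter(Mandatory)][string]$LocalCidr,
        [Parameter(Mandatory)][string]$RemoteCidr
    )
    $a = ConvertTo-IpNetwork $LocalCidr
    $b = ConvertTo-IpNetwork $RemoteCidr
    return ((($b.Network -band $a.Mask) -eq $a.Network) -or (($a.Network -band $b.Mask) -eq $b.Network))
}

# Compare every local IPv4 prefix with the subnets behind the MX.
# /32 entries are skipped because the VPN (PPP) adapter's own address is a /32.
function Find-LocalSubnetConflicts {
    param([Parameter(Mandatory)][string[]]$RemoteSubnets)
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.PrefixLength -lt 32 } |
        ForEach-Object {
            $local = "$($_.IPAddress)/$($_.PrefixLength)"
            foreach ($remote in $RemoteSubnets) {
                if (Test-SubnetOverlap -LocalCidr $local -RemoteCidr $remote) {
                    [pscustomobject]@{ LocalInterface = $_.InterfaceAlias; LocalPrefix = $local; ConflictsWith = $remote }
                }
            }
        }
}

# Resolve a name through the DNS server assigned to the Client VPN and through the
# default resolver, so that a name answered only by the local resolver stands out.
function Test-VpnNameResolution {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$VpnDnsServer
    )
    $viaVpn  = Resolve-DnsName -Name $HostName -Type A -Server $VpnDnsServer -ErrorAction SilentlyContinue
    $default = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HostName      = $HostName
        ViaVpnDns     = (($viaVpn  | Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ',')
        ViaDefaultDns = (($default | Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ',')
    }
}

# Constructed example: a home LAN on 192.168.1.0/24 and an office LAN behind the MX on the same subnet
Test-SubnetOverlap -LocalCidr '192.168.1.23/24' -RemoteCidr '192.168.1.0/24'
Test-SubnetOverlap -LocalCidr '192.168.1.23/24' -RemoteCidr '10.10.0.0/16'
Find-LocalSubnetConflicts -RemoteSubnets '192.168.1.0/24', '10.10.0.0/16'
Test-VpnNameResolution -HostName 'fileserver.corp.example' -VpnDnsServer '10.10.0.2'
```

A row from Find-LocalSubnetConflicts means the client will send traffic for that remote subnet onto its local LAN instead of the tunnel; the fix is to change the subnet on one side. An empty ViaVpnDns column with a populated ViaDefaultDns column (or the reverse) shows which resolver is answering and why the name-based access fails while IP-based access works.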
Connection is Slow
If you are connected but the connection is slow, first identify whether it is slow to everything over the tunnel or only to specific internal resources. If the connection is slow to one application but fast to other resources through the tunnel, the VPN is most likely not the cause.
You can also run speed tests if traffic is fully tunneled. VPN speeds depend on a lot of factors, including bandwidth on the MX and client side, number of clients connected to MX, number of VPN tunnels on the MX, etc.
- Configuration guidance
- Encryption Methods
- Using two-factor authentication for Client VPN
- Taking dashboard packet captures
- Client VPN scaling and load sharing
- Configuring split tunneling
- Client VPN monitoring: To monitor Client VPN users, go to dashboard > Network-wide > Clients and use the drop-down filters to show "Client VPN" clients that are "Connected"
- Licensing: Additional licensing is not required for Client VPN. Client VPN is included in Enterprise, Advanced Security, and Secure SD-WAN MX licensing.