Skip to main content
Cisco Meraki Documentation

Unable to Connect to Client VPN from Some Devices

  1. Last updated
  2. Save as PDF

For troubleshooting issues where some client VPN users are unable to connect. If no users can connect, see All Client VPN Users Unable to Connect.

Windows Users

Windows Update

Performing a Windows update might affect VPN or network adapter configurations. If the VPN connection stops working an update, take a packet capture to verify bidirectional traffic is occurring between the VPN client and MX. See Troubleshooting Client VPN with Packet Captures for more information.

If bidirectional traffic is occurring and the VPN connection continues to fail, review the VPN configuration settings. See Client VPN OS Configuration for more information.

Sentry VPN helps admins configure and deploy client VPN profiles directly to Systems Manager-enrolled devices across platforms.  Enrolled devices can then connect to VPN without additional end user configuration. See Systems Manager Sentry Overview for more information.

Common Windows Errors

If a client VPN connection is failing to establish from a Windows device, but no error message appears on the screen, use the Windows Event Viewer to find an error code associated with the failed connection attempt:

  1. On the affected device, press the Windows key and type Event Viewer
  2. From the search results, click on Event Viewer
  3. In Event Viewer, navigate to Windows Logs > Application
  4. Search the Error events for the connection failure
  5. Click the event to review the associated error code and details

Some common errors are listed below. See List of error codes for dial-up connections or VPN connections in Microsoft Documentation for a complete list.

Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

Ensure that the proper protocols are selected under Authentication options in the VPN properties

Control Panel > Network and Sharing Center >  Change adapter settings 

1. Right click the desired VPN connection and select properties
2. Select the security tab
3. Ensure Unencrypted password (PAP) is selected under allow these protocols  

Meraki Event Log

Example event log entries. See Meraki Event Log for more information:

Jul 2 13:53:20 VPN msg: invalid DH group 19.
Jul 2 13:53:20 VPN msg: invalid DH group 20.

This issue might not appear in the event log if the client traffic does not successfully reach the MX WAN interface.

Possible Causes and Solutions

Incorrect secret key (pre-shared key)

Ensure that the shared secret is configured correctly on the client machine. It must match between the MX and the client. For more information about setting the shared secret, see Client VPN OS Configuration.

Firewall blocking VPN traffic to MX

Ensure UDP ports 500 (IKE) and 4500 (IPsec NAT-T) are being forwarded to the MX and not blocked. If traffic cannot reach the MX on these ports, the connection will time out and fail.

IKE and AuthIP IPsec keying modules disabled

This might occur if third-party VPN software has been installed and disables the IKEEXT service. To reenable the service:

  1. On the affected device, press the Windows key and type Control Panel
  2. From the search results, click on Control Panel
  3. Navigate to Administrative Tools > Services
  4.  Find the service named "IKE and AuthIP IPsec Keying Modules" and double-click to open
  5. Select Automatic from the Startup type drop-down menu

 If the service automatically reverts to Disabled, or fails to start, remove the third-party VPN software.

Windows Error 691

Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server

Meraki Event Log

Example event log entries. See Meraki Event Log for more information:

Jul 2 14:00:40 VPN msg: not matched
Jul 2 14:00:40 VPN msg: ISAKMP-SA established 82.35.46.78[4500]-174.45.35.220[4500] spi:b74e92b3b5360c16:ce602504804696a9
Possible Causes and Solutions

Invalid user credentials

Confirm user credentials are correct.

  • When using Meraki authentication, usernames should be in email format (ex. user@example.com)
  • When using AD or RADIUS authentication, be sure to enter the username in a format that will be recognized by the server, including the domain if needed (ex. DOMAIN\user)

User not authorized

If using Meraki authentication, ensure that the user has been authorized to connect to the VPN. See Client VPN Overview for more information.

No certificate on AD server

If using Active Directory authentication with Client VPN, make sure the AD server has a valid certificate for TLS. See Configuring Active Directory with MX Security Appliances and Certificate Requirements for TLS for more information.

Incorrect DNS name resolution from the MX's upstream DNS server

  • ​​​If the MX is configured with an ISP DNS server, change this to a non-ISP public DNS server such as Google 8.8.8.8 
  • A mismatch of pre-shared keys between a RADIUS server and MX might result in bad encryption of the password
    • Change the pre-shared key in the Meraki Dashboard and the RADIUS client on the server
    • If this resolves the error, verify the secret used is correct on both devices
    • Use a less complex password if necessary 

Windows Error 720

Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.

Possible Causes and Solutions

Client VPN Subnet IP Pool is Empty

Confirm by searching the Meraki Dashboard Event Log for the event type VPN client address pool empty.  See Meraki Event Log for more information.

To resolve, configure a larger subnet size for client VPN users. Note that one IP in the subnet is reserved for the MX security appliance, so a /24 subnet which provides 254 usable IP addresses will allow for 253 VPN clients to connect, assuming the MX model supports that many concurrent users. See the MX Sizing Principles guide for exact numbers.

WAN Miniport is Corrupted

Reinstall WAN Miniport devices:

  1. On the affected device, press the Windows key and type Device Manager
  2. From the search results, click on Device Manager
  3. Expand the Network Adapters group
  4. Right-click all the network adapters beginning with WAN Miniport and then select Uninstall device
  5. From the menu, select Action > Scan for hardware changes to reinstall the WAN Miniport devices

For more information, see "Error 720: Can't connect to a VPN Connection" when you try to establish a VPN connection in Microsoft Documentation.

SmartByte application

VPN connections might encounter issues on Windows devices with the SmartByte application. If it is installed, try uninstalling it and reinitiating your VPN connection.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
  2. Tags
    This page has no tags.