
Unable to Connect to Client VPN from All Devices

This article provides guidelines for troubleshooting Client VPN issues when all devices are unable to connect. It outlines steps such as verifying MX availability, ensuring the correct MX IP address is specified, using Dynamic DNS, addressing upstream NAT/firewall issues, resolving authentication problems, correcting shared secret mismatches, and confirming the proper encryption method.

This article provides troubleshooting steps for issues where no client VPN users can connect. If some users can connect, please check Unable to Connect to Client VPN from Some Devices.

MX Availability 

Verify that your MX is online and accessible over the internet.

  1. In the Meraki Dashboard, navigate to Security & SD-WAN > Monitor > Appliance status
  2. Click on the Tools tab at the top of the Appliance status page
  3. Click the Ping appliance button
  4. Confirm that the MX successfully returns a ping

Incorrect MX IP Address Is Specified 

Verify that the client VPN is configured to connect to the MX using the correct IP address. The MX IP address is located in the Meraki Dashboard on the Security & SD-WAN > Monitor > Appliance status page.

When using two uplink connections, the MX IP address might change when the uplink fails over from primary to secondary. VPN connections configured to use the primary MX IP address would no longer work.

Use Dynamic DNS (DDNS)

Consider enabling Dynamic DNS and using the hostname (e.g. ".com") rather than the MX IP address for connecting to the VPN. The MX hostname is located in the Meraki Dashboard on the Security & SD-WAN > Monitor > Appliance status page.

Upstream NAT/Firewall Issue on the MX 

If your MX is behind a NAT device (for example, an upstream router or ISP modem), the MX uplink might have a private IP address in the 172.16.X.X, 192.168.X.X, or 10.X.X.X range. Ensure UDP traffic on ports 500 and 4500 is being forwarded to the private uplink IP address of the MX.

Verify there are no firewalls blocking UDP traffic on ports 500 or 4500.

Take a packet capture on the WAN interface of the MX and confirm that UDP port 500 and 4500 traffic from the public IP of the VPN client is reaching the MX. See Troubleshooting Client VPN with Packet Captures for more information.
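
The following is an added example, not part of the Meraki documentation: a Python script that reads tcpdump-style text output from a WAN capture and reports which of UDP 500 and 4500 never arrived from the client's public IP, and on which ports the MX did not answer. The `check_capture` helper, the addresses, and the sample lines are constructed for illustration.

```python
import re

# Matches the address part of a tcpdump-style text line:
#   "IP 203.0.113.10.500 > 192.168.1.2.500: isakmp: ..."
FLOW = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
VPN_PORTS = (500, 4500)  # the UDP ports the article says must reach the MX

def check_capture(lines, client_ip, mx_ip):
    """Summarise VPN traffic between one client and the MX uplink IP."""
    inbound, replied = set(), set()
    for line in lines:
        m = FLOW.search(line)
        if not m or "Flags [" in line:      # skip unparsable and TCP lines
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if src == client_ip and dst == mx_ip and dport in VPN_PORTS:
            inbound.add(dport)
        elif src == mx_ip and dst == client_ip and sport in VPN_PORTS:
            replied.add(sport)
    return {
        # Ports the client never reached: check upstream forwarding/firewall.
        "missing_inbound": [p for p in VPN_PORTS if p not in inbound],
        # Ports that arrived but drew no reply from the MX.
        "no_reply_on": sorted(inbound - replied),
    }

# Constructed sample: the MX uplink is 192.168.1.2 behind an upstream NAT
# that forwards UDP 500 but not UDP 4500.
SAMPLE = """\
10:15:01.101 IP 203.0.113.10.500 > 192.168.1.2.500: isakmp: phase 1 I ident
10:15:01.140 IP 192.168.1.2.500 > 203.0.113.10.500: isakmp: phase 1 R ident
10:15:01.320 IP 198.51.100.7.53211 > 192.168.1.2.443: Flags [S], seq 1, length 0
10:15:02.002 IP 203.0.113.10.500 > 192.168.1.2.500: isakmp: phase 1 I ident
10:15:02.040 IP 192.168.1.2.500 > 203.0.113.10.500: isakmp: phase 1 R ident
""".splitlines()

if __name__ == "__main__":
    print(check_capture(SAMPLE, "203.0.113.10", "192.168.1.2"))
```

A port listed under `missing_inbound` points at the upstream forwarding or firewall rules described above; an empty capture for the client lists both ports.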

Authentication Issue 

If receiving authentication errors:

  • Verify that the connection is configured with the correct username, password, and shared secret
  • Try a different authentication method, such as Meraki Cloud Authentication, RADIUS, or Active Directory

Shared Secret Mismatch 

VPNs require the shared secret to match on the VPN server and client before tunnels can be established. To view the shared secret:

  1. In the Meraki Dashboard, navigate to Security & SD-WAN > Configure > Client VPN
  2. On the IPSec Settings tab, scroll down to Shared secret
  3. Click Show secret
  4. Confirm this is the secret, or pre-shared key, used in the client configuration

Try changing the shared secret if the issue persists. As a best practice, the shared secret should not contain any special characters at the beginning or end.

Encryption Method 

Client VPN uses the L2TP/IPsec protocol, with 3DES encryption and SHA1 hashing.
