General troubleshooting steps for issues where no client VPN users can connect. If some users can connect, see Some Client VPN Users Unable to Connect.
Verify that your MX is online and accessible over the internet:
- In the Meraki Dashboard, navigate to Security & SD-WAN > Appliance status
- Click on the Tools tab at the top of the Appliance status page
- Click the Ping appliance button
- Confirm that the MX successfully returns a ping
Incorrect MX IP Address Is Specified
Verify that the client VPN is configured to connect to the MX using the correct IP address. The MX IP address is located in the Meraki Dashboard on the Security & SD-WAN > Appliance status page.
When using two uplink connections, the MX IP address might change when the uplink fails over from primary to secondary. VPN connections configured to use the primary MX IP address would no longer work.
Use Dynamic DNS (DDNS)
Consider enabling Dynamic DNS and using the hostname (e.g. ".com") rather than the MX IP address for connecting to the VPN. The MX hostname is located in the Meraki Dashboard on the Security & SD-WAN > Appliance status page.
Upstream NAT/Firewall Issue on the MX
If your MX is behind a NAT device (for example, an upstream router or ISP modem), the MX uplink might have a private IP address in the 172.16.X.X, 192.168.X.X, or 10.X.X.X subnet range. Ensure UDP traffic on ports 500 and 4500 is being forwarded to the private uplink IP address of the MX.
Verify there are no firewalls blocking UDP traffic on ports 500 or 4500.
Take a packet capture on the WAN interface of the MX and confirm that traffic from the public IP of the VPN client on UDP ports 500 and 4500 is reaching the MX. See Troubleshooting Client VPN with Packet Captures for more information.
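One way to run that check on a downloaded capture, as an added example that is not part of the original Meraki documentation: the script reads the text output of `tcpdump -nn -r capture.pcap 'udp port 500 or udp port 4500'` and counts packets in each direction between the client and the MX. The addresses, the sample lines, and the function names `summarize` and `diagnose` are constructed for illustration, and the capture is assumed to be filtered to UDP already.

```python
import re

# Address part of `tcpdump -nn` text output for IPv4 lines: "IP src.port > dst.port: "
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")
IKE_PORTS = (500, 4500)  # the UDP ports named on this page

# Constructed sample: MX behind NAT at 192.168.1.2, VPN client at 198.51.100.7.
SAMPLE = """\
10:15:01.000100 IP 198.51.100.7.500 > 192.168.1.2.500: isakmp: phase 1 I ident
10:15:01.020300 IP 192.168.1.2.500 > 198.51.100.7.500: isakmp: phase 1 R ident
10:15:01.150000 IP 198.51.100.7.4500 > 192.168.1.2.4500: NONESP-encap: isakmp: phase 1 I ident[E]
10:15:02.000000 IP 203.0.113.9.500 > 192.168.1.2.500: isakmp: phase 1 I ident
""".splitlines()


def summarize(lines, client_ip, mx_ip):
    """Count packets per direction between client and MX on UDP 500/4500."""
    counts = {d: {p: 0 for p in IKE_PORTS} for d in ("inbound", "outbound")}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4 line with ports (ARP, IPv6, truncated output)
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        # Match inbound on destination port only: client-side NAT may rewrite the source port.
        if src == client_ip and dst == mx_ip and dport in IKE_PORTS:
            counts["inbound"][dport] += 1
        elif src == mx_ip and dst == client_ip and sport in IKE_PORTS:
            counts["outbound"][sport] += 1
    return counts


def diagnose(counts):
    """Map the counts to the next troubleshooting step on this page."""
    inbound = sum(counts["inbound"].values())
    outbound = sum(counts["outbound"].values())
    if inbound == 0:
        return "no client traffic reached the MX: check upstream NAT/firewall forwarding"
    if outbound == 0:
        return "client traffic reached the MX but no reply was captured"
    return "traffic flows both ways: continue with authentication and shared secret checks"


if __name__ == "__main__":
    result = summarize(SAMPLE, "198.51.100.7", "192.168.1.2")
    print(result, diagnose(result))
```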
If receiving authentication errors:
- Verify that the connection is configured with the correct username, password, and shared secret
- Try a different authentication method, such as Meraki Cloud Authentication, RADIUS, or Active Directory
Shared Secret Mismatch
VPNs require the shared secret to match on the VPN server and client before tunnels can be established. To view the shared secret:
- In the Meraki Dashboard, navigate to Security & SD-WAN > Client VPN
- On the IPSec Settings tab, scroll down to Shared secret
- Click Show secret
- Confirm this is the secret, or pre-shared key, used in the client configuration
Try changing the shared secret if the issue persists. As a best practice, the shared secret should not contain any special characters at the beginning or end.
Client VPN uses the L2TP/IP protocol, with 3DES encryption and SHA1 hashing.