Unable to Connect to Client VPN from Some Devices
This article is for troubleshooting issues where some client VPN users are unable to connect. If no users can connect, see All Client VPN Users Unable to Connect.
Windows Users
Windows Update
Performing a Windows update might affect VPN or network adapter configurations. If the VPN connection stops working after an update, take a packet capture to verify bidirectional traffic is occurring between the VPN client and MX. See Troubleshooting Client VPN with Packet Captures for more information.
If bidirectional traffic is occurring and the VPN connection continues to fail, review the VPN configuration settings. See Client VPN OS Configuration for more information.
Sentry VPN helps admins configure and deploy client VPN profiles directly to Systems Manager-enrolled devices across platforms. Enrolled devices can then connect to VPN without additional end user configuration. See Systems Manager Sentry Overview for more information.
Common Windows Errors
If a client VPN connection is failing to establish from a Windows device, but no error message appears on the screen, use the Windows Event Viewer to find an error code associated with the failed connection attempt:
- On the affected device, press the Windows key and type Event Viewer
- From the search results, click on Event Viewer
- In Event Viewer, navigate to Windows Logs > Application
- Search the Error events for the connection failure
- Click the event to review the associated error code and details
Some common errors are listed below. See List of error codes for dial-up connections or VPN connections in Microsoft Documentation for a complete list.
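The same lookup can be scripted. The following PowerShell is an added example, not part of the original article; it assumes failed dial attempts are written to the Application log at Error level by the RasClient provider and that the message text follows the English wording matched by the pattern.

```powershell
# Added example: list failed VPN dial attempts and their RAS error codes.
# Assumption: failures are logged by the RasClient provider at Error level.
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'RasClient'
    Level        = 2            # 2 = Error
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Assumed English message form:
#   "... dialed a connection named <name> which has failed.
#    The error code returned on failure is <code>."
$pattern = '(?s)connection named (?<conn>.+?) which has failed.*?failure is (?<code>\d+)'

$failures = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Connection = $Matches['conn']
            ErrorCode  = [int]$Matches['code']
        }
    }
}

if (-not $failures) {
    Write-Output "No failed VPN connection attempts logged since $since."
} else {
    # Most recent failures first
    $failures | Sort-Object Time -Descending |
        Select-Object -First 20 | Format-Table -AutoSize

    # How often each error code (789, 691, 720, ...) occurred
    $failures | Group-Object ErrorCode | Sort-Object Count -Descending |
        Select-Object @{n = 'ErrorCode'; e = { $_.Name }}, Count |
        Format-Table -AutoSize
}
```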
Windows Error 628 and Windows Error 789
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer
Ensure that the proper protocols are selected under Authentication options in the VPN properties
Control Panel > Network and Sharing Center > Change adapter settings
1. Right-click the desired VPN connection and select Properties
2. Select the Security tab
3. Ensure Unencrypted password (PAP) is selected under Allow these protocols
Meraki Event Log
Example event log entries. See Meraki Event Log for more information:
Jul 2 13:53:20 VPN msg: invalid DH group 19.
Jul 2 13:53:20 VPN msg: invalid DH group 20.
This issue might not appear in the event log if the client traffic does not successfully reach the MX WAN interface.
Possible Causes and Solutions
Misconfigured VPN settings
Attempt to completely delete and reconfigure the VPN settings from scratch following the Client VPN OS Configuration KB. Windows devices are known to alter the settings without any user intervention.
Incorrect secret key (pre-shared key)
Ensure that the shared secret is configured correctly on the client machine. It must match between the MX and the client. For more information about setting the shared secret, see Client VPN OS Configuration.
Firewall blocking VPN traffic to MX
Ensure UDP ports 500 (IKE) and 4500 (IPsec NAT-T) are being forwarded to the MX and not blocked. If traffic cannot reach the MX on these ports, the connection will time out and fail.
IKE and AuthIP IPsec keying modules disabled
This might occur if third-party VPN software has been installed and disables the IKEEXT service. To reenable the service:
- On the affected device, press the Windows key and type Control Panel
- From the search results, click on Control Panel
- Navigate to Administrative Tools > Services
- Find the service named "IKE and AuthIP IPsec Keying Modules" and double-click to open
- Select Automatic from the Startup type drop-down menu
If the service automatically reverts to Disabled, or fails to start, remove the third-party VPN software.
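The steps above can also be run from an elevated PowerShell prompt. This is an added example, not part of the original article; the 60-second wait before re-checking is an arbitrary value chosen for illustration.

```powershell
# Added example: re-enable IKEEXT and check whether the change sticks.
# Run from an elevated PowerShell prompt.
$name = 'IKEEXT'   # service name of "IKE and AuthIP IPsec Keying Modules"

function Get-IkeState {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{ StartMode = $svc.StartMode; State = $svc.State }
}

$before = Get-IkeState
Write-Output "Before: StartMode=$($before.StartMode) State=$($before.State)"

if ($before.StartMode -eq 'Disabled') {
    # Same effect as selecting Automatic in the Startup type drop-down
    Set-Service -Name $name -StartupType Automatic
}

if ($before.State -ne 'Running') {
    try {
        Start-Service -Name $name -ErrorAction Stop
    } catch {
        Write-Warning "IKEEXT failed to start: $($_.Exception.Message)"
    }
}

# Re-check after a pause (illustrative interval): third-party VPN software
# may set the service back to Disabled or stop it again.
Start-Sleep -Seconds 60
$after = Get-IkeState
Write-Output "After:  StartMode=$($after.StartMode) State=$($after.State)"

if ($after.StartMode -eq 'Disabled' -or $after.State -ne 'Running') {
    Write-Warning 'IKEEXT reverted or is not running; check for third-party VPN software.'
}
```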
Windows Error 691
Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server
Meraki Event Log
Example event log entries. See Meraki Event Log for more information:
Jul 2 14:00:40 VPN msg: not matched
Jul 2 14:00:40 VPN msg: ISAKMP-SA established 82.35.46.78[4500]-174.45.35.220[4500] spi:b74e92b3b5360c16:ce602504804696a9
Possible Causes and Solutions
Invalid user credentials
Confirm user credentials are correct.
- When using Meraki authentication, usernames should be in email format (ex. user@example.com)
- When using AD or RADIUS authentication, be sure to enter the username in a format that will be recognized by the server, including the domain if needed (ex. DOMAIN\user)
User not authorized
If using Meraki authentication, ensure that the user has been authorized to connect to the VPN. See Client VPN Overview for more information.
No certificate on AD server
If using Active Directory authentication with Client VPN, make sure the AD server has a valid certificate for TLS. See Configuring Active Directory with MX Security Appliances and Certificate Requirements for TLS for more information.
Incorrect DNS name resolution from the MX's upstream DNS server
- If the MX is configured with an ISP DNS server, change this to a non-ISP public DNS server such as Google 8.8.8.8
- A mismatch of pre-shared keys between a RADIUS server and MX might result in bad encryption of the password
    - Change the pre-shared key in the Meraki Dashboard and the RADIUS client on the server
    - If this resolves the error, verify the secret used is correct on both devices
    - Use a less complex password if necessary
Windows Error 720
Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.
Possible Causes and Solutions
Client VPN Subnet IP Pool is Empty
Confirm by searching the Meraki Dashboard Event Log for the event type VPN client address pool empty. See Meraki Event Log for more information.
To resolve, configure a larger subnet size for client VPN users. Note that one IP in the subnet is reserved for the MX security appliance, so a /24 subnet which provides 254 usable IP addresses will allow for 253 VPN clients to connect, assuming the MX model supports that many concurrent users. See the MX Sizing Principles guide for exact numbers.
WAN Miniport is Corrupted
Reinstall WAN Miniport devices:
- On the affected device, press the Windows key and type Device Manager
- From the search results, click on Device Manager
- Expand the Network Adapters group
- Right-click all the network adapters beginning with WAN Miniport and then select Uninstall device
- From the menu, select Action > Scan for hardware changes to reinstall the WAN Miniport devices
For more information, see "Error 720: Can't connect to a VPN Connection" when you try to establish a VPN connection in Microsoft Documentation.
SmartByte application
VPN connections might encounter issues on Windows devices with the SmartByte application. If it is installed, try uninstalling it and reinitiating your VPN connection.
Error: The connection was terminated by the remote computer before it could be completed
Possible Causes and Solutions
The allowed protocols under the security tab are not set to unencrypted password (PAP) only
If you see this error, follow the steps below to set the allowed protocol to Unencrypted password (PAP) only.
- Choose the VPN connection and then right-click to navigate to properties > select Advanced options > Adapter Settings. Note: Alternatively, run ncpa.cpl directly from Search or Command prompt to quickly access your VPN adapters.
- In the Security tab, select Require encryption (disconnect if server declines) under Data encryption.
- Under Authentication select Allow these protocols and select Unencrypted password (PAP).
- Verify that no other protocols are selected.
- Press OK.
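To check the same settings without opening each adapter, and for the Authentication options check described under Error 789, the read-only PowerShell below lists every L2TP profile on the device and flags any that allow protocols other than PAP. It is an added example, not part of the original article, and it changes nothing on the device.

```powershell
# Added example: audit L2TP VPN profiles for the "PAP only" setting.
# Read-only; collects both per-user and all-user connection profiles.
$profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
            @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

$report = $profiles |
    Where-Object { $_.TunnelType -eq 'L2tp' } |
    ForEach-Object {
        $auth = @($_.AuthenticationMethod)
        [pscustomobject]@{
            Name        = $_.Name
            Server      = $_.ServerAddress
            AuthMethods = $auth -join ','
            # True only when PAP is the single allowed protocol
            PapOnly     = ($auth.Count -eq 1 -and $auth[0] -eq 'Pap')
            Encryption  = $_.EncryptionLevel
            IPsecAuth   = $_.L2tpIPsecAuth
        }
    }

if (-not $report) {
    Write-Output 'No L2TP VPN profiles found on this device.'
} else {
    $report | Format-Table -AutoSize

    # Profiles that need the Security tab corrected as described above
    $report | Where-Object { -not $_.PapOnly } | ForEach-Object {
        Write-Warning "$($_.Name): allowed protocols are '$($_.AuthMethods)', expected PAP only."
    }
}
```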


