[TSHOOT] Troubleshot Client VPN in Cisco Meraki MX Security Appliances

Hello @RedaMalaga.
I am glad that the video helped you!. Let me know if you need any additional help.

If you are unable to connect to VPN, you should be taking packet capture on the internet interface of the MX.

Hello @Elijah,
If the client VPN is not connecting, you should take pcaps in the internet interface to ensure the traffic from your client is reaching the MX. If it does, you can take a look at the video to understand the traffic flow and how to troubleshoot.
If the Client VPN is connected and your issue is accessing local resources, you should take pcaps in the Client VPN and the LAN interfaces to ensure the client is sending the traffic through the VPN tunnel and the MX is forwarding that traffic to the LAN.

He means he was already inside the LAN and was getting IP from the same DHCP and if you need to access office LAN from home you need WAN IP

Hello @Tim,
For the VPN clients talk to the internal networks, you do not need to make any changes in the MX. They would behave like another subnet inside the network. Unless you have a firewall rule in the MX or any Layer 3 devices blocking that traffic or the host you are trying to access has a firewall enabled blocking unknown traffic, all the subnets should be able to talk to each other.
To ensure the traffic is passing from your client VPN to the internal host, you can take packet captures in the LAN interface of the MX and filter the traffic for both IP addresses. If you see the traffic going out the MX, it means that something in the LAN or the host is blocking the reply.
If you take pcaps in the VPN and the LAN interface and you do not see the traffic, it means that the client VPN is not even sending the packets through the VPN tunnel.
To ensure you have reachability to the internal resources of your MX, I would recommend you to troubleshot using pings if the device supports it.

@@TheITWay thanks for the advice... but... something just not right...i've done packet captures on the internet, LAN & Client VPN interfaces on the MX and still the same. I can ping google.com and that gets a reply through the VPN, but I cannot ping anything internal. When on the internal network (not via the VPN), I can ping stuff all day and get a reply.
I'm using a Single LAN as the LAN configuration (192.168.1.1/24 w/ the MX at .250.) No static routes. Firewall: Layer 3 are the meraki defaults: Allow any for outbound rules, ICMP ping - allow any remote IPs. Layer 7 rules are denied for all P2P, Gaming & Advertising. No port forwarding, 1:1 or 1:Many NAT.
Client VPN is set up and I can see where an appropriate dhcp'd client vpn address is given (192.168.10.x) in the event log. Meraki cloud authentication is being used. Only default traffic shaping rules in effect.
I don't see the client vpn address in the LAN interface. (I'm guessing I should, right?)
In the client VPN.pcap, there are DNS queries between the client VPN & openDNS (208.67.222.222) when pinging google.com.
The Internet.pcap doesn't seem to tell me anything as I don't seen any IP addresses (client vpn or the external aircard through which I'm connected. (I've reset the 'internal' address of the aircard to be 172.16.x.x to avoid NAT conflicts already).
I'm stuck. While the VPN traffic does all route through the MX, which is fine, I need to be able to reach stuff on the inside of my network.
Any suggestions?

@@mangoman692 How did you end up solving the issue with the VPN connecting to the internal network (e.g accessing the printer). Thanks

@@darcyhellier8519 I never was able to get it sorted out.