Meraki L2TP VPN doesn't work after joining computer to domain

Sort of losing my mind here. We have 3 computers that the VPN refuses to work with after they are joined to the domain. All different users, all different model computers. I already uninstalled as many Windows updates from the past 3 months as I could; this only started happening maybe a week ago.

It does throw an 811 error indicating a shared key mismatch, but I know for a fact it’s not that.

I am going to perform a firmware upgrade on the MX tonight. Does anyone have any thoughts?

EDIT:

Solved the problem, it was a granular GPO that caused the issue. Removed it and works now.

There were Windows updates recently, I don’t remember which update it was but you could definitely find it on Google, that were wreaking havoc on L2TP VPN connections. It wasn’t throwing out the error message that you’re getting but still might be something to look into.

Make sure you’re not hitting the Windows update issue, and I would look at the AnyConnect client.

Are you using CMAK to deploy VPNs? Regardless, the issue might not be limited to those, try this.

After you join to the domain, try connecting to the VPN but elevate the connection process. For example, create a shortcut to the VPN connection if you don’t have one and right click and run as Administrator. You can probably also initiate the VPN connection from an elevated CMD or PowerShell prompt.

One thing we’ve run into is client devices automatically switching from PAP to MSCHAPv2.

If you recreate the vpn connection manually after joining to the domain, is it still the same?

Error message would help. This should do the trick.

Windows 10: wusa /uninstall /kb:5009543
Windows 11: wusa /uninstall /kb:5009566
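As an added example (not posted by anyone in this thread): a read-only PowerShell check that covers the points raised so far in one pass, i.e. whether the two KBs named above are installed, what authentication method and tunnel type the connection currently has (the PAP vs MSCHAPv2 point), the RasClient events that carry the RAS error code (811 in the original post), and the computer-scope GPOs applied to the machine. The connection name is a placeholder; nothing here changes the system.

```powershell
# Added example, not from the thread. Read-only diagnostics for the L2TP/IPsec symptoms discussed.
# Assumption: the VPN profile is named "Meraki VPN" (placeholder, replace with your own).
$VpnName = 'Meraki VPN'

# 1. Are the cumulative updates named in the thread present?
#    KB5009543 (Windows 10) / KB5009566 (Windows 11) are the IDs given above.
foreach ($kb in 'KB5009543', 'KB5009566') {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "$kb installed on $($hf.InstalledOn)" } else { "$kb not installed" }
}

# 2. How is the profile actually configured right now? A domain join (or a GPO applied
#    at join time) can leave TunnelType/AuthenticationMethod different from what was
#    set up originally. Check both the per-user and the all-user phonebook.
$conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
         @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$conns | Where-Object Name -eq $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, L2tpIPsecAuth, EncryptionLevel |
    Format-List

# 3. RasClient event 20227 records each failed dial together with the RAS error code
#    (e.g. 811). Pull the last 24 hours so the "post the logs" request can be answered.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object Id -eq 20227 |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Which computer-scope GPOs are applied? Diff this between a working and a
#    non-working machine; the original poster's fix was removing one GPO.
gpresult /r /scope:computer

# To reproduce the "dial from an elevated prompt" suggestion without the GUI, run
#   rasdial "$VpnName"
# from an elevated PowerShell window; the resulting failure shows up as event 20227 above.
```

Run it on one affected and one unaffected machine and compare the output of steps 2 and 4 side by side; a profile whose AuthenticationMethod or L2tpIPsecAuth differs between the two, or a GPO present on only one, is the first thing to look at.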

Doesn’t appear to be Windows updates, as not all our computers are affected, even those within the same band. It also didn’t work through the Draytek client, not sure if it’s a client issue or not.

I am not using CMAK, and the elevated process results in the same return. We have relatively few VPN users, so I confirmed with the rest of them that their VPN was functional and that is backed up via the client monitor within the dashboard.

Are the machines that aren’t affected in a separate forest or OU?

They are not, they are all in different groups, with other computers that work fine.

I reformatted one just now, and the VPN works fine on initial setup. The computer was then added to the domain and an AD user logged in and now the VPN does not function at all. Completely at a loss here.

If you log in as, say, a local admin account on the machine (not a domain account) after it’s been joined to the domain, does the VPN work under that account?

Initially, before it is added to the domain, the local admin works fine. After it’s added to the domain, no, the local admin VPN does not function.

Do you see anything in the logs? You’ve not posted anything yet.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/troubleshoot-anyconnect.html

I actually got it working. It was GPO.