Meraki

Community

AnyConnect RDP Only p

Charlie_C
Comes here often
‎May 5 2023 9:18 AM
‎May 5 2023 9:18 AM

AnyConnect RDP Only p

Hi, I'm very new to meraki so apologies if I've missed something obvious here.

 

I've setup Anyconnect VPN and it works exactly as expected.

 

I then want to create a profile to limit what certain users get once connected.

 

my starting point is to create a profile with just RDP allowed.

 

When i connect the client, they get the default profile applied which works, i then swap them to the RDP only profile and wait around 5 mins, at which point that also works, they can only RDP. no ping, no browsing - exactly as expected.

 

However after a random amount of time (up to an hour) the client goes "offline" from the meraki (no green icon) but the client still says "connected". At this point nothing at all works. but he can happily disconnect and reconnect. but nothing works. If i swap him back to the default profile after a few minutes he goes green again in the meraki and things work again. I then start the process again, move him to RDP only, it works after 5 mins or so, he RDPs to a machine, works away then drops, he goes to no green icon and cant do anything again.

 

Is there some missing secret communication between the VPN client and the meraki that i'm missing which i'm blocking once i apply RDP only to him?

 

Any help at all would be appreciated as i cant find any documentation stating that i need anything to allow the clients to talk to the meraki.

0 Kudos
5 Replies 5
Jonathan-S
Meraki Employee
Meraki Employee
‎May 5 2023 3:19 PM
‎May 5 2023 3:19 PM

Hi Charlie_C,

 

I think it would probably make most sense to reach out to our Meraki Support team in order to assist with this configuration and any possible troubleshooting that may be done here. If you haven't engaged our Meraki Support team before you can navigate to Help > Get help from the upper-right-hand corner of your Meraki Dashboard portal, followed by clicking on the "Still need help?" link, and choosing either to submit an email case or to call the Meraki Support team.

 

Thanks!

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to Jonathan-S
Charlie_C
Comes here often
‎May 11 2023 1:52 AM
‎May 11 2023 1:52 AM

thanks for the reply - i'd already reached out to support and didnt get very far. I've been waiting weeks for a response.

Apparently there is a bug in the software that causes strange behaviour if you set the "default" profile for AnyConnect to anything other than "no group policy"

I've had an update from engineering to say its fixed but i'm still seeing random results and random firewall settings applied to my VPN clients. I'm yet to test swapping the default profile back to being RDP only as it broke all remote access last time.

0 Kudos
Jonathan-S
Meraki Employee
Meraki Employee
‎May 16 2023 9:57 AM
‎May 16 2023 9:57 AM

Hi Charlie_C,

 

I was able to do some testing with a similar configuration and found an interesting discovery. When initially creating a restrictive "RDP-only" Group Policy within the Meraki Dashboard, I too was having issues with RDP disconnects within minutes of the connection being established.

 

After further investigation, it appeared that the AnyConnect tunnel was still in tact and didn't seem to have been affected (confirmed from the AnyConnect end-client stats as well as performing auxiliary ICMP tests over the tunnel to the destination subnet).

 

After doing some Googling, I stumbled upon the following Reddit thread where a user was running into the same issue using an OpenVPN client and a poster responded with suggesting to disable UDP 3389 communication and once I modified my "RDP-only" Group Policy within Dashboard to only allow TCP 3389, the issues appear to have gone away (successfully tested over a three-hour period without any RDP disconnects). It seems as if the Microsoft UDP 3389 RDP bug might be more susceptible over client VPN connections? The poster on the Reddit thread did suggest disabling this through GPO but in my case, simply denying this traffic through the Group Policy in Dashboard seemed to do the trick.

 

Reddit Thread: https://www.reddit.com/r/sysadmin/comments/e2bhn1/rdp_disconnects_every_5min1hour_over_vpn/

 

Also, here is what my resulting test Group Policy looks like:

 

Screenshot 2023-05-16 at 11.51.35 AM.png

 

The AnyConnect configuration is set up as split-tunnel, with only the RDP subnet (...30.0/24) as an included route.

 

I am also thinking that this explains why we saw the AnyConnect client as show up as grey/inactive after a little while since given the highly specific nature of the AnyConnect connection (split-tunnel + only rules allowing RDP, which stopped working) the MX was marking the clients as offline as a result of not seeing any traffic pass through for several minutes. I'll post a blurb from our "Clients Usage Page Overview" KB below:

 

"Clients appearing on the Clients usage page will display their current status to indicate if they are currently active, as seen below in Figure 1. The activity threshold for a client is one minute. If a client does not pass traffic for longer than one minute, then the client will no longer be considered active. The status icon for an inactive client will appear grey."

 

 

I hope that this helps a bit!

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
In response to Jonathan-S
Charlie_C
Comes here often
‎May 19 2023 7:03 AM
‎May 19 2023 7:03 AM

Thanks again for your detailed reply. My 'RDP only' policy was TCP only (literally TCP on 3389 and deny everything else).

I'd be interested to know what happens to your setup when you apply the policy you created as the default here (in the client VPN settings)

Charlie_C_0-1684504694579.png

when i changed it there (so that all new connections have the 'RDP only' by default) I never see another new client come online. the client object is never created. Even though the VPN is connected from the client side.

0 Kudos
In response to Charlie_C
Jonathan-S
Meraki Employee
Meraki Employee
‎May 19 2023 2:53 PM
‎May 19 2023 2:53 PM

Hi Charlie_C,

 

My apologies for not including those details. I was in fact leveraging the "Default Group Policy" feature/functionality during my testing. I'll post a screenshot of my AnyConnect test configuration below:

 

Screenshot 2023-05-19 at 4.48.23 PM.png

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.