Meraki

Community

AnyConnect VPN Event Log

RWatson626
Conversationalist
Wednesday
Wednesday

AnyConnect VPN Event Log

Hello,

 

Not sure who this connection is. Does this Event log showing an AnyConnect VPN authentication failure indicate that no successful connection was established at the Anyconnect or they were able to connect to Anyconnect and got rejected at the radius? Should I be concerned?


RADIUS[33] Server IP=XXX.XXX.XXX.XXX Server port=XXX Peer IP=XXX.XXX.XXX.XXX Peer port=XXX: Received access-reject.

 

 

 

Event-log-Meraki-Dashboard-03-26-2025_07_26_AM.png

 

 

Thanks 

Ron

 
 
 
 
0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Wednesday
Wednesday

The connection was rejected by the Radius server, that is, someone tried to connect but as the credential is probably not valid, it was not possible to establish the connection.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MaghM
Meraki Employee
Meraki Employee
Wednesday
Wednesday

Hi @RWatson626 

 

For some reason, the RADIUS server is rejecting the authentication request, here is the RADIUS config, feel free to double check the settings. 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
RWatson626
Conversationalist
Wednesday
Wednesday

Thank you for the quick replies. VPN is working correctly my concern is It's an unknown IP making the connection. should I be concerned at all?

 
0 Kudos
In response to RWatson626
alemabrahao
Kind of a big deal
Wednesday
Wednesday

Your main concern should be whether the connection is successful. It is common these days for someone to try to exploit a vulnerability.

But it is a good idea to keep an eye out for any suspicious activity.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to RWatson626
MaghM
Meraki Employee
Meraki Employee
Wednesday
Wednesday

Oh sry I misunderstood the question in the beginning, as well if the log is yet ongoing, feel free to take pcap to confirm the mac address, then block this device from the dashboard using this Documentation 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to RWatson626
michalc
Meraki Employee
Meraki Employee
Wednesday
Wednesday

Hi @RWatson626 ,

 

 

I'd say you should be moderately concerned. If the Peer IP is unknown, from an odd location, or part of multiple failed attempts, it’s worth investigating further as a potential security incident. I'd recommend to:

  • Block the IP: As a precaution, block the unknown Peer IP in your Meraki firewall or VPN settings. It’s low-effort and prevents further attempts from that source.
  • Monitor Logs: Watch for more unexpected IPs or failed logins over the next day or two. Patterns matter more than a single event.

 

Is it possible that one of your users mistyped their credentials, their account is locked, or their access has expired and they were logging in from a custom location?

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
GreenMan
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
Wednesday
Wednesday

Maybe have a word with your ISP, see if they can advise more on the source - and possibly block it at their end?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.