AnyConnect VPN connection concerns

JessIT1
Building a reputation

Seeing some AnyConnect VPN rogue IPs trying to connect this evening, not sure if they are actually making a connection into our firewall?

Example of log:

Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[OUR MX95 WAN IP] Local-Port[443] Prot[TCP] Peer-IP[71.239.88.253] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)

Not seeing any actual AnyConnect VPN clients connected that are suspicious, just these random TLSv1.2 attempts.

We have AnyConnect VPN enabled using SAML with DUO 2-factor setup for VPN allowed users.

Thanks

 

Brash
Kind of a big deal

I'm not sure but my suggestion is to perform a test connection from a client device to the MX but failing authentication. Then check the MX logs and see if you see a similar event logged or not.

PhilipDAth
Kind of a big deal

This is a "normal" HTTPS scan you are seeing.  It could be an attacker.  It could be a search engine.  It could even be Shodan.

https://www.shodan.io/

 

JessIT1
Building a reputation

Thank you for the feedback. My concern is if it’s an attacker, do these logs confirm the connection into our network was successful?  We also have IDS advanced security with Meraki.
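
An added example, not part of the original thread and not Meraki or Cisco code: a Python parser for the event format quoted in the first post. It counts "TLS connection established" events per peer IP and lists the peers that do not appear in a list of connected VPN client addresses. The sample lines use constructed documentation-range IPs, and `KNOWN_CLIENT_IPS` is a hypothetical list you would export yourself from the client list.

```python
import re
from collections import Counter

# Matches the event format quoted in the first post; other lines are skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) AnyConnect VPN .*?"
    r"Peer-IP\[(?P<peer>[^\]]+)\] Peer-Port\[(?P<port>\d+)\] "
    r"Conn-ID\[(?P<conn>\d+)\] (?P<tls>TLSv[\d.]+) connection established\. "
    r"Cipher: (?P<cipher>\S+)"
)

def parse_tls_events(lines):
    """Return one dict per 'TLS connection established' event."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def unmatched_peers(events, client_ips):
    """Count handshakes per peer IP that is not a known VPN client address."""
    counts = Counter(e["peer"] for e in events)
    return {ip: n for ip, n in counts.items() if ip not in client_ips}

def _line(ts, peer, port, conn):
    # Builds a constructed log line in the same layout as the quoted one.
    return (f"{ts} AnyConnect VPN AnyConnect VPN connection event msg: "
            f"Local-IP[192.0.2.1] Local-Port[443] Prot[TCP] Peer-IP[{peer}] "
            f"Peer-Port[{port}] Conn-ID[{conn}] TLSv1.2 connection established. "
            "Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)")

# Constructed sample input (documentation-range addresses, not real peers).
SAMPLE = [
    _line("Dec 1 20:22:05", "203.0.113.10", 51727, 9),
    _line("Dec 1 20:22:09", "203.0.113.10", 51730, 10),
    _line("Dec 1 20:25:41", "198.51.100.7", 40212, 11),
    "Dec 1 20:26:00 unrelated line (constructed)",
]

# Hypothetical: public IPs of clients shown as connected in the client list.
KNOWN_CLIENT_IPS = {"198.51.100.7"}

if __name__ == "__main__":
    events = parse_tls_events(SAMPLE)
    for ip, n in sorted(unmatched_peers(events, KNOWN_CLIENT_IPS).items()):
        print(f"{ip}: {n} TLS handshake(s), no matching VPN client")
```

Peers listed by `unmatched_peers` completed a TLS handshake on port 443 without a matching entry in the client list you supplied.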
