Meraki

Community

AnyConnect VPN connection concerns

JessIT1
Building a reputation
yesterday
yesterday

AnyConnect VPN connection concerns

Seeing some AnyConnect VPN rogue IP’s trying to connect this evening, not sure if they are actually making a connection into our firewall..?

 

example of log:

 

Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[OUR MX95 WAN IP] Local-Port[443] Prot[TCP] Peer-IP[71.239.88.253] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)

 

Not seeing any actual AnyConnect VPN client connected that are suspicious, just these random TLSv1.2 attempts.

 

We have AnyConnect VPN enabled using SAML with DUO 2-factor setup for VPN allowed users.

 

thanks

 

0 Kudos
3 Replies 3
Brash
Kind of a big deal
Kind of a big deal
yesterday
yesterday

I'm not sure but my suggestion is to perform a test connection from a client device to the MX but failing authentication. Then check the MX logs and see if you see a similar event logged or not.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

This is a "normal" HTTPS scan you are seeing.  It could be an attacker.  It could be a search engine.  It could even be Shodan.

https://www.shodan.io/

 

0 Kudos
In response to PhilipDAth
JessIT1
Building a reputation
3 hours ago
3 hours ago

Thank you for the feedback. My concern is if it’s an attacker, do these logs confirm the connection into our network was successful?  We also have IDS advanced security with Meraki.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.