Meraki

Community

AnyConnect VPN connection concerns

JessIT1
Building a reputation
yesterday
yesterday

AnyConnect VPN connection concerns

Seeing some AnyConnect VPN rogue IP’s trying to connect this evening, not sure if they are actually making a connection into our firewall..?

 

example of log:

 

Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[OUR MX95 WAN IP] Local-Port[443] Prot[TCP] Peer-IP[71.239.88.253] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)

 

Not seeing any actual AnyConnect VPN client connected that are suspicious, just these random TLSv1.2 attempts.

 

We have AnyConnect VPN enabled using SAML with DUO 2-factor setup for VPN allowed users.

 

thanks

 

0 Kudos
5 Replies 5
Brash
Kind of a big deal
Kind of a big deal
yesterday
yesterday

I'm not sure but my suggestion is to perform a test connection from a client device to the MX but failing authentication. Then check the MX logs and see if you see a similar event logged or not.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

This is a "normal" HTTPS scan you are seeing.  It could be an attacker.  It could be a search engine.  It could even be Shodan.

https://www.shodan.io/

 

0 Kudos
In response to PhilipDAth
JessIT1
Building a reputation
12 hours ago
12 hours ago

Thank you for the feedback. My concern is if it’s an attacker, do these logs confirm the connection into our network was successful?  We also have IDS advanced security with Meraki.

0 Kudos
In response to JessIT1
PhilipDAth
Kind of a big deal
Kind of a big deal
4 hours ago
4 hours ago

It does not mean there has been a successful connection to your network.

0 Kudos
In response to PhilipDAth
JessIT1
Building a reputation
2 hours ago
2 hours ago

ok, so basically someone physically or a scanning engine/service is pegging our public facing WAN IP with port 443, some how establishes a TLSv1.2 connection with a Cipher: but never gets an internal network VPN IP that are legit users would get when connecting via their AnyConnect VPN agent by using our unique AnyConnect Server URL, authenticating with their email address and password that synchs from our AD accounts in the allowed VPN group of users and then gets the push to their DUO Mobile App to complete the connection.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.