AnyConnect VPN connection concerns

Solved
JessIT1
Building a reputation

Seeing some AnyConnect VPN rogue IPs trying to connect this evening; not sure if they are actually making a connection into our firewall?

example of log:

Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[OUR MX95 WAN IP] Local-Port[443] Prot[TCP] Peer-IP[71.239.88.253] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)

Not seeing any actual AnyConnect VPN clients connected that are suspicious, just these random TLSv1.2 attempts.

We have AnyConnect VPN enabled using SAML with DUO 2-factor setup for VPN allowed users.

Thanks

1 Accepted Solution
JessIT1
Building a reputation

Update from Meraki support

Your concern is valid, and the situation calls for a clear understanding of how to interpret and handle these logs. If you're seeing an "AnyConnect VPN connection established" log entry for a known malicious IP, it can indeed be alarming, even if no credentials were used or access was gained. The "connection established" log might only indicate that the malicious actor initiated a VPN handshake, not that they successfully authenticated. The actor would need valid credentials (username and password or certificate) to fully establish a session and access resources. Also, some systems log the handshake as "established" regardless of authentication success. If this IP is flagged for malicious activities like HTTP scanning and SSH brute force, it suggests automated probing or attacks. The IP scanning your public-facing WAN is attempting to connect via AnyConnect but may not have succeeded beyond the initial handshake. So, this means a "connection established" log entry typically indicates that a TCP or UDP handshake occurred. This doesn't necessarily mean a user authenticated or gained access to sensitive resources—it might simply mean that a connection attempt was technically successful. False positives can occur in systems that have broad detection rules or rely on incomplete data to flag activities.

For example:

  • IDS/IPS or firewall logs might show traffic that matches suspicious patterns but isn't actually malicious.
  • An endpoint or system might flag a benign but unusual behavior as rogue.

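As an added illustration of the support reply's point (this is not code from the thread or from Meraki), the script below parses MX AnyConnect connection-event lines in the format quoted in the question and flags peer IPs that completed a TLS handshake but never produced an authenticated-session event. The wording of the session-started event, the function names and the sample log lines are assumptions constructed here; the thread only quotes the handshake event.

```python
import re
from collections import defaultdict

# Matches the "connection event" line quoted in the question (TLS handshake only).
CONN_RE = re.compile(
    r"Peer-IP\[(?P<ip>[^\]]+)\] Peer-Port\[(?P<port>\d+)\] Conn-ID\[(?P<cid>\d+)\] "
    r"(?P<tls>TLSv[\d.]+) connection established"
)
# Hypothetical format for a successful authentication/session event. The MX
# wording for that event is not quoted in the thread, so this is an assumption;
# adjust the pattern to whatever your MX actually emits after SAML/Duo succeeds.
AUTH_RE = re.compile(r"session started user\[(?P<user>[^\]]+)\] Peer-IP\[(?P<ip>[^\]]+)\]")


def classify_peers(lines):
    """Group events by Peer-IP: handshake count, whether any session authenticated, users seen."""
    peers = defaultdict(lambda: {"handshakes": 0, "authenticated": False, "users": set()})
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            peers[m["ip"]]["handshakes"] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            peers[m["ip"]]["authenticated"] = True
            peers[m["ip"]]["users"].add(m["user"])
    return dict(peers)


def handshake_only_peers(lines, min_handshakes=1):
    """Peer IPs with at least min_handshakes TLS handshakes and no authenticated session.

    These are the scanner-style entries the support reply describes: a TCP/TLS
    handshake was logged as "established", but no user ever authenticated.
    """
    return sorted(
        ip for ip, p in classify_peers(lines).items()
        if not p["authenticated"] and p["handshakes"] >= min_handshakes
    )


# Constructed sample log (documentation IPs). Line 1 mirrors the shape quoted in the post.
SAMPLE_LOG = [
    "Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[203.0.113.10] Local-Port[443] Prot[TCP] Peer-IP[198.51.100.77] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)",
    "Dec 1 20:22:09 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[203.0.113.10] Local-Port[443] Prot[TCP] Peer-IP[198.51.100.77] Peer-Port[51731] Conn-ID[10] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)",
    "Dec 1 20:25:40 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[203.0.113.10] Local-Port[443] Prot[TCP] Peer-IP[192.0.2.15] Peer-Port[60210] Conn-ID[11] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200)",
    "Dec 1 20:25:44 AnyConnect VPN session started user[jdoe@example.com] Peer-IP[192.0.2.15] assigned 10.8.0.23",
]

if __name__ == "__main__":
    for ip in handshake_only_peers(SAMPLE_LOG):
        print(f"handshake-only peer (never authenticated): {ip}")
```

Raising `min_handshakes` turns the list into a simple repeat-scanner report; a peer that appears in both patterns is a legitimate user and is excluded.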

6 Replies
Brash
Kind of a big deal

I'm not sure, but my suggestion is to perform a test connection from a client device to the MX and fail authentication. Then check the MX logs and see whether a similar event is logged or not.

PhilipDAth
Kind of a big deal

This is a "normal" HTTPS scan you are seeing. It could be an attacker. It could be a search engine. It could even be Shodan.

https://www.shodan.io/

JessIT1
Building a reputation

Thank you for the feedback. My concern is, if it's an attacker, do these logs confirm the connection into our network was successful? We also have IDS advanced security with Meraki.

PhilipDAth
Kind of a big deal

It does not mean there has been a successful connection to your network.

JessIT1
Building a reputation

OK, so basically someone, or a scanning engine/service, is pegging our public-facing WAN IP on port 443 and somehow establishes a TLSv1.2 connection with a cipher, but never gets an internal network VPN IP like legit users would get when connecting via their AnyConnect VPN agent using our unique AnyConnect server URL, authenticating with their email address and password that syncs from our AD accounts in the allowed VPN group of users, and then getting the push to their DUO Mobile app to complete the connection.
