@Bsalami Is there any news on the MX client? Everyone is working from home and we want to force the corp/VPN connection. I had to develop a PowerShell script to auto-VPN users.
No update from my Meraki rep. Utterly ridiculous that it has taken this long, assuming they are doing anything. At this point, I am looking at moving as much as possible to the cloud to not only eliminate the need for VPN but to be able to completely ditch the 20 Meraki devices once my 3 years is up in 2021.
I am not a big fan of open source, especially with security stuff. I did try this VPN client from DrayTek and was able to connect just fine. Connection seemed to be stable for the 4-6 hours I used it. Also not thrilled with the connection saying "Connected to Vigor" - that sounds a little scary to users. Maybe it is completely safe and there is a way to change the connection info? I just don't have the time to spend on it.
Hope everyone is doing well. We will be starting a new round of BETA testing soon. I will update this thread with details. I know the anticipation is real, just know that we can't wait to get BETA started! More details to come.
This post was sent over my AnyConnect session on an MX100. So the MX100 and MX84 will support AnyConnect. We got you too!
The MX84 and MX100 use Intel CPUs where the smaller MX firewalls use ARM cores. Does this mean AnyConnect isn't supported on the ARM CPU devices?
@Bsalami Is there anything being discussed about AnyConnect for vMX? We bought the license but we are avoiding using it as SSL VPN isn't supported.
"This post was sent over my AnyConnect session on an MX100. So the MX100 and MX84 will support AnyConnect. We got you too!"
This is good news. I'd be happy with an MX84 replacement but will be glad to use AnyConnect on my existing device. Should we contact our rep if we want to be included with this next beta phase?
Are there any plans to support AnyConnect also in vMX100 models? I think support is important since many customers have no services on-prem, but instead all services are located in "private cloud" inside public cloud like Azure.
Some Meraki customers that I know needed to learn/deploy vASA to enable AnyConnect SSL VPN for employees with Azure AD authentication (2MFA enabled).
We had an "exclusive" look at it 2 weeks back, since one of our customers desperately wanted to see it.
Also got the info, if you're a Meraki customer already, you can ask your sales rep to be included into the beta. Not a 100% chance of you getting into it though. Probably better chances if you have full stack and lots of Meraki stuff (and obv. an MX).
We keep hearing next FY for the open beta. (Which would be starting August)
My recommendation to everyone is to find a different VPN solution. Meraki is just stringing everyone along and trying to get them to upgrade to more expensive equipment. The "beta" story hasn't changed in 8 months, and the "release date" keeps getting pushed back. Let's face it, Meraki (Cisco) already has the AnyConnect client in production and has for years. If it was important to them they would have put their top engineers on the issue, and modified the existing AnyConnect client to work with Meraki and specifically the MX models. Would have taken a month at the most. Hell, the native Apple/Mac client works and connects, MS Win10 client works (when it wants to) and the DrayTek VPN client I mentioned in an earlier post seems to work. Even if they decided to start from scratch, this issue should have been resolved 6 months ago.
We would definitely be interested in it, as I'm currently using an ISR to service AnyConnect clients and landing them on the MX84 would be a heck of a lot better.
Except I need to force my users to use VPN. They will not do it if we tell them to. The only way I have had any luck is with a PowerShell script. Even then it's buggy. Any ideas on how to force the VPN connection?
I have also had better luck with the PowerShell script to add the VPN for Windows 10 clients but still run into the occasional computer that drops settings. It'd be nice to use AnyConnect, even nicer if I can transfer my perpetual AnyConnect licenses from my ASAs to new MXs.
🤣@AnythingHosted You made my Friday with that, I might work for a gambling company but I don't think that we'd give odds on there not being a charge. I could be pleasantly surprised though 🤞
Haha, yeah I don't see them giving this away for free. It's obviously incredibly amazing software since it's taken years to develop.
@Bsalami Curious since this is still a unicorn right about now: what kind of MFA support should we be expecting once the AnyConnect client is released?
Or anyone who might be evaluating the beta AnyConnect client on an MX, would you care to share how you can handle MFA for Client VPN access? After all, Duo Security was acquired by Cisco. Just like Meraki...
It would be amazing if we could get some decent updates around here. I already complained to my Meraki rep about the serious lack of communication from Meraki to the masses. In comparison, it almost makes the White House look like masters in public relations in the last 6 months over anything that is COVID19 related...
@lmorel I would be willing to bet that they will allow us to point to a RADIUS server for external auth. If that's the case then you can use a Duo Authentication Proxy or Network Policy Server (NPS) extension for Azure MFA. I have been using Duo with the current Client VPN and it has been working just fine.
On a Meraki Partner update today, the AnyConnect VPN was brought up several times. We were told that when version 15 of MX's software is GA released that v16 will be made into a beta and v16 has the AnyConnect support.
I took this as a slight cop-out. Hasn't v15 been in beta for over 2 years?
I don't think there has been a stable release candidate for v15 either!?! I was under the impression that the different stages were derived by the number of "stable" beta installs without reported issues?
Seriously, V15 has been in beta a long time. So how many years until V16 comes out in GA? It's baffling that a Meraki rep mentioned this was on their "short list" 5 years ago, and yet we still have years to wait. It's not even new software, why is this so hard to make happen??? I have so many issues with site-to-site with 3rd party firewalls that I have to keep a separate firewall online to handle those in some cases. Can't they at least make client connections easy?
"ciscomeraki (Cisco Meraki), 6 points, 5 years ago
I actually wrote the KB article you linked to. I wouldn't say that we don't put any development resources into client VPN. It would be more accurate to say that we don't devote resources to working on the EXISTING L2TP/IPsec Client VPN implementation because we want to remove it entirely in favor of SSL VPN/AnyConnect support. I don't have an ETA on this unfortunately, but it's on the short list of features to work on once we get through our current IWAN feature release later this calendar year."
@MikaVuokko a bit off topic for this thread but Meraki just announced a rebranding on VMX100 which is going to be called medium. LIC-VMX-M and the duration for this after they update global price list. The reason for this being that they'll introduce small and large versions for the VMX family later on this year.
Will MX64 & MX65 also support AnyConnect VPN? Meraki has a current Remote Worker promotion on the entire MX family. Not much of a remote worker/VPN solution when/if the MX64 doesn't support AnyConnect when the firmware finally (if Meraki ever get their act together) goes GA is it? If it was never intended to be available for certain MX models then Meraki should have mentioned so on spec sheets and/or roadmaps so partners would have known to not be selling MX64 or MX65 with the expectation it would support AnyConnect at some point.
@Cohort_Networks isn't that promotion focussing on hardware clients for remote workers, i.e. Z3 and small MXs or am I misunderstanding?
@cmr No, the Remote Worker incentive/promotion applies to the entire MX family promoting it as a remote worker solution which would obviously include client VPN on the MX64 for a small office. Not much of a remote worker solution for end-customers wanting reliable client VPN option using AnyConnect on an MX64 device that hasn't even reached end-of-sale yet because Meraki isn't giving any clarity on what MX devices will support AnyConnect when/if the firmware ever goes GA. If the intent was never to support the MX64 which has yet to reach end-of-sale then they should have been upfront on that rather important detail.
It's frustrating that Meraki can't communicate effectively on this topic especially since they have put the word out there AnyConnect is coming. That said, if it was never intended for the MX64 they should have said so so we didn't sell the devices with the expectation AnyConnect support would be coming.
@Cohort_Networks I agree that some clarity of a product already in closed beta would be good. It seems that MX84 and above will support AnyConnect at some point (MX16?) but if the MX6x devices will not be included, that would be better to state now, not wait until it comes out as a footnote of a product release.
FYI: My understanding is MX67/68 are supporting AnyConnect on the Closed Beta (unless that has changed without my knowledge) but why not the MX64 without any indication either way when the firmware goes GA from Cisco Meraki.
Honestly, I'm starting to muse that Meraki Community staff are perfectly happy to let important questions go unanswered. Nobody from Meraki appears to rush to answer anything in any sort of useful detail on this and/or many other fronts. All it takes is someone to say "MX64 is not currently supported on the AnyConnect beta but will be supported when support goes GA" OR "MX64 is not currently supported on the AnyConnect beta and will not be supported when support goes GA". If the latter, however, they had better have a good reason why the community was not made aware of this considering the device has not had an end-of-support date let alone an end-of-sale date announced.
Like many others I've been waiting patiently for the release of the AnyConnect client that works with Meraki. Hopefully it's not going to be much longer. However, my business has not been able to wait endlessly for a solution so I've had to look for an alternate solution.
I've come across a client that works brilliantly and seems to tick all the boxes in terms of ease of use, simple to deploy, supports multiple profiles (in case you wanted to provide alternate client VPN site connections over a multi-site SD-WAN network), can redirect all traffic through the tunnel or allow local breakout and can easily standardise it by distributing the profile file. So for my org it's all the options we've been looking for with the exception of GPO deployment and administration. In our case we also opted to use an internal RADIUS server for better security and configured the Meraki to provide certificate-based authentication allowing users to connect using their AD username and password. It is a free client supplied by DrayTek (intended for use with their Vigor routers). It supports various connection types but the L2TP over IPsec works seamlessly with the Meraki, is fast and like I said ticks all the boxes. Our only concern is it's not a Cisco product and either DrayTek or Meraki can release an update at any time and boom, no VPN. As soon as AnyConnect is released we plan to switch but right now we sort of have no choice, especially since we've had real difficulty getting the native Win10 client to work (and that solution puts a load onto my helpdesk).
So with this in mind I just wanted to reach out to the experts here and ask if there is any reason to be concerned (security wise) about using the DrayTek client? I also thought, for those that are desperate for a solution that works until AnyConnect is ready, that this might prove useful. For those who are interested to try it then the client can be downloaded here: https://www.draytek.com/products/smart-vpn-client
Just got the info that AnyConnect should launch in February.
The documentation is already online
I was wondering the same thing.
Here's my research and possible guess:
It looks like AnyConnect will require the "SDWAN Plus" license for the MX. I wonder if they will be hardcoding a limit of client VPN sessions based on their sizing guides?
For example, I have an MX84 with the "Advanced Security" license, which as per their sizing guide can support up to 100 client VPN sessions. (Though I think it can handle more being that I am only using it as a client VPN concentrator).
So I will have to buy an upgrade license to get the SDWAN Plus (1 Year SKU: LIC-MX84-SDW-1Y), which costs about $2,257 USD at CDW.com. And maybe the device will be limited to 100 client VPN sessions? (I hope not!)
The document is not referring to SDWAN Plus. I'm pretty sure it will be the existing AnyConnect Plus licensing.
At least this would make perfect sense because those enable you to use each available VPN headend in your environment, MX will soon be one of them.
That's helpful, as my understanding is that the Beta has had pretty typical licensing requirements with Advanced Security being sufficient, not sure about Enterprise.
Ahh. I wasn't aware of an AnyConnect Plus license. I haven't had to buy AnyConnect licensing in a long time.
So if I had approx 200 users that would use the VPN, I would be looking at the "AC-PLS-P-250-S" license?
Which on CDW.com is around $3,637.49 USD.
I wonder how they will apply the licensing with the MX's. Do you think it will be applied in such a way to enforce session count limits, or honor based?
I understand Cisco's R&D investment into AnyConnect, but to continue to charge very high costs for the remote client versus both the native clients and/or their competitors with Meraki will not go over well with their customers IMHO.
"I understand Cisco's R&D investment into Anyconnect"
Haha, R&D investment for sure. This has been in development for 5+ years for some unknown reason.
I tend to agree. Meraki licensing fees, particularly for the more feature-rich packages, are already pretty significant. The SMB market is only going to be so tolerant IMHO. I already find Adv. Sec a hard sell compared to Enterprise with some orgs, so I can't imagine the conversation playing out well in telling them that the SSL VPN client will cost even more on top of that.
I'm hoping that either there's a significant discount or that it gets rolled-into the more expensive license packages. That would be saleable IMHO, if you only get Enterprise, you'd have to pay for AnyConnect licensing separately, but it would be rolled into Adv. Sec and up.
Agreed. Since it seems the client will not include a lot of ancillary features the AnyConnect client includes for the FTD/ASA version, licensing should be included in the Adv. SEC license.
I quickly calculated in CCW.
I'm in the EU though so prices and license names may vary.
The AnyConnect Plus licence for 200 unique users is ~2400$ list price for a three year subscription.
Which would be this L-AC-PLS-3Y-S2.
I'm not too familiar with AnyConnect licensing though so I might have forgotten something.
I'm guessing you'll just have to have active MX's and AnyConnect licenses. Hoping it will work with MX Enterprise also.
Please note that AnyConnect Licensing has nothing to do with the platform you're using as VPN headend! You're obliged to license the client itself, not the platform you're using to terminate that connection. Regarding that, Meraki doesn't have anything to do with the price you're paying for using the Cisco standard VPN client. 🙂