AnyConnect VPN support for MX devices

SOLVED
SLR
Building a reputation


Good Day -

 

Any status on when we expect to have full Cisco AnyConnect VPN support for the MX appliances? Thank you in advance; I've been asking for 3 years now.

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

I hate to be a buzzkill, @DillonofAnch17 but the sales reps have been saying "in the next 6 months" for the last couple of years. It's for reasons beyond their control, but I wouldn't get excited about AnyConnect support until you can start applying AnyConnect licenses to MX devices.


112 REPLIES 112
SunnyJ
Meraki Alumni (Retired)

Thanks for your patience. There is no update on the status and MX is still not supporting Cisco Anyconnect VPN at this time. However, Meraki is making exciting changes on a new beta firmware - 15.x. Please check back with Support periodically for a new feature. 

 

Thanks,

 

Sunny Joo

 

If this was helpful, click the Kudos button below. Also, if your issue was resolved, please mark the post resolved so other users can benefit in future.
lbouchard
Conversationalist

Where can we read more about new feature of the 15.x firmware?

@lbouchard I usually check these from dashboard: Organization -> Firmware upgrades. Running beta enabled org.

NFL0NR
Getting noticed

how much longer is 15 going to be in beta?  I've been hearing about "the wonderful advancements in firmware 15" for about 6 months.  

cmr
Kind of a big deal

@NFL0NR firmware stays in beta until I think ~10% of users install it, with 15.x incrementing rapidly this will take some time! We run 15.x on our production SDWAN but even with fairly regular updating we have some devices on 15.14, some on 15.15 and some on 15.16 so we aren't contributing much to the % of any of them...

DillonofAnch17
Getting noticed

@SLR While at Cisco Live last month I spoke with a few different Meraki employees who have spoken that the MX's will support Anyconnect eventually and it's more of a when and not if. This would be huge if it's going to be available on Beta. I will be watching closer now!

That'd be fantastic news indeed!
Nash
Kind of a big deal

I hate to be a buzzkill, @DillonofAnch17 but the sales reps have been saying "in the next 6 months" for the last couple of years. It's for reasons beyond their control, but I wouldn't get excited about AnyConnect support until you can start applying AnyConnect licenses to MX devices.

SLR
Building a reputation

I second this...

 

 

Arnout
Conversationalist

Any update regarding the AnyConnect support? I really need this!

Rebry
Here to help

I am going to bounce this up again! 

 

anyone got any news? 

SLR
Building a reputation

I got an email that it is actively in development. They think they will have a beta to announce very soon.

 

I will believe it when I see it.

 

they have been saying this for years.

dadinh
Here to help

Our sales rep just confirmed it going live in May this year!

Woohoo! 

 

It's the best news of this decade! 

Roska
A model citizen

Seeing is believing

lbouchard
Conversationalist

In the era of Trump and fake news, who can believe this anymore?

well true, but I like to believe in the good in people.
Since we also asked about this feature about 2 months ago, with the answer "no date", and now Meraki proactively informed us about this, there is maybe more to it than normally.
Roska
A model citizen

I believe you've managed to get some attention and into the closed beta group. Good luck, please post a reply here if you hear something. Thanks

SLR
Building a reputation

I need in on any beta testing group for anyconnect support as we have been waiting forever since we first installed the devices into our org.

dadinh
Here to help

I'm currently on a Cisco training and I got it approved again.
Anyconnect for Meraki is more or less already finished and is getting implemented into the beta now.

Wow, finally, this will be GREAT!!!

Was told today same thing. I am getting an additional MX through SHI and my account manager was going back and forth with his Meraki point of contact. Then I remembered this thread so I asked him about AnyConnect. He came back and said that he was told AnyConnect is in beta and release should be late spring. Exciting news to say the least.

 

So the real question is: has anyone taken a 4K picture of Big Foot yet?

Nash
Kind of a big deal

You know, I really hope we can hear from some of the beta testers.

 

I need to know if this will let me create multiple VPN user groups and specify split tunnel easily or not. Like, is it AnyConnect AnyConnect? Or is it AnyConnect as an SSL VPN client, but no real changes otherwise?

cmr
Kind of a big deal

I'd bet on it being the latter option...

Nash
Kind of a big deal


@cmr wrote:

I'd bet on it being the latter option...


Which is cool. I love dumping all of an end user's traffic out through my client's 10/1 Mbps DSL pipe when they're working from home and streaming music or Youtube.

In which firmware version will it be supported? I'm going to upgrade to the 15.27 MX version but it seems it is still not mentioned... any news about it?

MX250/450 and MX67/68 are the testing platforms on closed beta.

cmr
Kind of a big deal

@Roska what firmware version is needed, or is that not relevant?

Roska
A model citizen

EDIT: closed beta FW push. Unfortunately not aware of the FW version required.

NFL0NR
Getting noticed

The version has to be pushed to your device, and the only way that happens is if you get into the closed beta.

lmorel
Getting noticed

Once enabled by support in the closed beta, is it an all-or-nothing type of feature or an additional option, and can you mix and match versions of VPN client configs (Meraki cloud, AD, RADIUS, etc.)? (Apologies in advance if I didn't use the proper terminology.)

>I need to know if this will let me create multiple VPN user groups and specify split tunnel easily or not.

 

It's sad that such an expensive device can't do basic functionality. I can throw something like Untangle on some random hardware for free and do that with a single click.

RufTech
Conversationalist

Picture of Big Foot

anyconnect.PNG

Roska
A model citizen

@RufTech and it works? 🙂

Bsalami
Meraki Employee

AnyConnect is still in development. @RufTech I love the teaser. I will update this thread when AnyConnect on the MX is  available for wider beta testing!

cmr
Kind of a big deal

@Bsalami can you please confirm whether it is simply a proprietary client or allows more flexibility for the actual client VPN function?  From the screenshot posted by @RufTech I am hoping the latter...

routerjockey
Conversationalist

As the name implies... I would assume it is Cisco AnyConnect. Not connect "any" VPN client support.

 

Any update on the beta becoming more widely available? I assume it will be a similar manner to how Cisco FTDs support AnyConnect and you will have to just drop the policy .xml into the portal?

It's June, wondering if you have heard anything.

No updates from my rep.
Duke_Nukem
Getting noticed

I contacted my VAR to see if he's heard anything from his rep at Cisco.  They told him that it will only be available to the MX250/450 and MX67/68.  They also said it would go Public Beta Q1 FY21 (August of this year).  

 

This can't be limited to just those models.  That's crazy.  Say it ain't so.

cmr
Kind of a big deal

I'm guessing the MX64, MX84 and MX100 might be about to be replaced then...?

@Duke_Nukem   Those models are correct. You gotta do beta with some platforms.

I'm not talking just beta.  My fear is they will roll this out to only those models.  Can a Cisco Meraki employee confirm?

My Meraki rep confirmed that this does not apply to the MX-100.  I'll be looking for an alternative appliance solution.

Hello,
Did you find a solution?
Thank you

Love the crickets....

AC support will be on all current MX HW models. Learned it on last week's Ask Me Anything session.

In your statement of "all current models", does that include the MX84?

 

Thanks

I believe so, yes, but @Bsalami is probably the correct person to confirm. The Ask Me Anything session a few weeks back got a suggested timeline for public beta, so the train keeps moving on, which is obviously a good thing.

AET-Tech
Comes here often

@Bsalami Is there any news on the MX client? Everyone is working from home and we want to force the corp/VPN connection. I had to develop a PowerShell script to auto-VPN users.

No update from my Meraki rep.  Utterly ridiculous that it has taken this long, assuming they are doing anything.  At this point, I am looking at moving as much as possible to the cloud to not only eliminate the need for VPN but to be able to completely ditch the 20 Meraki devices once my 3 years is up in 2021.  

 

I am not a big fan of open source, especially with security stuff.  I did try this vpn client from draytek and was able to connect just fine.  Connection seemed to be stable for the 4-6 hours I used it.  Also not thrilled with the connection saying "Connected to Vigor"  - that sounds a little scary to users.  Maybe it is completely safe and there is a way to change the connection info?  I just don't have the time to spend on it. 

 

https://www.draytek.com/products/smart-vpn-client/

Hello,

 

Hope everyone is doing well. We will be starting a new round of BETA testing soon. I will update this thread with details. I know the anticipation is real, just know that we can't wait to get BETA started! More details to come. 

 

This post was sent over my AnyConnect session on an MX100. So the MX100 and MX84 will support AnyConnect. We got you too!

Owen
Getting noticed

The MX84 and MX100 use Intel CPUs where the smaller MX firewalls use ARM cores. Does this mean Anyconnect isn't supported on the ARM CPU devices?

@Bsalami Is there anything being discussed about Anyconnect for vMX? We bought the license but we are avoiding using it as SSLVpn isn't supported. 


This post was sent over my AnyConnect session on an MX100. So the MX100 and MX84 will support AnyConnect. We got you too!

This is good news.  I'd be happy with an MX84 replacement but will be glad to use AnyConnect on my existing device.  Should we contact our rep if we want to be included with this next beta phase?

Hi,

Are there any plans to support AnyConnect also in vMX100 models? I think support is important since many customers have no services on-prem, but instead all services are located in a "private cloud" inside a public cloud like Azure.

 

Some Meraki customers which I know, needed to learn/deploy vASA to enable AnyConnect SSL VPN for employees with Azure AD authentication (2MFA enabled).

@MikaVuokko  a bit off topic for this thread, but Meraki just announced a rebranding of the VMX100, which is going to be called medium. LIC-VMX-M and the duration for this after they update the global price list. The reason for this being that they'll introduce small and large versions for the VMX family later on this year.

AnythingHosted
Building a reputation

We have an MX84 and would be happy to run any beta testing if we can be included in the next phase. 

Any updates yet?

No word yet from my Meraki rep.

OVERKILL
Building a reputation

We would definitely be interested in it, as I'm currently using an ISR to service AnyConnect clients and landing them on the MX84 would be a heck of a lot better. 

Will MX64 & MX65 also support AnyConnect VPN? Meraki has a current Remote Worker promotion on the entire MX family. Not much of a remote worker/VPN solution when/if the MX64 doesn't support AnyConnect when the firmware finally (if Meraki ever get their act together) goes GA is it? If it was never intended to be available for certain MX models then Meraki should have mentioned so on spec sheets and/or roadmaps so partners would have known to not be selling MX64 or MX65 with the expectation it would support AnyConnect at some point.

CHARTER
Forward, Together
cmr
Kind of a big deal

@JPAWELCHAK isn't that promotion focussing on hardware clients for remote workers, i.e. z3 and small MXs or am I misunderstanding?

JPAWELCHAK
Getting noticed

@cmr No, the Remote Worker incentive/promotion applies to the entire MX family promoting it as a remote worker solution which would obviously include client VPN on the MX64 for a small office. Not much of a remote worker solution for end-customers wanting reliable client VPN option using AnyConnect on an MX64 device that hasn't even reached end-of-sale yet because Meraki isn't giving any clarity on what MX devices will support AnyConnect when/if the firmware ever goes GA. If the intent was never to support the MX64 which has yet to reach end-of-sale then they should have been upfront on that rather important detail.

 

It's frustrating that Meraki can't communicate effectively on this topic especially since they have put the word out there AnyConnect is coming. That said, if it was never intended for the MX64 they should have said so so we didn't sell the devices with the expectation AnyConnect support would be coming.

CHARTER
Forward, Together
cmr
Kind of a big deal

@JPAWELCHAK I agree that some clarity of a product already in closed beta would be good.  It seems that MX84 and above will support AnyConnect at some point (MX16?) but if the MX6x devices will not be included, that would be better to state now, not wait until it comes out as a footnote of a product release.

JPAWELCHAK
Getting noticed

@cmr  Exactly!

 

FYI: My understanding is MX67/68 are supporting AnyConnect on the Closed Beta (unless that has changed without my knowledge) but why not the MX64 without any indication either way when the firmware goes GA from Cisco Meraki.

 

Honestly, I'm starting to muse that Meraki Community staff are perfectly happy to let important questions go unanswered. Nobody from Meraki appears to rush to answer anything in any sort of useful detail on this and/or many other fronts. All it takes is someone to say "MX64 is not currently supported on the AnyConnect beta but will be supported when support goes GA" OR "MX64 is not currently supported on the AnyConnect beta and will not be supported when support goes GA". If the latter, however, they had better have a good reason why the community was not made aware of this considering the device has not had an end-of-support date let alone an end-of-sale date announced.

CHARTER
Forward, Together

Z3 is great, had one at home in a trial before we deploy to our directors.  Really like it and it's in the office waiting to be deployed now, I've moved to an MX68 at home, only because we closed an office and it was going spare..

 

When all is said and done, I'll have 30-40 people working remotely.  Not going to invest any more money into additional Meraki solutions at this point.  

@Bsalami Is there an estimated date of release?

Have not heard anything from my Meraki rep.

We had an "exclusive" look at it 2 weeks back, since one of our customers desperately wanted to see it.

Also got the info, if you're a Meraki customer already, you can ask your sales rep to be included into the beta. Not a 100% chance of you getting into it though. Probably better chances if you have full stack and lots of Meraki stuff (and obv. an MX).

We keep hearing next FY for the open beta. (Which would be starting August)

My recommendation to everyone is to find a different VPN solution.  Meraki is just stringing everyone along and trying to get them to upgrade to more expensive equipment.  The "beta" story hasn't changed in 8 months, and the "release date" keeps getting pushed back.  Let's face it, Meraki (Cisco) already has the AnyConnect client in production and has for years.  If it was important to them they would have put their top engineers on the issue, and modified the existing AnyConnect client to work with Meraki and specifically the MX models.  Would have taken a month at the most.  Hell, the native Apple/MAC client works and connects, MS Win10 client works (when it wants to) and the DrayTek VPN client I mentioned in an earlier post seems to work.  Even if they decided to start from scratch, this issue should have been resolved 6 months ago. 

I don't disagree with any of the statements made on this

Stealth_Network
Getting noticed

I'll make the popcorn...

NickCMT
New here

Just use the Draytek client for now, it seems to work fine.

AET-Tech
Comes here often

Except I need to force my users to use VPN. They will not do it if we tell them to. The only way I have had any luck is with a PowerShell script. Even then it's buggy. Any ideas on how to force the VPN connection?

I have also had better luck with the Powershell script to add the VPN for Windows 10 clients but still run into the occasional computer that drops settings.  It'd be nice to use AnyConnect, even nicer if I can transfer my perpetual AnyConnect licenses from my ASAs to new MXs.

Let's hope that AnyConnect for Meraki does not require further licences!

cmr
Kind of a big deal

🤣 @AnythingHosted You made my Friday with that, I might work for a gambling company but I don't think that we'd give odds on there not being a charge.  I could be pleasantly surprised though 🤞

Haha, yeah I don't see them giving this away for free. It's obviously incredibly amazing software since it's taken years to develop.

@Bsalami Curious since this is still a unicorn right about now: what kind of MFA support should we be expecting once the AnyConnect client is released?

 

Or anyone who might be evaluating the beta AnyConnect client on a MX, would you care to share how you can handle MFA for Client VPN access? After all, Duo Security was acquired by Cisco. Just like Meraki.......................................

 

It would be amazing if we could get some decent updates around here. I already complained to my Meraki rep about the serious lack of communication from Meraki to the masses. In comparison, it almost makes the White House look like masters in public relations in the last 6 months over anything that is COVID19 related......

@lmorel I would be willing to bet that they will allow us to point to a RADIUS server for external auth.  If that's the case then you can use a Duo Authentication Proxy or Network Policy Server (NPS) extension for Azure MFA.  I have been using Duo with the current Client VPN and it has been working just fine.

On a Meraki Partner update today, the Anyconnect VPN was brought up several times. We were told that when version 15 of MX's software is GA released that v16 will be made into a beta and v16 has the AnyConnect support.

AnythingHosted
Building a reputation

I took this as a slight cop-out. Hasn't v15 been in beta  for over 2 years?

 

I don't think there has been a stable release candidate for v15 either!?! I was under the impression that the different stages were derived by the number of "stable" beta installs without reported issues?

Seriously, V15 has been in beta a long time. So how many years until V16 comes out in GA? It's baffling that a Meraki rep mentioned this was on their "short list" 5 years ago, and yet we still have years to wait. It's not even new software, why is this so hard to make happen??? I have so many issues with site-to-site with 3rd party firewalls that I have to keep a separate firewall online to handle those in some cases. Can't they at least make client connections easy?

 

"ciscomeraki (Cisco Meraki), 6 points, 5 years ago

jdc,

I actually wrote the KB article you linked to. I wouldn't say that we don't put any development resources into client VPN. It would be more accurate to say that we don't devote resources to working on the EXISTING L2TP/IPsec Client VPN implementation because we want to remove it entirely in favor of SSL VPN/AnyConnect support. I don't have an ETA on this unfortunately, but it's on the short list of features to work on once we get through our current IWAN feature release later this calendar year."

DontBreakIt
New here

Hi

 

Like many others I've been waiting patiently for the release of the Anyconnect client that works with Meraki. Hopefully it's not going to be much longer. However, my business has not been able to wait endlessly for a solution so I've had to look for an alternate solution. 

 

I've come across a client that works brilliantly and seems to tick all the boxes in terms of ease of use, simple to deploy, supports multiple profiles (in case you wanted to provide alternate client VPN site connections over a multi-site SD-WAN network), can redirect all traffic through the tunnel or allow local breakout and can easily standardise it by distributing the profile file. So for my org it's all the options we've been looking for with the exception of GPO deployment and administration. In our case we also opted to use an internal RADIUS server for better security and configured the Meraki to provide certificate-based authentication allowing users to connect using their AD username and password. It is a free client supplied by Draytek (intended for use with their Vigor routers). It supports various connection types but the L2TP over IPsec works seamlessly with the Meraki, is fast and like I said ticks all the boxes. Our only concern is it's not a Cisco product and either Draytek or Meraki can release an update at any time and boom, no VPN. As soon as Anyconnect is released we plan to switch but right now we sort of have no choice, especially since we've had real difficulty getting the native Win10 client to work (and that solution puts a load onto my helpdesk).

 

So with this in mind I just wanted to reach out to the experts here and ask if there is any reason to be concerned (security wise) about using the Draytek client? I also thought, for those that are desperate for a solution that works until Anyconnect is ready, that this might prove useful. For those who are interested to try it then the client can be downloaded here: https://www.draytek.com/products/smart-vpn-client

Where did you set the certificate based authentication?

Do you have some screens to share?

Just got the info that Anyconnect should launch in February.
The documentation is already online

https://documentation.meraki.com/AnyConnect_on_ASA_vs_MX

Does anyone know how the licensing works for AnyConnect on MX?

I was wondering the same thing.

 

Here's my research and possible guess:

 

It looks like AnyConnect will require the "SDWAN Plus" license for the MX. I wonder if they will be hardcoding a limit of client VPN sessions based on their sizing guides?

 

For example, I have an MX84 with the "Advanced Security" license, which as per their sizing guide can support up to 100 client VPN sessions. (Though I think it can handle more being that I am only using it as a client VPN concentrator).

 

So I will have to buy an upgrade license to get the SDWAN Plus (1 Year SKU: LIC-MX84-SDW-1Y), which costs about $2,257 USD at CDW.com. And maybe the device will be limited to 100 client VPN sessions? (I hope not!)

CptnCrnch
Kind of a big deal

The document is not referring to SDWAN Plus. I'm pretty sure it will be the existing AnyConnect Plus licensing. 

 

At least this would make perfect sense because those enable you to use each available VPN headend in your environment, MX will soon be one of them.

OVERKILL
Building a reputation

That's helpful, as my understanding is that the Beta has had pretty typical licensing requirements with Advanced Security being sufficient, not sure about Enterprise. 

Ahh. I wasn't aware of an AnyConnect Plus license. I haven't had to buy AnyConnect licensing in a long time.

 

So if I had approx 200 users that would use the VPN, I would be looking at the "AC-PLS-P-250-S" license?

Which on CDW.com is around $3,637.49 USD.

 

I wonder how they will apply the licensing with the MX's. Do you think it will be applied in such a way to enforce session count limits, or honor based?

@mattalley 
I quickly calculated in CCW.
I'm in the EU though so prices and license names may vary.

The Anyconnect Plus licence for 200 unique users is ~2400$ list price for a three year subscription,
which would be this L-AC-PLS-3Y-S2.
I'm not too familiar with Anyconnect licensing though so I might have forgotten something.

I'm guessing you'll just have to have active MX's and Anyconnect licenses. Hoping it will work with MX Enterprise also.

CptnCrnch
Kind of a big deal

Please note that AnyConnect Licensing has nothing to do with the platform you're using as VPN headend! You're obliged to license the client itself, not the platform you're using to terminate that connection. Regarding that, Meraki doesn't have anything to do with the price you're paying for using the Cisco standard VPN client. 🙂

TI_Master
Conversationalist

How do you view that link?  I keep getting redirected to Okta and it asks for a Meraki login (guessing it's not for public view?)

Bruce
Kind of a big deal

I believe it's not for public view (was probably put up by mistake). I'm sure it will become visible again when MX16 gets into public beta.

lmorel
Getting noticed

Yeah, I regret not taking a screenshot. They locked it down shortly after. It's funny, I asked my Meraki sales rep and his engineer about it and forwarded the link. Then I implied that it was getting frustrating that here we go once again, getting some new info that might be conflicting with everything else we hear or read so far. The engineer came back the next day with a "hey, I can't even access this link!". And I thought he was messing with me only to realize they locked it down and even he couldn't access the info.............. dude, for real. ???

If you want to shoot me a message with your email, I happened to grab a PDF export of the page out of Google cache last month. It has a features breakdown in terms of what is or isn't supported by Meraki MX. They mention firmware MX 16.2+ in the document.

I'm good.  Since we are moving to a more formal remote work policy (with or without COVID), I decided the best course is to invest my time and energy in moving things to the cloud and eventually eliminating the Meraki VPN.  I can deal with the Win10 VPN disconnects until I get everything to the cloud.  

Stealth_Network
Getting noticed

I understand Cisco's R&D investment into Anyconnect, but to continue to charge very high costs for the remote client versus both the native clients and/or their competitors with Meraki will not go over well with their customers IMHO.

> I understand Cisco's R&D investment into Anyconnect

 

Haha, R&D investment for sure. This has been in development for 5+ years for some unknown reason.

I tend to agree. Meraki licensing fees, particularly for the more feature-rich packages, are already pretty significant. The SMB market is only going to be so tolerant IMHO. I already find Adv. Sec a hard sell compared to Enterprise with some orgs, so I can't imagine the conversation playing out well in telling them that the SSL VPN client will cost even more on top of that. 

 

I'm hoping that either there's a significant discount or that it gets rolled-into the more expensive license packages. That would be saleable IMHO, if you only get Enterprise, you'd have to pay for AnyConnect licensing separately, but it would be rolled into Adv. Sec and up. 

Agreed. Since it seems the client will not include a lot of ancillary features the Anyconnect client includes for the FTD/ASA version, licensing should be included in the Adv. Sec license.

That would be nice if they rolled it in to Adv Sec license since that is what I have 🙂

I vote for that.

shauno
Here to help

Still no updates on AnyConnect for the MX?

 

I'm guessing if it's in Firmware 16.x (like mentioned above), then the older appliances won't support it (as they don't run 15.x)?

cmr
Kind of a big deal

@shauno I think you are correct, in that devices that cannot run 15.x will not be able to run 16.x where AnyConnect support comes in.

 

I'd also wager that until more people upgrade their MXs to 15.x we'll still be waiting...

Bsalami
Meraki Employee

Hello All,

 

It's been a long wait, but finally we are happy to announce that AnyConnect is now available on the Meraki MX as a  public beta feature on the MX16.X firmware.

To learn more about AnyConnect on the MX please visit AnyConnect on the MX

 

Thank you all for your patience!

Great news! (Finally)

 

will it work with DUO?

Yes!

Hello,

 

As the new firmware is in beta and doesn't support some features like multicast over LAN, could you please tell me how long it will take to get a production version of the MX16.x firmware? We need to run AnyConnect on our devices, but as long as the firmware is a beta version, we cannot use it in production.

 

Best Regards!

 

 

 
