Hi All,
I have multiple sites configured using various models of MX routers. At one site (let's call it the base site) we have AnyConnect set up and working with the MX and using Azure as the IDP. It works a charm. However, I do not like relying on the internet connection of a single site for our increasingly heavy remote working requirements. I want to set up another one of our sites (let's call it the second site) to also use AnyConnect and then enable load balancing and backup servers.
Meraki only allows you to register AnyConnect once as an enterprise app in Azure but Azure can configure up to 256 identifiers and reply URLs per registration. The behaviour I find when trying to connect to the second site is the following:
My browser sets up a TCP session with the second site MX, and the second site MX then replies with the info to contact the IDP (Azure). The browser then sets up a TCP session with Azure and I am prompted to enter my credentials. As soon as I enter my credentials I notice my browser is now communicating with the base site MX, and the connection ultimately fails.
After some research I have found that Azure will always reply to a SAML request with the default reply URL unless the specific reply URL is defined in the original SAML authentication request sent to Azure.
After speaking with Meraki support they have told me that I am butting up against a limit of the MX, but I am still not certain given that there are 2 different MXs here. My only thought is that the SAML request sent to Azure after the initial communication with the MX simply does not include the reply URL and so Azure just replies with the default. This seems like a massive shortcoming as it means that each Meraki tenant can only have a single AnyConnect setup enabled regardless of the size of the tenant.
Any help would be greatly appreciated.
Phil
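The behaviour described in the post (an IdP registration with several reply URLs falls back to the default one unless the SP's AuthnRequest names the reply URL explicitly via AssertionConsumerServiceURL) can be modelled end to end in a few lines. The following is an added example written for this page; it is not code from the post, from Meraki or from Azure. The two ACS URLs, the SP entity ID and the IdpApp class are constructed stand-ins for a real IdP registration, and the SAMLRequest encoding follows the standard HTTP-Redirect binding (raw DEFLATE, then base64). The IdP-side resolver also shows the check a practitioner would expect: a requested ACS URL is only honoured when it is one of the registered reply URLs, otherwise the assertion could be redirected to an attacker-chosen endpoint.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical values standing in for the two MX AnyConnect endpoints and the
# single SP registration; none of these appear in the original post.
BASE_ACS = "https://vpn-base.example.com/+CSCOE+/saml/sp/acs"
SECOND_ACS = "https://vpn-second.example.com/+CSCOE+/saml/sp/acs"
ENTITY_ID = "https://sp.example.com/anyconnect"


def build_authn_request(request_id, issuer, acs_url=None):
    """Build a minimal SAML 2.0 AuthnRequest.

    When acs_url is given, the AssertionConsumerServiceURL attribute is set;
    when it is omitted the IdP has to fall back to its configured default.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    attrs = {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if acs_url is not None:
        attrs["AssertionConsumerServiceURL"] = acs_url
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    issuer_el = ET.SubElement(root, f"{{{SAML}}}Issuer")
    issuer_el.text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect(xml_str):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(saml_request):
    """Inverse of encode_redirect: base64 decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


class IdpApp:
    """Constructed model of one IdP app registration.

    It holds several registered reply URLs and one default, and resolves the
    ACS URL for an incoming SAMLRequest the way the post describes Azure doing.
    """

    def __init__(self, reply_urls, default):
        if default not in reply_urls:
            raise ValueError("default must be one of the registered reply URLs")
        self.reply_urls = frozenset(reply_urls)
        self.default = default

    def resolve_acs(self, saml_request):
        root = ET.fromstring(decode_redirect(saml_request))
        if root.tag != f"{{{SAMLP}}}AuthnRequest":
            raise ValueError("not an AuthnRequest")
        requested = root.get("AssertionConsumerServiceURL")
        if requested is None:
            # Nothing named by the SP: fall back to the registration default.
            return self.default
        if requested not in self.reply_urls:
            # Never honour an unregistered ACS; that would let a forged
            # request redirect the signed assertion to an attacker's host.
            raise ValueError("unregistered AssertionConsumerServiceURL")
        return requested


def where_does_the_assertion_go(acs_url=None):
    """Run one login attempt against an app registered for both sites."""
    app = IdpApp([BASE_ACS, SECOND_ACS], default=BASE_ACS)
    request = build_authn_request("_req1", ENTITY_ID, acs_url)
    return app.resolve_acs(encode_redirect(request))


if __name__ == "__main__":
    # Second-site SP that omits the ACS URL ends up back at the base site.
    print(where_does_the_assertion_go())
    # Naming the registered second-site ACS is what makes the IdP reply there.
    print(where_does_the_assertion_go(SECOND_ACS))
```

The first call models the failure in the post: the second MX starts the flow, but because the request carries no AssertionConsumerServiceURL the assertion is posted to the default reply URL, which is the base site. The second call shows the only way a multi-reply-URL registration can work for more than one SP endpoint: the SP must name its own registered ACS in the request.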