AnyConnect with Azure AD SAML - User's get "Can't reach this page"

SOLVED
KPI
Here to help

AnyConnect with Azure AD SAML - User's get "Can't reach this page"

Firmware 17.8 (same issues with 16.16)

 

Set up AnyConnect Azure AD SAML. One user authenticates successfully and receives 'Can't reach this page' in the Cisco AnyConnect Login box after providing MFA.

KPI_3-1656684295814.png

 

When I test with my admin account, this first time it hangs after successful MFA and finally gives a 'CSRF token failed' message. Then each time I attempt afterward it will successfully connect. Here is the AnyConnect log showing the first failed attempt and the subsequent successful attempt:

KPI_0-1656683963738.png

 

I notice the first time, I don't see the banner message. Both users testing (including myself) are in the Azure AD enterprise app group.

 

My AnyConnect / Azure AD settings:

KPI_1-1656684073084.png

 

KPI_2-1656684170301.png

 

1 ACCEPTED SOLUTION
KPI
Here to help

Update: After speaking with Microsoft and Meraki support and getting back to square one, I decided to try changing the primary WAN from 2 (Verizon) to 1 (Comcast). This apparently worked. My connection worked every time, and a user who never had a successful connection worked every time as well. There was/is some loss (and I mean 1-3% every so often on the Verizon circuit), so maybe that's part of the issue. We are going to contact Verizon to see if they can check the circuit/signal.

 

Another note: Make sure your CA policies are in good order. I found that a user was being checked by the wrong CA policy first, and that policy was causing issues. Make sure to exclude AnyConnect from all other policies so that only the appropriate policy applies to enforce MFA.

View solution in original post

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

That is unusual.  With an error like CSRF it is usually broken everytime.

 

Are running a current stable firmware release on the MX?

 

As a matter of interest, does the MX have a public IP address on it?

Thanks for response. Current version is 17.8 which is seemingly stable. Yes, there is a static public IP on it. In fact there are two static IPs (two ISPs) that are active. Maybe that is an issue? Perhaps I should configure one as backup.

KPI
Here to help

It seems to work on every other connection. I've also run a packet capture and I don't see any data on the failed attempts. Could this be some Azure AD response requirement that is not showing up correctly, and then ultimately times out?

KPI
Here to help

Update: After speaking with Microsoft and Meraki support and getting back to square one, I decided to try changing the primary WAN from 2 (Verizon) to 1 (Comcast). This apparently worked. My connection worked every time, and a user who never had a successful connection worked every time as well. There was/is some loss (and I mean 1-3% every so often on the Verizon circuit), so maybe that's part of the issue. We are going to contact Verizon to see if they can check the circuit/signal.

 

Another note: Make sure your CA policies are in good order. I found that a user was being checked by the wrong CA policy first, and that policy was causing issues. Make sure to exclude AnyConnect from all other policies so that only the appropriate policy applies to enforce MFA.

KPI
Here to help

I will mark this as acceptable. We are talking with Verizon at this point to discuss the WAN connection.

 

In short, if you see what seem to be random issues as described above:

1. Test with the other WAN (if you use two WANs in load balance or fail-over mode

2. Make sure your AnyConnect Enterprise App is only tied to ONE Conditional Access policy

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels