Anyone using AT&T as reseller? Trying to download latest Secure Client version from Cisco website.

from_afar
Building a reputation

I'm seeing in Microsoft Defender Endpoint Protection that the Secure Client has several Critical Vulnerabilities in version 5.1.6.103 which is the version available in the Client VPN anyconnect client download links and installed on all of our clients (the MX-95 itself is auto-updated and appears to be up-to-date but for some reason that doesn't appear to update the Secure Client downloads...anyone know how that happens?)

 

I can see in the Cisco downloads that version 5.1.7.80 is available but I cannot download it because I don't have the right contract number apparently. I contacted the sales rep from ATT I bought the system from and he sent me a copy of the PDF sales contract but none of those numbers work when trying to add to the Cisco site for entitlement enablement.

I contacted Cisco support and they can't seem to be able to help. I've provided every number I can find (customer number in Meraki interface profile dropdown, S/N of all of our equipment, all emails used to log in, company name emails and addresses) but they can't seem to be able to help (they just keep telling me to contact the reseller).

Wondering if anyone else has experience with this or other resellers and was able to enable downloads from Cisco?

14 Replies
PhilipDAth
Kind of a big deal

Purchase a support contract for Secure Client, and you'll be able to download it directly from Cisco.

CptnCrnch
Kind of a big deal

...and to comply with the licence conditions 😇

from_afar
Building a reputation

@CptnCrnch @PhilipDAth I'm certain that I remember when going through the sales pitch(es) with ATT that the VPN user count was part of the deal. What does that pay for? Can you even use Secure Client without a support contract? It seems crazy to me that regardless of support contract status Cisco would allow people to use their VPN products with old software that contains critical vulnerabilities.

Does the AnyConnect VPN software download section in the Meraki interface ever get its software updated? Or is it just forever stuck on whichever version was available when you first set everything up?

 

FYI this is what is listed on the sales sheet the ATT rep gave me:

 

[Image: Screenshot 2024-12-16 at 4.40.37 PM.png]

PhilipDAth
Kind of a big deal

I can't speak for AT&T.

 

What I can tell you is that for my customers I sell them a "term" based AnyConnect subscription that matches their Meraki subscription. These kinds of licences automatically include a support contract. When I get the contract from Cisco I forward it on to my customer.

My customers are then fully entitled to use AnyConnect and can download the latest software from Cisco directly.  They can also ask me to download it on their behalf.

 

SWG is a Cisco Umbrella.
https://umbrella.cisco.com/products/secure-web-gateway

Cisco Umbrella does also offer a remote access solution (which does not use the MX option), called Secure Connect. Secure Connect includes an engine that can do client updates automatically.

https://www.cisco.com/c/en/us/products/plus-as-a-service/secure-connect.html

 

It is not clear to me from your screenshot above which remote access solution you have been sold.  I would go back to AT&T and ask about how you get SRA configured (or even which solution it is that you have bought), and how you are meant to get software updates.

from_afar
Building a reputation

Thanks. Did you mean Secure Client? It looks like Cisco references "Secure Connect" as an umbrella term for their SASE and SD-WAN solutions:

[Image: Screenshot 2024-12-19 at 9.52.58 AM.png]

That looks like the same page, and the Meraki devices and the software running on them that provide SASE/SD-WAN do indeed auto-update, but this is different than the VPN client. The VPN client is (was) AnyConnect which they are renaming or replacing with Secure Client. This is what I can't download or get to update.

Thanks again for the help. I've sent several follow-up emails to my AT&T salesman informing him of everything I've heard from here, Cisco and Meraki support, etc., and it's been radio silence for several days (once again--this is typical).

PhilipDAth
Kind of a big deal

No, I meant Secure Connect.

 

The invoice you have from AT&T does not make it clear to me what you have bought.

from_afar
Building a reputation

Thanks for the reply.

 

They make it frustratingly difficult to even see what is available.... I found a couple of pages like https://www.business.att.com/content/dam/attbusiness/briefs/att-sd-wan-with-cisco-product-brief.pdf 

But it is essentially SD-WAN managed by ATT. That was the sales pitch. We got the highest package available which included Umbrella etc. This is what the sales guy sent me:

[Image: Screenshot 2024-12-30 at 10.14.56 AM.png]

They were just launching Tier 3 which we ended up getting. The difficulty or breakdown seems to be that because it is "managed", things like full admin access are hidden from me and there doesn't seem to be a direct correlation between me and Meraki in terms of contracts etc. so I can't register to download patched versions of AnyConnect. I can't believe I'm the only customer asking for this but nobody seems to have an answer...

TNAComputers
Getting noticed

From my experience (if my understanding is correct of your problem) it depends on how they licensed it with Cisco. If it's fully managed by ATT, they could have the licenses/support registered to ATT. If so, you cannot add the contract to your CCO for access to it by you. You would need to contact ATT every time you wanted to upgrade since they would be the owner of the device, and they would need to provide you access to the software.

If they registered the software/contract to you, then you can reach out and get the contract number or SO (Sales Order) number and associate it to your CCO for access to do it yourself. I doubt they would put it all in their name, but you never know. With subscription licensing it might make more sense to just keep it all in ATT's name and take from their pool of licenses as it's much less administrative effort just to keep up with their own vs every customer they manage.

If you notice it says Cisco Secure Client (Anyconnect) (Not VPN), and the Secure Client does much more than VPN. NAM/Posture/ISE/etc are all part of Secure Client. That part makes me think that VPN is not included.

from_afar
Building a reputation

Thanks for the reply. 

I have been patiently waiting for going on 3 weeks now for my ATT salesman to get me an answer or solution. So far he has just sent me the sales order on which there are no numbers that allow me to access downloads.

Not sure where “vpn is not included”, but we most definitely have that as part of the package. When going through the sales cycle, I made it abundantly clear that we have both the SD-WAN users as well as remote users/work from home users. VPN has been up and running the entire time (although I get the same terrible SMB speeds as the SD-WAN connection gets) and have always connected via Secure Client. Honestly, I still don’t understand what if any difference there is between Secure Client and AnyConnect. I thought the latter was replacing the former (or vice versa), but this thread has me wondering if that’s correct. Is there another VPN client that I’m not aware of besides SC/AC? That is the only way I have ever been able to get users onto the VPN. I do understand that it offers more than just VPN connectivity but I can recall seeing a different VPN client.

TNAComputers
Getting noticed

In your last picture above it says (not VPN) so I don't know what that means at the bottom of the picture under the Umbrella DNS section. Secure Client is replacing AnyConnect. VPN (via Secure) is part of Secure Client now. Right now it's the honor system, so if you enable it in the Meraki dashboard it just works. You should have corresponding licensing for all of your users, so I'm not just saying to turn it on without licensing (if you can since they have you restricted assuming you can't get there).

You could reach out to Cisco TAC if you have a CCO with that sales order number and see if they can add the contract(s) to your profile. If that fails, then that means you are not entitled to that contract. I'm speculating, but usually that means the company doesn't match, i.e. it's registered to ATT.

Speed-wise, it's based on the MX hardware and your ISP connection. My MX95 for example can do 800Mbps max throughput, and I can get upwards of 600Mbps real world speeds through it over Secure Client.

from_afar
Building a reputation

Thanks again for the replies. 

 

Ah I see what you mean. I'm not sure exactly where the enablement is and as mentioned, I have kneecapped access to the Meraki admin since ATT is supposed to be managing things, but I do have the Client VPN page where I have set up the AnyConnect settings. Is this enablement etc. what is on the honor system? I'm certain we are paying for whatever licenses are needed for the VPN as I had to give a count of the number of users who would need VPN access. I really wish my ATT sales rep was as responsive now as he was before I signed on the dotted line...

I have in fact contacted Cisco TAC but so far they haven't been able to help. Last I heard from them they opened a Meraki case on my behalf but couldn't find the case number....

I've spent hours and hours on the speed issue. Have symmetric 1GB fiber connections which all speed tests verify as on or close. Other formats work fine--SFTP, https downloads, etc. it is just SMB that is terrible. After hours on the phone with Meraki and ATT support, the bottom line answer I got was: this is expected behavior (in spite of hearing that others do not have this problem over and over here on this forum). At some point, I just have to get things working which is why I had the MPLS line installed but for some reason, if the Meraki equipment is connected, I still get the same terrible speeds which hardly makes sense (a laptop connected to each end of the MPLS line can transfer files via SMB between each other with no issues; once one end of the MPLS line is connected to a MS switch or MX router, it all falls apart). 

TNAComputers
Getting noticed

Thanks for the update. If you have access to the Meraki Client VPN page, you can download Secure Client from there:

[Image: TNAComputers_0-1735832736202.png]

 

Honor system is for Secure licenses. As you can see from the top of the picture, you can just turn it on and go. There isn't a check to make sure you have the required licenses for Secure Client yet.

Salesmen are always very responsive until they get the sale 🙂

 

As for the SMB speeds, there are too many variables to say on that one. It could be MTU settings, platform settings and so on. If you are getting the proper speeds via other protocols over Secure Client, then you know the platform and end devices are capable. I would suggest doing a packet capture (no, I'm not Meraki support lol) to make sure you are not getting a bunch of retransmissions, or fragmentation for SMB. I do not have MPLS on my end, but my MX hooks directly into an MS aggregation switch (10Gbps) into an access switch via 10Gbps with all clients connecting at 1Gbps and I get the speeds I mentioned above.

Again, you have to take into account the speed of the end user (the VPN user's internet connection), your head-end internet connection, and overhead for IPS/AMP/URL etc. I'm assuming that you get full speed internally, it's just over the VPN that it's slow? If so, then it's something going on with MTU etc., which a packet capture from the remote VPN user and the server hosting SMB should tell you where the problem is. I'm assuming you are using Windows Server for SMB shares.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/slow-smb-file-transfer

https://community.cisco.com/t5/security-knowledge-base/anyconnect-mtu/ta-p/3150017

https://www.reddit.com/r/sysadmin/comments/2mt3jc/reducing_mtu_value_to_fix_slow_cifssmb_over_vpn/

 

Hopefully this helps!

from_afar
Building a reputation

Thanks. 

I know that the client can be downloaded from the Meraki AnyConnect page but the entire issue here is that what is available to download for me is an outdated version 5.1.6.103 which contains critical vulnerabilities. I'm trying to figure out how to resolve this. I cannot download from the linked Meraki download page because I don't have entitlement. It's an issue not just because it isn't good to be running vulnerable software, but our auditing software sees this and it affects our ability to get certifications.

Yes, the end users all have 1GB+ connections, but more importantly is the issue with the SD-WAN connection which is under my control and verified as having symmetric 1GB connections that work fine with other protocols. I have also used different connections (One Verizon Fiber and the other Comcast Cable both 1GB symmetric) on the spoke end and Dedicated fiber and Charter Cable on the Hub side. I have also read and tried every SMB tuning help article out there and nothing has helped unfortunately. I have tried every MTA, smbdirect, smbmultichannel, etc. I also believe that if it were a problem with some fundamental Windows server setting, I wouldn't be getting ~270MB/s file copy speeds on the LAN between the same server and same model clients. I only get the 5MB/s limit when traversing the SD-WAN connection or the VPN.

[Image: Screenshot 2025-01-06 at 11.04.48 AM.png]

TNAComputers
Getting noticed

Gotcha. I missed that part. That part is controlled by Cisco/Meraki for the version and download links. If it's not the right one that you are looking for, then you don't have a choice but to get the contract issue fixed so you can get the latest version. You could also open a case with Meraki and see if they can update the links, or manually provide you with the fixed version that you require.

Without having all of the info for your SMB problem, since you know the LAN speed is good, I would get a case open with Meraki as well with the VPN speeds. It seems like the firewall is the bottleneck again since the LAN speeds are good. 5MB/s is very slow. It could be TLS vs DTLS, or a border device is blocking udp/443 for DTLS etc. Support would be the best recourse here since they have way more insight to the settings etc. than I would. It's likely going to require packet captures on both ends (MX and end user) to see what is happening in the PCAP to determine where the issue lies. It could be asymmetric routing and so on. I'm just speculating, but you said other protocols are fine so I doubt it would be that. 100% guessing on the MSS, UDP vs TCP etc. I have seen this slowness before just on SMB because it was not using DTLS (udp/443) and using TCP/443, but I would still expect better than 5mbps.
