Azure AD with SAML SSO Weird Issue (vMX - Anyconnect)

ToryDav
Building a reputation


Hi All,

I set up an AnyConnect server on an Azure vMX and at first everything was working just fine - VPN worked with SSO, domain-joined PCs would just auto-login to the VPN and could access resources in Azure just fine.

Then after about 1 week (nothing changed) the VPN stopped authenticating. It would still display the "success" window on login attempt, but it just hangs and never logs in.

If you close the window, AnyConnect thinks the user cancelled auth and it doesn't connect. Below is the window that pops up on login.

[Screenshot attachment: ToryDav_0-1657290195110.png]

6/30/2022 - AnyConnect Message log

    11:11:13 AM    Contacting VPN.
    11:15:26 AM    User credentials prompt cancelled.
    11:16:26 AM    Ready to connect.
    11:43:44 AM    Contacting VPN.
    11:44:06 AM    User credentials prompt cancelled.
    11:44:06 AM    Ready to connect.

I even tested with a test user on a non-domain-joined PC and the corporate SSO login page opens fine and I can log in, then this window pops up again and the connection hangs.

Changing auth type from SAML to Meraki Authentication allows users to connect with Meraki credentials, so I know the vMX and AnyConnect server are fine; the issue lies within the SAML, but it worked beautifully and then stopped.

MX code is 16.16

Any thoughts or tips to pursue a fix for this?

2 Replies
PhilipDAth
Kind of a big deal

That is weird!

What does the Azure sign-in log say?

I think I would recheck all the settings again.

ToryDav
Building a reputation

Absolutely nothing! As if the sign-in doesn't even occur. We rebuilt the SSO app and it is working again. So I will have them test for a period of time and see if the issue comes back around.
