Can't VPN from an EC2 instance any longer?

joebrug
Here to help

I have a vendor that uses AnyConnect to VPN to our Meraki MX105's. This used to work but isn't now. Potentially stopped working after 19.1.7.2 upgrade? 

The user gets prompted for a DUO auth.. which goes through successfully. Seems to just be from EC2 instances. Any ideas? Logs below (IPs and usernames changed):
AnyConnect VPN connection event"msg: Local[1.2.3.4.443] Peer[5.6.7.8.52000] Prot[TCP] Conn-ID[19909] Connection closed. "
AnyConnect VPN connection event"msg: Local[1.2.3.4.443] Peer[5.6.7.8.52000] Prot[TCP] Conn-ID[19909] TLSv1.3 connection established. Cipher: TLS_AES_256_GCM_SHA384(4866) "
AnyConnect VPN connection event"msg: Local[1.2.3.4.443] Peer[5.6.7.8.51942] Prot[TCP] Conn-ID[19903] Connection closed. "
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: Session disconnected. Session Type: SSL, Duration: 0d:00h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested "
AnyConnect VPN client disconnected"local_ip: 10.212.134.121, user_id: myuser@mydomain.com, remote_ip: 5.6.7.8"
AnyConnect VPN client disconnected"local_ip: 10.212.134.121, user_id: myuser@mydomain.com, remote_ip: 5.6.7.8"
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: Deleted TLS tunnel[43.1] from DB. Reason: User Requested "
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: conn_id[19908] Added TLS tunnel[43.1] to DB "
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: Allocated assigned IP=10.212.134.121 "
AnyConnect VPN client connected"local_ip: 10.212.134.121, user_id: myuser@mydomain.com, remote_ip: 5.6.7.8"
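As an added example that is not part of this thread: a small Python parser for the "Session disconnected" events in the log format above, flagging sessions like Sess-ID 43 that are torn down within seconds with zero bytes in either direction (auth passed, tunnel built, client hung up). The Sess-ID 44 line is a constructed healthy session for contrast; the threshold of 5 seconds is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two lines are the disconnect and IP-allocation
# events from the post above (placeholder IPs/usernames as the poster gave them);
# the Sess-ID[44] line is an invented healthy session for contrast.
SAMPLE_LOG = """\
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: Session disconnected. Session Type: SSL, Duration: 0d:00h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested "
AnyConnect VPN session event"msg: Sess-ID[43] Peer IP=5.6.7.8 User[myuser@mydomain.com]: Allocated assigned IP=10.212.134.121 "
AnyConnect VPN session event"msg: Sess-ID[44] Peer IP=9.9.9.9 User[other@mydomain.com]: Session disconnected. Session Type: SSL, Duration: 0d:02h:15m:09s, Bytes xmt: 5120000, Bytes rcv: 880000, Reason: User Requested "
"""

# Matches only the "Session disconnected" event; other session events are ignored.
DISCONNECT_RE = re.compile(
    r'Sess-ID\[(?P<sid>\d+)\] Peer IP=(?P<peer>[\d.]+) User\[(?P<user>[^\]]+)\]: '
    r'Session disconnected\. Session Type: (?P<stype>\w+), '
    r'Duration: (?P<d>\d+)d:(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, '
    r'Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>[^"]*?)\s*"'
)


@dataclass
class Disconnect:
    sess_id: int
    peer: str
    user: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str


def parse_disconnects(text: str) -> list[Disconnect]:
    """Extract every 'Session disconnected' event from raw MX event-log text."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        secs = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
        events.append(Disconnect(int(m["sid"]), m["peer"], m["user"], secs,
                                 int(m["xmt"]), int(m["rcv"]), m["reason"]))
    return events


def stillborn_sessions(events: list[Disconnect], max_seconds: int = 5) -> list[Disconnect]:
    """Sessions torn down within max_seconds that never moved a byte either way:
    authentication succeeded and a tunnel was built, but no traffic ever flowed."""
    return [e for e in events
            if e.duration_s <= max_seconds and e.bytes_xmt == 0 and e.bytes_rcv == 0]
```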
alemabrahao
Kind of a big deal

Take a look on the Known Issues:
New MX 19.1.7.2 stable release candidate: rolling back a fix and updates fo... - The Meraki Communit...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
joebrug
Here to help

Hello.. I have looked at that list, not sure if any fit the bill. Are you suggesting one of the reasons in particular to explain this issue we're having? 

alemabrahao
Kind of a big deal

I would downgrade the version and open a support case.

PhilipDAth
Kind of a big deal

Interesting - it is saying the user requested the connection to be terminated.

"Reason: User Requested"
Does Duo say that it granted access?

Any recent Windows update on that server?

Are you using a recent version of AnyConnect?

joebrug
Here to help

Yes, Duo says Granted Access for their IP. I have no idea about the Windows server they're coming from.. again, it's a vendor, so I don't have much control over it. The Cisco Secure Client is maybe only a couple of months old, if that, so yeah, pretty recent. The only change I can think of is the MX firmware upgrade from 18 > 19 two weeks ago.

PhilipDAth
Kind of a big deal

That is suspicious timing.
Do you have access to an AWS environment where you could test if it is working or not?

joebrug
Here to help

I don't, but all I've gotten from them is:

"Yes, we've tried 2 EC2 instances, both of which have connected without issues in the past. My laptop works if I connect directly to the vpn from there. "