We are using the Cisco AnyConnect VPN client software to connect to our Meraki MX. The Authentication Type is SAML, using our IdP (OneLogin) for MFA.
Sometimes, after a user enters their credentials in Cisco AnyConnect, it goes to a white screen box after MFA authentication. The box stays there for about a minute and then errors out. The error is "CSRF token verification failed".
This happens randomly to different users at different times, making it hard to replicate the issue. The rest of the times, we are able to connect without an issue.
Has anyone seen this issue before?
I've had one report of this, but the customer has since rolled back to 16.x so we can't troubleshoot any further. It would be great if you can open a Support case on this so they can gather some data to send up to Eng if needed.
We do have a case open with Meraki. We are still troubleshooting the issue. Just wanted to know if anyone else has seen this issue. Thank you.
This happens to us all the time. We had a case open with Meraki at one point, but I just gave up. The work around we have found is to re-upload the SAML Metadata File.
Meraki support got back to me and instructed me to downgrade my MX to firmware 16.16.6
My support agent told me that he has found related cases and this was the fix.
I am going to test it this weekend, hopefully all goes well.
Make sure it is 16.16.6, not 16.16
I had to get Meraki support to do it for me, as it was not an option for me.
What firmware version did you downgrade from? Did you also have issues with users being prompted for username and password, but no MFA? It would just connect automatically.
It was 17.x; I cannot remember the exact version number. No, I did not have issues with users being prompted for username and password but no MFA. What is your Authentication Type set to?
Since we upgraded one of our MXs to 17.10.2, we've been having multiple VPN issues, such as the CSRF error and users being prompted for credentials with no MFA at random times.
We're using SAML against Azure.
We upgraded to 17.10.2 two weeks ago and we have seen issues with AnyConnect and SAML. I've seen the white box: it hangs for a minute and then the user is able to log in. Also, if a user selects to remain logged in, it loops back to the email login again. We didn't have this issue on 16.
I also have this blank box issue, but it's rare. The bigger issue is that previously we could sign into the VPN, disconnect, and then reconnect, and it would just connect again. Now it not only prompts us each time, but the username field is blank, so you have to type in the user and then select the MFA option. We noticed this a few weeks ago. I would prefer it used the browser cache and that token, but this feature seems to be lost. Anyone else notice this behavior?
You will need to contact Meraki support and ask them to disable the "forceauthn" option (set it to false) for SAML authentication.
So we have a few clients with MX64 firewalls. Anyconnect functionality was not added until firmware version 17.10.2. So downgrading to 16.16.6 is not a solution for these firewalls. We also tried the beta 18.104 but the behavior is still the same (blank white windows as well as CSRF token validation errors). Seems like this feature is far from fully baked.
We found that even with the new AnyConnect client we'd still have users get stuck after the SAML login screens, typically on the blank white page. To fix this, create an OUTBOUND rule in Windows Defender Firewall for wherever you have \Cisco AnyConnect Secure Mobility Client\acwebhelper.exe and set it to ALLOW.
We had to add vpnui.exe as well. However, we find that even after adding both of these, it sometimes fails again after initially being successful, and the rules have to be removed and re-added. Clearly something else is going on here.
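The outbound firewall rules described in the last two posts, scripted so they can be created, checked, and removed and re-added in one step. This is an added example, not code from any poster in the thread or from Cisco or Meraki. It assumes the default 64-bit Windows install directory for the AnyConnect client (adjust $installDir if yours differs), the rule display names are arbitrary, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Creates outbound Windows Defender
# Firewall allow rules for the AnyConnect helper executables named above,
# and can remove/re-add them, since the thread reports they sometimes stop
# working and have to be recreated.
# Assumption: default install path on 64-bit Windows; change if needed.

$installDir = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'
$programs   = @('acwebhelper.exe', 'vpnui.exe')
$rulePrefix = 'AnyConnect allow outbound - '   # arbitrary display-name prefix

function Add-AnyConnectOutboundRules {
    foreach ($exe in $programs) {
        $path = Join-Path $installDir $exe
        if (-not (Test-Path $path)) {
            Write-Warning "Not found: $path (check `$installDir)"
            continue
        }
        $name = $rulePrefix + $exe
        # Do not create a duplicate if a rule with this name already exists
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule already present: $name"
            continue
        }
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound `
            -Program $path `
            -Action Allow `
            -Profile Any `
            -Enabled True | Out-Null
        Write-Host "Created: $name"
    }
}

function Remove-AnyConnectOutboundRules {
    # DisplayName accepts wildcards, so this catches every rule we created
    Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# The thread says the rules sometimes have to be removed and re-added;
# this does both in one step.
function Reset-AnyConnectOutboundRules {
    Remove-AnyConnectOutboundRules
    Add-AnyConnectOutboundRules
}

# Show the rules in place with the program path each one actually matches,
# plus each profile's default outbound action: if that default is already
# Allow, an explicit allow rule only matters when a more specific block
# rule exists, so the rules alone may not be what changes behaviour.
function Show-AnyConnectOutboundRules {
    Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name    = $_.DisplayName
                Enabled = $_.Enabled
                Action  = $_.Action
                Program = $app.Program
            }
        }
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
}

Add-AnyConnectOutboundRules
Show-AnyConnectOutboundRules
```

When a user hits the white box again after the rules were working, run Reset-AnyConnectOutboundRules and then Show-AnyConnectOutboundRules to confirm the Program path on each rule still points at the installed executables; a client upgrade that moves or versions the install directory would leave the old rules matching nothing.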