Client VPN - MS Teams call drops when connecting to Cisco AnyConnect client VPN - Meraki MX84

SOLVED
Bonifas

During an MS Teams call, when a user connects to Client VPN with the Cisco AnyConnect client, the call drops for a few seconds and then reconnects.

Dynamic Client Routing is enabled with "Send all traffic except traffic going to these hostnames" selected, and "microsoft.com" is in that hostname list.

What can cause this call drop? Is there a way to fix it?

1 ACCEPTED SOLUTION
KarstenI

"microsoft.com" is not enough to exclude from the tunnel. Here is a Cisco Tech-Note on the needed exclusions:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimiz...


PhilipDAth

I just smashed this together.  Copy and paste this into PowerShell.  It sends a query to Microsoft for the list of IP addresses used by Microsoft Teams.  Exclude these from your full tunnel VPN.

# Microsoft asks for a fresh GUID on every call to the endpoints web service
$clientRequestId = [GUID]::NewGuid().Guid
# Worldwide instance, IPv6 ranges omitted
$uri = "https://endpoints.office.com/endpoints/worldwide?NoIPv6=true&clientRequestId=$clientRequestId"

$endpointSets = Invoke-RestMethod -Uri $uri
# "Optimize" is the category Microsoft marks as latency-sensitive (Teams media lives here); these are the prefixes to keep out of the tunnel
$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
# Keep only IPv4 prefixes (those containing a dot) and drop duplicates across endpoint sets
$optimizeIpsv4 = $Optimize.ips | Where-Object { $_.Contains(".") } | Sort-Object -Unique

Write-Host $optimizeIpsv4
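The script above pulls the live list; the block below is an added example (not from this thread or from Microsoft) that works the same endpoint-set data offline in Python, so the logic can be checked without network access. ENDPOINT_SETS_JSON is a constructed sample in the schema of the endpoints web service, with illustrative prefixes rather than Microsoft's current ones. It goes a step beyond the PowerShell: it narrows to the Teams ("Skype") service area, collapses overlapping prefixes so the exclusion list is minimal, carries the UDP media ports alongside the IPs, and lets you test whether a given media address would bypass the tunnel.

```python
"""Build a Teams split-tunnel exclusion from Microsoft 365 endpoint-set data (offline).

Added example. ENDPOINT_SETS_JSON is a constructed sample mimicking the JSON returned by
https://endpoints.office.com/endpoints/worldwide; the prefixes are placeholders, not
Microsoft's published ranges. Download the real list before using the output.
"""
import ipaddress
import json

ENDPOINT_SETS_JSON = """
[
  {"id": 11, "serviceArea": "Skype", "category": "Optimize",
   "urls": ["*.lync.com", "*.teams.microsoft.com", "teams.microsoft.com"],
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.112.0.0/16", "2603:1063::/38"],
   "tcpPorts": "80,443", "udpPorts": "3478,3479,3480,3481", "required": true},
  {"id": 12, "serviceArea": "Skype", "category": "Allow",
   "urls": ["*.sfbassets.com"], "ips": ["20.190.128.0/18"],
   "tcpPorts": "443", "required": true},
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
   "urls": ["outlook.office.com"], "ips": ["40.96.0.0/13", "52.96.0.0/14"],
   "tcpPorts": "80,443", "required": true},
  {"id": 56, "serviceArea": "Common", "category": "Allow",
   "urls": ["*.microsoft.com"], "tcpPorts": "443", "required": true}
]
"""


def load_endpoint_sets(text):
    """Parse the endpoint-set JSON (a list of dicts) into Python objects."""
    return json.loads(text)


def exclusion_for(endpoint_sets, service_area="Skype", categories=("Optimize",)):
    """Collect IPv4 prefixes, hostnames and UDP ports for the chosen service area/categories.

    Only IPv4 prefixes are kept (the Meraki thread excludes IPv6 via NoIPv6=true) and
    overlapping prefixes are collapsed, e.g. 52.112.0.0/16 is absorbed by 52.112.0.0/14.
    Endpoint sets without an "ips" or "udpPorts" key are tolerated.
    """
    nets, urls, udp = [], set(), set()
    for es in endpoint_sets:
        if es.get("serviceArea") != service_area or es.get("category") not in categories:
            continue
        for cidr in es.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.append(net)
        urls.update(es.get("urls", []))
        for port in es.get("udpPorts", "").split(","):
            if port.strip():
                udp.add(int(port))
    return {
        "ips": [str(n) for n in ipaddress.collapse_addresses(nets)],
        "urls": sorted(urls),
        "udp_ports": sorted(udp),
    }


def bypasses_tunnel(ip, exclusion):
    """True if the address falls inside one of the excluded prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in exclusion["ips"])


if __name__ == "__main__":
    sets = load_endpoint_sets(ENDPOINT_SETS_JSON)
    teams = exclusion_for(sets)
    print("Exclude from tunnel:", teams["ips"], "UDP", teams["udp_ports"])
    print("Hostnames in the same sets:", teams["urls"])
    # A Teams media relay address (sample) bypasses; an Allow-category or Exchange address does not
    for ip in ("52.113.5.10", "20.190.130.1", "40.100.1.1"):
        print(ip, "bypasses tunnel:", bypasses_tunnel(ip, teams))
```

The point the output makes is the one KarstenI raises: the media prefixes carry no "microsoft.com" hostname at all, so a hostname-only exclusion cannot catch them; the IP prefixes (and UDP 3478-3481) have to be excluded explicitly, and the Allow category is a separate, larger set that does not need to bypass the tunnel for call quality.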

KarstenI

This one is great for Windows users!

PhilipDAth

OR - don't use full tunnel.  Specify only the list of subnets that AnyConnect users will need to access inside your organisation.

...afterwards realize that you'll need another layer of security because there's no centralized endpoint protection anymore. Let me warmly welcome you to the funny world of SASE! 😎

And what are you going to do for the user when they are not connected to VPN ... not much difference really is there?

Bonifas

Adding a point to the question - the whole idea of using full tunnel with Cisco AnyConnect here is to whitelist the public IP for Azure resources like virtual machines, SQL managed instances, etc.

So that people get onto the VPN to connect to these resources and are not really able to connect from a different network.

PhilipDAth

If that IP address is static you could include that in the AnyConnect encryption domain and not use full tunnel.


Use whichever approach is easier for you.  🙂

Bonifas

Thank you all. Adding all the IPs from the list below helped.


https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worl...


Appreciate your help @PhilipDAth @CptnCrnch @KarstenI 
