When a user connects to the Client VPN using the Cisco AnyConnect client during an MS Teams call, the call drops for a few seconds and then reconnects.
Dynamic Client Routing is enabled with "Send all traffic except traffic going to these hostnames" enabled, which has "microsoft.com" included.
What can cause this call drop? Is there a way to fix it?
"microsoft.com" is not enough to exclude from the tunnel. Here is a Cisco Tech-Note on the needed exclusions:
I just smashed this together. Copy and paste this into PowerShell. It sends a query to Microsoft for the list of IP addresses used by Microsoft Teams. Exclude these from your full-tunnel VPN.
# Microsoft's endpoint service expects a fresh client request id per query
$clientRequestId = [GUID]::NewGuid().Guid
# Worldwide instance of the Microsoft 365 endpoint feed, IPv6 prefixes suppressed
$uri = "https://endpoints.office.com/endpoints/worldwide?NoIPv6=true&clientRequestId=$clientRequestId"
$endpointSets = Invoke-RestMethod -Uri $uri
# "Optimize" is the category Microsoft recommends sending outside the VPN; it covers
# Teams media (serviceArea "Skype") as well as Exchange and SharePoint endpoints
$Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" }
# Keep only the IPv4 prefixes (the entries containing a dot), de-duplicated and sorted
$optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique
Write-Host $optimizeIpsv4
This one is great for Windows users!
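The snippet above prints the prefixes and leaves turning them into firewall configuration to the reader. The script below is an added example (not code from the thread or from Cisco or Microsoft) that takes the same endpoint feed, keeps only the Teams media prefixes (serviceArea "Skype", category "Optimize"), and emits the ASA split-exclude configuration lines for them. The function names, the ACL name "Teams_Exclude", the group-policy name "GP_FullTunnel", and the offline sample feed embedded in Get-M365EndpointSets are all my own choices so the script runs without network access; the sample is constructed and not a copy of the live feed.

```powershell
# Added example: Teams media prefixes from the Microsoft 365 endpoint feed,
# rendered as an ASA split-exclude ACL. Not part of the original thread.

function Get-M365EndpointSets {
    param([switch]$Offline)
    if ($Offline) {
        # Constructed sample shaped like the real feed (ids/prefixes are illustrative),
        # so the rest of the script can be exercised with no connectivity.
        return @(
            [pscustomobject]@{ id = 11; serviceArea = 'Skype';    category = 'Optimize'
                               ips = @('13.107.64.0/18', '52.112.0.0/14', '52.122.0.0/15', '2603:1063::/38')
                               udpPorts = '3478,3479,3480,3481'; required = $true },
            [pscustomobject]@{ id = 12; serviceArea = 'Skype';    category = 'Allow'
                               ips = @('13.107.64.0/18'); tcpPorts = '443'; required = $true },
            [pscustomobject]@{ id = 1;  serviceArea = 'Exchange'; category = 'Optimize'
                               ips = @('13.107.6.152/31'); tcpPorts = '443'; required = $true }
        )
    }
    # Live fetch: same URL the thread uses; one request id per call
    $clientRequestId = [guid]::NewGuid().Guid
    $uri = "https://endpoints.office.com/endpoints/worldwide?NoIPv6=true&clientRequestId=$clientRequestId"
    Invoke-RestMethod -Uri $uri
}

function Get-TeamsOptimizePrefixes {
    param([Parameter(Mandatory)][object[]]$EndpointSets)
    # Teams media is published under serviceArea "Skype"; Optimize is the
    # bypass-the-VPN category. Some sets carry URLs only, hence the $_.ips guard.
    $EndpointSets |
        Where-Object { $_.serviceArea -eq 'Skype' -and $_.category -eq 'Optimize' -and $_.ips } |
        ForEach-Object { $_.ips } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' } |   # IPv4 only: the standard ACL below is IPv4
        Sort-Object -Unique
}

function ConvertTo-DottedMask {
    param([Parameter(Mandatory)][int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "prefix length out of range: $PrefixLength" }
    # 2^32 - 2^(32-len) is the mask as an integer; no bit-shift precedence traps this way
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    (24, 16, 8, 0 | ForEach-Object { [int](([math]::Floor($mask / [math]::Pow(2, $_))) % 256) }) -join '.'
}

function ConvertTo-AsaSplitExcludeConfig {
    param(
        [Parameter(Mandatory)][string[]]$Prefixes,
        [string]$AclName = 'Teams_Exclude',      # assumed name
        [string]$GroupPolicy = 'GP_FullTunnel'   # assumed name of the full-tunnel group policy
    )
    # ASA standard ACLs take network + subnet mask, not CIDR
    $lines = @(foreach ($p in $Prefixes) {
        $net, $len = $p -split '/'
        "access-list $AclName standard permit $net $(ConvertTo-DottedMask ([int]$len))"
    })
    $lines += "group-policy $GroupPolicy attributes"
    $lines += " split-tunnel-policy excludespecified"
    $lines += " split-tunnel-network-list value $AclName"
    $lines
}

# Usage: drop -Offline to pull the live feed once the admin host has Internet access
$sets     = Get-M365EndpointSets -Offline
$prefixes = Get-TeamsOptimizePrefixes -EndpointSets $sets
ConvertTo-AsaSplitExcludeConfig -Prefixes $prefixes
```

Paste the printed lines into the ASA (or apply the equivalent through FMC on Firepower). The feed changes over time, so rerun the script periodically and diff the ACL; and because the exclusion is by IP rather than hostname, it catches the Teams media traffic that the "microsoft.com" hostname exclusion from the original question misses.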
OR - don't use full tunnel. Specify only the list of subnets that AnyConnect users will need to access inside of your organisation.
...afterwards realize that you'll need another layer of security because there's no centralized endpoint protection anymore. Let me warmly welcome you to the funny world of SASE! 😎
And what are you going to do for the user when they are not connected to VPN ... not much difference really is there?
Adding a point to the question - the whole idea of using full tunnel with Cisco AnyConnect here is to whitelist the public IP to Azure resources like Virtual Machines, SQL Managed Instances etc.,
so that people get onto the VPN to connect to these resources and are not really able to connect from a different network.
If that IP address is static you could include that in the AnyConnect encryption domain and not use full tunnel.
Use whichever approach is easier for you. 🙂
Thank You All. Adding all the IPs from the below list helped.
Appreciate your help @PhilipDAth @CptnCrnch @KarstenI