Around 11:20am EST our MX250's AnyConnect service failed. Users couldn't reconnect and a soft reset of the service didn't solve the problem. Initially the error we got on reconnect was:
"Anyconnect was not able to establish a connection to the specified gateway. Please try connecting again"
Immediately followed by message:
"The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: Other error"
After the service restart, our users no longer receive either message above. Briefly during new connection attempts the client flashes "Failed contacting (our MX DDNS hostname)", then changes to "please enter your username and password" and pops up the normal login prompt. After entering creds it just sits and then times out.
I hopped on the horn with Meraki support and they confirmed we're not the only customers affected and they're currently working with product and dev teams to resolve and come up with a fix.
We're running MX250s in HA
on-prem RADIUS Auth
Yes, we were running 16.16.2. Meraki support had us reboot and then upgrade to 16.16.6 but that didn't fix the issue. They said it's an issue affecting multiple customers now, so waiting for an update via email.
We're on 16.16.0 and they were suggesting we upgrade to 16.16.6... then stopped me right before I did it. Thanks for being the guinea pig I guess?
FYI, it's not related to this issue (refer to this thread for updates), but if you're still running 16.16, be aware that there's a DoS vulnerability that may disrupt AnyConnect services: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnE...
It is still recommended that you update to a fixed version as soon as possible.
Thanks Alex. The support rep informed me of that vuln too and they confirmed this wasn't related. We'll upgrade the appliance as soon as this issue is fixed providing the target FW isn't affected.
Alex, for those of us that were up to date on our patchwork, can you tell me if there is any kind of follow-up action whose results will be shared with the community so that they can explain what happened and how it is being addressed? I appreciate any consideration you may make in response to my question. Thank you, Scott D Hansen - DBA - Systems Engineer
Same thing is happening to us - initially it was failing on a couple of our sites, and working on others. As of 10 min ago it's not working on any of our remote sites. We're running 17.10 on all of our MXs.
Just got this link in regard to my ticket: https://community.meraki.com/t5/Meraki-Service-Notices/MX-AnyConnect-Client-VPN-issue/ba-p/173350
Looks like the issue has been resolved on my end. I received this reply on my ticket -
"At this point in time, the issue with AnyConnect VPN should now be resolved. If you are still having issues, try to make a minor Dashboard config change, wait for the MX to register the change, and try again. Please reach back out if that has been tried and AnyConnect still is not working."
Initially it would not connect, so I followed the instructions and went into each MX with AnyConnect enabled and made a small config change and saved that change. My change was just changing the text of the AnyConnect login banner. After the change was made and the MX updated the config, I was successfully able to connect to all MXs with AnyConnect enabled.
My dashboard is reporting the following message.
We are investigating an issue where a small number of MX Security Appliances running AnyConnect client VPN are failing to accept new connections, starting around 10/27/2022 14:45 GMT. Our development team has identified the problem and is working to resolve the issue as soon as possible. Please note that Dashboard config changes on all MX networks with AnyConnect enabled may be delayed until the issue is resolved.