Meraki

Community

SQL access breaks for AnyConnect client

Nova-th
New here
yesterday
yesterday

SQL access breaks for AnyConnect client

Hi All,

 

I have a client (w11 laptop running AnyConnect 5.1.4.74) terminating at an MX105 running MX 18.211.2.  The client works as expected except for an SQL application that uses a remote server behind the MX105.

 

Looking at the pcap, the client conversation looks fine up to the SQL pre-login message.  It is at this point I see It doesn't get a response and then moves on to the SSL handshake.

 

When I bring the client on prem, the pcaps shows the pre-login message, but the next packet has the SQL server response.  Then comes the SSL handshake.

 

I got on the server and verified that it does indeed send the pre-login response, but it doesn't make it through to the client.

 

Has anyone seen this behavior or know if there anything Meraki wise that could block the SQL response to the pre-login message packet?

 

I appreciate your insights.

 

Thanks,

Mike

0 Kudos
4 Replies 4
Mloraditch
Head in the Cloud
yesterday
yesterday

I've never encountered this specifically. Have you packet captured the lan of the MX to verify the packets are arriving?  I'd perhaps test with AMP or IPS turned off temporarily. I've seen and heard them incorrectly blocking things over the years. You also may just want to call support as they can trace down the packets inside the MX and see if something else is causing them to drop.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Nova-th
New here
yesterday
yesterday

Thanks M, yes both AMP and IPS are disabled, we haven't ever turned them on.

 

I haven't ran a capture on the MX yet.  My captures were run on the server and the client.  I will since support will likely want that.  I've already opened a ticket though.

 

Thanks for your thoughts.

Mike

PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

I'm going to bet this is an MTU squeeze.

 

On the SQL server find the name of the Ethernet interface with:
netsh interface ipv4 show subinterface 

Then trying lowering the MRU with:
netsh interface ipv4 set subinterfaceEthernetmtu=1300

 

If that solves it, you can make the change permanent with:
netsh interface ipv4 set subinterface “Ethernet” mtu=1300 store=persistent

0 Kudos
Nova-th
New here
yesterday
yesterday

Hi Phil, yes MTU did occur to me as well.  I checked the eth2 sub int, used by the vpn client, the MTU is 1255 and ping -df implies I could go higher.

 

@Mloraditch - I did a capture on the MX internal interface.  The conversation is normal, so the MX appears to be the culprit.

 

I have not heard from Meraki yet, but I'm guessing it's on their end.

 

Thanks everyone.

Mike

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.