SSO Token Failure Traffic

JNetworkMan05
New here

Noticed a weird event while going through my event logs on one of my MX firewalls. I am getting an AnyConnect VPN authentication failure with details stating "msg: SAML: SSO token verify failure for user: " and then for the user it's just random names (just one name, first letter and last name, first and last name, etc.).

Tracking down the IP leads me to the same IP, which I am assuming is a proxy path coming from the internet?

Has anyone else experienced this issue? I am getting over 200 failed attempts per day and am worried that I should be doing something else to prevent these from even attempting to log in.
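
One way to triage a burst of these events, added here as an example and not code from the original post or from Meraki: parse event lines carrying the quoted message, count failures per source IP and per day, compare the attempted usernames against a directory export, and check whether every source address is one of your own interface addresses (if so, the event log cannot attribute the traffic and the upstream NAT or proxy device has to be consulted). The log line layout, the field names, the sample addresses and the user list are constructed assumptions; only the message text "SAML: SSO token verify failure for user:" comes from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events. The layout "<ts> <event> ip=<addr> msg: ..." is an
# assumption for this example, not a documented MX log format.
SAMPLE_EVENTS = """\
2024-10-03T10:12:44Z anyconnect_auth_failure ip=203.0.113.10 msg: SAML: SSO token verify failure for user: jsmith
2024-10-03T10:12:51Z anyconnect_auth_failure ip=203.0.113.10 msg: SAML: SSO token verify failure for user: j
2024-10-03T10:13:02Z anyconnect_auth_failure ip=203.0.113.10 msg: SAML: SSO token verify failure for user: john smith
2024-10-04T09:03:30Z anyconnect_auth_failure ip=203.0.113.10 msg: SAML: SSO token verify failure for user: mjones
2024-10-03T11:40:17Z anyconnect_auth_failure ip=198.51.100.7 msg: SAML: SSO token verify failure for user: alice.w
2024-10-03T11:41:00Z anyconnect_auth_success ip=198.51.100.7 user=alice.w
"""

# Assumed directory export of legitimate VPN users.
KNOWN_USERS = {"alice.w", "bob.k"}

FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) anyconnect_auth_failure ip=(?P<ip>\S+) "
    r"msg: SAML: SSO token verify failure for user: (?P<user>.*)$"
)


def parse_failures(text):
    """Return one dict per SSO token verify failure; other events are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"].strip()})
    return events


def failures_per_day(events):
    """Count failures by calendar day (ISO timestamps assumed, date is the first 10 chars)."""
    return Counter(e["ts"][:10] for e in events)


def summarize_by_source(events, known_users, threshold=3):
    """Per source IP: failure count, distinct names tried, names not in the directory.

    A source is flagged suspicious when it exceeds the threshold and most of the
    names it tried do not exist in the directory (guessing, not a misconfigured user).
    """
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in per_ip.items():
        users = [e["user"] for e in evs]
        unknown = [u for u in users if u not in known_users]
        report[ip] = {
            "failures": len(evs),
            "distinct_users": len(set(users)),
            "unknown_users": len(unknown),
            "suspicious": len(evs) >= threshold and len(unknown) / len(evs) > 0.5,
        }
    return report


def source_is_own_interface(events, interface_ips):
    """True when every failure's source is one of our own addresses.

    That pattern means the MX is seeing post-NAT or post-proxy traffic, so the
    real client addresses must be recovered from the upstream device's logs.
    """
    return bool(events) and all(e["ip"] in interface_ips for e in events)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_EVENTS)
    print("failures per day:", dict(failures_per_day(events)))
    for ip, row in summarize_by_source(events, KNOWN_USERS).items():
        print(ip, row)
    # Assumed "transit to Nexus" interface address, as described in the thread.
    print("all sources are our own interface:",
          source_is_own_interface(events, {"10.255.0.1"}))
```

Run it against an export of the MX event log in the same layout; if `source_is_own_interface` comes back True for your transit interface address, the MX log cannot tell you where the attempts originate and the block has to be applied (and the attribution done) on the device doing the translation.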

7 Replies
Mloraditch
Head in the Cloud

I can't say I've seen it on my MX, but I've seen plenty of these attacks in a general sense. Hackers find an open VPN portal and just throw stuff at it. If the IP is located in a different country, you could try blocking it via Layer 7 rules, although I'm not sure that applies to AnyConnect.

If your MX is in concentrator mode you could try blocking upstream or if you have access to your internet router, null routing things. But there are generally limited options without more sophisticated tools.

Someone else may have seen these specific errors and may have something to add, but that's my initial thoughts.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Head in the Cloud

While I don't personally have experience with this event, other forums suggest:

It indicates that the Single Sign-On (SSO) token presented by a user could not be successfully validated by the system, meaning the user's identity could not be confirmed and access is denied, usually due to issues like an invalid token, expired session, misconfigured settings, or a problem with the identity provider certificate used to sign the token.

JNetworkMan05
New here

This makes sense. The problem is, all of these failed attempts aren't my users. They are just random names. So while the function of the Meraki is failing their login attempts by design, I am concerned by how often this is happening.

RWelch
Head in the Cloud

If they aren't your users, block the source and wait for someone to complain, to help get a better understanding of what they are attempting to sign into. Allowing users on your network that aren't yours seems risk adverse to me, but I am not familiar enough with your network.

JNetworkMan05
New here

This is where another piece of the puzzle gets tricky. It appears as though there is some sort of proxy path directing these, and the source IP is the same as my "transit to Nexus" VLAN interface IP.

RWelch
Head in the Cloud

Wishing you all the best on the resolution of the mystery and puzzle.

PhilipDAth
Kind of a big deal

Is it coming from a single country that you want nothing to do with?

If so, you could try creating a L7 firewall rule. Never tested if it also blocks AnyConnect, but worth a go.

You could also try a L7 firewall rule to block this one IP address.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...

Another thought: this might mean one of your users' machines is compromised and a token has been stolen from it, a token that has now expired and is no longer valid.

https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/token-theft-protection-with-microsof...
